topic Re: VPN Remote access-users can't connect-keep getting prompt for login in SASE and Remote Access

VPN Remote access-users can't connect-keep getting prompt for login

flachance — Thu, 01 Sep 2022 18:34:04 GMT

Last Monday during the evening several users had issues connecting VPN Remote Access.

They would enter their VPN login information and 1 minute later the pop-up for the login prompt would appear again.

This went on for several hours. Everything was working fine for those users during the day and it was working fine again the day after.

How can I find what caused this and ensure it doesn’t happen again?

For two of them I have a Failed Login in the logs with reason ‘Could not obtain user object. Timeout reached.’ But for the others, I’m not seeing anything that stands out.

The clients are E86.20. The gateway is R80.40. The management server is R81.10 (updated from R80.40 approximately two weeks before the incident)

Anyone has seen this issue before or has anything to suggest in where to investigate to identify the cause?

Thanks

Re: VPN Remote access-users can't connect-keep getting prompt for login

Chris_Atkinson — Fri, 02 Sep 2022 07:25:19 GMT

If this issue went away by itself have you considered / eliminated an ISP issue or was VPN the only noted impact?

Also for awareness enhancements in the E86.30 client include:

ESVPN-3237

Enhancement: In the roaming feature, when a VPN client works in Hub Mode with "Exclude local network" enabled, the user now does not have to re-enter credentials in case of a short network outage.

Re: VPN Remote access-users can't connect-keep getting prompt for login

flachance — Fri, 02 Sep 2022 12:41:08 GMT

Yes I've considered the ISP. I'm aware of one user in the past with a similar issue for which the problem was fixed after he switched ISP. In this case I've got several users over at least three different regions. Of course our own ISP reports no issue...

Nobody has reported any other issue during that period but since it was in the evening there wasn't a lot of people working.

I tried using cpview -t to see if I could see anything out of the ordinary for that timeframe but all I'm getting is 'History is initializing'. I tried the troubleshooting steps of sk101878 but it doesn't work.

Anything else I can look at to see if the gateway was having issue during that period.

That E86.30 enhancements is great. Time to schedule an upgrade 🙂

Re: VPN Remote access-users can't connect-keep getting prompt for login

flachance — Tue, 06 Sep 2022 17:41:09 GMT

Something else I noticed during the same timeframe is a lot of Alert logs with reason "Firewall - Domain resolving error. Check DNS configuration on the gateway (0)"

Not sure if this is an issue since it doesn't drop or block, it just gives an alert. But it seems like an odd message and it happened around the same time

Re: VPN Remote access-users can't connect-keep getting prompt for login

Chris_Atkinson — Tue, 06 Sep 2022 23:27:34 GMT

Are the configured DNS servers internal or external/public ones?

Re: VPN Remote access-users can't connect-keep getting prompt for login

flachance — Wed, 07 Sep 2022 11:59:06 GMT

internal. Primary is from our internal domain. Secondary is our DMZ domain (non-public) and tertiary internal domain again.

Re: VPN Remote access-users can't connect-keep getting prompt for login

the_rock — Wed, 07 Sep 2022 12:35:13 GMT

We had case with TAC for similar issue and once customer installed newer VPN client version (cant recall which one now, I believe e86.40), issue went away.

Re: VPN Remote access-users can't connect-keep getting prompt for login

flachance — Thu, 08 Sep 2022 13:31:49 GMT

Also the DNS servers are Windows servers 2019. Looking a some DNS logs on those servers I see entries constantly repeating.

"The DNS server received a bad TCP-based DNS message from 10.100.0.3. The packet was rejected or ignored. The event data contains the DNS packet."

That's the IP of the gateway.