Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
andquesada
Participant

Remote vpn login logs are rewrite after authentication timeout (R80.20)

 

Hi,

I hope someone can help me with the next issue;

When remote vpn users connect to office, we can see the login log; however when authentication timeout is reached and they put back the credentials they can connect without problem; but the first login log doesn´t  appers and just appers the new login connection; is like the log was rewrited.

 This log was from 5/5/2020 (first login)

image.png

and then, after reauthentication the first login log doesn´t appear just the new login.

image.png

In firewall rule I´m using all the track options but still not working.

image.png

Is a distributed environment with a dedicated smartevent server all in R80.20.

Thanks in advance

 

 
 
 
 

 

0 Kudos
10 Replies
Timothy_Hall
Champion
Champion

Try unchecking "Per Session" in your Track options for that rule, I think that is what is consolidating/amending your logs.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
andquesada
Participant

Thanks Timonthy;
I´ve already tried the following combinations:
1) Log + per connection : Failed
2) Log + per connection + per session : Failed
3) and the last one was: Log + per connection + per ssesion :Failed
Now I´m gonna use your suggestion and wait for reauthentication time waiting a good new.
0 Kudos
andquesada
Participant

Hi @Timothy_Hall ;

I did what you suggested; but the log still is being overwritten.

First Login was yesterday at 7:49:39; 

image.png

Then after user´s reauthentication the log is overwritten

image.png

Any other recommendation?

Thanks in advance for your help

0 Kudos
PhoneBoy
Admin
Admin

Sounds like expected behavior but it might be worth a TAC case.
0 Kudos
lucafabbri365
Collaborator

Hello guys,
I'm experiencing (it seems) the same behavior posted here: Mobile Access Log In and Log Out.

I opened a support ticket because, even if "expected", it doesn't make sense to me: why re-writing a past log entry ?!? Logs, in general, shouldn't be touched once written, isn't it ?

Bye,
Luca

0 Kudos
andquesada
Participant

Hi @lucafabbri365 

I apologize because I put the SmartEvent was in R80.20; the SmartEvent version is R80.10; the cluster and mgmt are in R80.20

Anyway, before open a TAC case I put the last Jumbo hotfix for R80.10 (take_272) and today I did a the same test and now it works  as it should.

image.png

 The first  login log

image.png

And now I see the login action of the re-authentication. I´m not sure why it appers as correlated and not as simple log but now the log is not overwrite.

image.png

 I suggest you to do the same; Jumbo HF Take_141 is the last jumbo HF for R80.20 and you said you has Take 80; so maybe  It could help you.

lucafabbri365
Collaborator

Hello @andquesada,
thank you for your suggestion.

We planned to install last Hotfix in GA (141) next 20th of May; there are some bug fixed routing around "log" world, so maybe it will be solved too.

I'll update this post.

Thank you,
Luca

 

lucafabbri365
Collaborator

Hello All,
just an update regarding this post: I finished to install hotfix 141 (Check Point R80.20); I'll monitor the behavior for a couple of days: I'll let you know if it solved.
I'm still waiting for an answer by Check Point support.

Bye,
Luca

0 Kudos
lucafabbri365
Collaborator

Hello Community,

this morning I didn't find log-in event (blade:"Mobile Access") occurred yesterday morning for a user; maybe substituted by log-in event occurred yesterday afternoon. This issue doesn't occur every day: looking at previous events, for the same user, log-ins events are there, untouched: I can find occurred both in the morning and in the afternoon.

However hotfix 141 didn't fix the issue. I updated support ticket with these information and waiting for an answer.

Bye,
Luca

0 Kudos
lucafabbri365
Collaborator

Hello guys,

I have another question regarding logs in general (let me know if it would be better to open another CheckMates post): referring to Mobile Access logs (blade:"Mobile Access") I see "duplicated" log entries (same Time, same Source, same User, same Mobile Access Session UID) coming from both active and standby firewall nodes  (Origin column); it happens for SOME users only, WHY ? I don't think it is a "normal" behavior because it happens for SOME users only (not ALL), not always.

Thank you,
Luca

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events