HappyByte
Participant

Missing Log on Log server

Hello,

Does anyone experience the following scenario:

TEST SCENARIO:

Logging on VPN server (Mobile Access Blade, 80.30) with Endpoint Security VPN.
t(0) time - Log In with timestamp in Logs
t(1) time - after VPN session timeout (10 hours 30 min) Re-Authenticated in less than 60 seconds
t(2) time - Log Out with timestamp in Logs

TEST SCENARIO RESULTS:

Checking logs on the log server, the t(0) timestamp with Log In information is missing
t(1) time - shows Log In with t(1) timestamp in Logs
t(2) time - shows Log Out with t(2) timestamp in Logs

EXPECTED:

t(0) time - Log In with t(0) timestamp
t(1) time - Log In Re-Authenticated with t(1) timestamp
t(2) time - Log Out with t(2) timestamp

In the basic scenario, using a VPN session for less than the VPN Re-authenticate session timeout, both LogIn and LogOut are in the log results.

GlobalProperties, Remote Access:
Re-authenticate user every: 630min (10h 30min)


Thank you.

9 Replies
PhoneBoy
Admin

Remote Access VPN can actually be served by either Mobile Access Blade or the VPN blade.
Are you looking for both types of logs when you check for this?
If you have Identity Awareness enabled with Remote Access as one of the identity sources, there should be a log for that association as well.

HappyByte
Participant

Hello PhoneBoy,

Yes, both are checked. Normally LogIn and LogOut are logged as part of Mobile Access Blade.

The interesting part is that the LogIn at the t(0) timestamp was visible in the first hours (during the 10 hours 30 min period).

Although the LogIn t(0) timestamp is missing, there are visible 'Key Install' logs on the VPN Blade after the t(0) timestamp.

0 Kudos
PhoneBoy
Admin

If you can consistently reproduce this, it might be worth a TAC case.

0 Kudos
HappyByte
Participant

Tested and successfully reproduced.

Logged In, t(0) timestamp visible in logs before Re-authentication.

After Re-authentication at t(1), t(0) timestamp disappeared, t(1) visible.

Screenshot: missing LogIn timestamp at 7:35:59

0 Kudos
PhoneBoy
Admin

I think what's actually happening here is that we are updating the original log entry with the new Log In time.
Believe you can confirm this by opening the log card and reviewing it. 

0 Kudos
HappyByte
Participant

Possible. But as stated, the expectation is to keep the original LogIn at t(0) as valuable information.

Solved, using external log server infrastructure.

PhoneBoy
Admin

Can you open the log card and confirm what I'm saying?
Whether it should do that or not is a separate question, but I believe this is the intended behavior.

0 Kudos
HappyByte
Participant

I can confirm both log cards (missing one from t(0) and Re-Authenticated at t(1)) have the same Mobile Access Session UID.

0 Kudos
the_rock
Advisor

I think what you wrote makes sense, but I also do agree with PhoneBoy's response as well.

0 Kudos
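An added example (not written by any poster in this thread and not Check Point code): it models the behaviour discussed above, where a re-authentication Log In replaces the earlier Log In record for the same Mobile Access Session UID, next to an append-only copy of the same events such as an external log server would hold. The field names and sample events are constructed assumptions, not Check Point's log schema.

```python
from collections import defaultdict

# Constructed sample events; field names are assumptions, not Check Point's schema.
EVENTS = [
    {"time": "2021-03-01T07:35:59", "session_uid": "S-1", "user": "alice", "action": "Log In"},
    {"time": "2021-03-01T18:06:10", "session_uid": "S-1", "user": "alice", "action": "Log In"},
    {"time": "2021-03-01T19:00:00", "session_uid": "S-1", "user": "alice", "action": "Log Out"},
    {"time": "2021-03-01T09:00:00", "session_uid": "S-2", "user": "bob", "action": "Log In"},
    {"time": "2021-03-01T12:00:00", "session_uid": "S-2", "user": "bob", "action": "Log Out"},
]


def updating_view(events):
    """One record per (session UID, action): a later Log In replaces the earlier one."""
    view = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        view[(ev["session_uid"], ev["action"])] = ev
    return sorted(view.values(), key=lambda e: e["time"])


def session_timelines(events):
    """Append-only view: keep every event, label a repeated Log In as re-authentication."""
    timelines = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        history = timelines[ev["session_uid"]]
        label = ev["action"]
        if label == "Log In" and any(a.startswith("Log In") for _, a in history):
            label = "Log In (Re-Authenticated)"
        history.append((ev["time"], label))
    return dict(timelines)


def lost_logins(events):
    """Log In timestamps that exist in the event stream but not after in-place updates."""
    kept = {(e["session_uid"], e["time"]) for e in updating_view(events)}
    return sorted(
        (e["session_uid"], e["time"])
        for e in events
        if e["action"] == "Log In" and (e["session_uid"], e["time"]) not in kept
    )


if __name__ == "__main__":
    for uid, timeline in session_timelines(EVENTS).items():
        print(uid, timeline)
    print("lost after update-in-place:", lost_logins(EVENTS))
```
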