Hello,
I am currently investigating an issue one of our customers has with AD-Query in Identity Awareness.
Initially the problem reported was occurrences of "A secondary session request was received from the same IP. This caused logout of the current session", in combination with users complaining about access problems. They were getting the blockpage instead of access that should be allowed for this user or group. The customer suspects that these secondary session logouts are causing the problems.
After looking at the logs, I think the problem might be something else, but I cannot make sense of it (yet). I am still fairly new to Check Point, so maybe I am missing something here.
Here is one example of events from the logs, where the problem occurred last week:
08:01:12: Machine authentication (AD Query)
  connections from machine, no user yet: access denied
08:02:38: User authentication (AD Query)
  connections: access allowed based on user/group rules, source username in logs
08:02:54: A secondary session request was received from the same IP. This caused logout of the current session (AD Query)
  connections: access still allowed, seeing source user name in logs
08:14:28: Machine authentication (AD Query)
  connections: access denied, no source user name listed, only machine as source
08:21:58: "A secondary session request was received..." (AD Query)
  connections: access allowed again, source user name in logs
To me it seems the user does not get logged out in between. The secondary session notification says it does cause a logout, but shouldn't I then see another user login at the same time, the one that caused this?
I am confused by this and I would really like to understand what exactly is happening here. Is there any way to find out what exactly causes these secondary session events, or why the access for the user is not working anymore after the machine logs back in?
The customer already tried looking up the events in the Domain Controller, but while seeing them there, there is also no info on what exactly caused them.
Also, this is not happening very often and cannot be reproduced manually, which makes debugging this a bit harder. Any help on how to find this out would be much appreciated.
Cheers,
Alex
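
Because the problem is rare and cannot be reproduced on demand, one way to find every occurrence in exported logs is to line up identity events and connection logs per source IP, as in the timeline in the post. This is an added example, not part of the original post and not Check Point code. The record layout, the event names, the IP, the user name and the connection times are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample following the timeline in the post. The layout
# (time, ip, type, value, action) is an assumed export format; for "conn"
# records, value is the source user name seen in the log (None if absent).
SAMPLE = [
    ("08:01:12", "10.0.0.5", "identity", "machine_login", None),
    ("08:01:30", "10.0.0.5", "conn", None, "deny"),
    ("08:02:38", "10.0.0.5", "identity", "user_login", None),
    ("08:02:45", "10.0.0.5", "conn", "alice", "accept"),
    ("08:02:54", "10.0.0.5", "identity", "secondary_session", None),
    ("08:03:10", "10.0.0.5", "conn", "alice", "accept"),
    ("08:14:28", "10.0.0.5", "identity", "machine_login", None),
    ("08:14:40", "10.0.0.5", "conn", None, "deny"),
    ("08:15:05", "10.0.0.5", "conn", None, "deny"),
    ("08:21:58", "10.0.0.5", "identity", "secondary_session", None),
    ("08:22:10", "10.0.0.5", "conn", "alice", "accept"),
]

def find_identity_gaps(records):
    """Return windows where an IP that already had a user identity shows
    denied, user-less connections, with the identity event on either side."""
    state = defaultdict(lambda: {"had_user": False, "last_id": None, "gap": None})
    gaps = []
    # Zero-padded HH:MM:SS strings sort correctly within a single day.
    for time, ip, rtype, value, action in sorted(records, key=lambda r: r[0]):
        s = state[ip]
        if rtype == "identity":
            s["last_id"] = (time, value)  # remember the latest identity event
        elif value:  # connection logged with a source user name
            s["had_user"] = True
            if s["gap"]:  # user identity is back: close the open window
                s["gap"].update(recovered_at=time, recovered_after=s["last_id"])
                gaps.append(s["gap"])
                s["gap"] = None
        elif action == "deny" and s["had_user"]:
            if s["gap"] is None:  # first user-less deny after a user was seen
                s["gap"] = {"ip": ip, "trigger": s["last_id"], "first_denied": time,
                            "denied": 0, "recovered_at": None, "recovered_after": None}
            s["gap"]["denied"] += 1
    # Windows still open at the end of the export are reported as well.
    gaps.extend(s["gap"] for s in state.values() if s["gap"])
    return gaps

if __name__ == "__main__":
    for gap in find_identity_gaps(SAMPLE):
        print(gap)
```

Denied connections before any user was seen on the IP (the 08:01 period) are not reported, so only windows where an existing user identity disappeared show up, each with the identity event that preceded it.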