Remote Access VPN Authentication Failure
Hello Experts!
We are currently experiencing issues with the Remote Access VPN. The issue is that when a new user is created in the existing (working) ClientlessVPNGroup and tries to connect via browser, the login fails with the error: "Unknown user". T/S was done by creating new users using the same default template, with the same results. However, when creating a new user on the internal AD, which is part of the same RemoteAcessVPN Community and FW rule, it authenticates without issues. Publish & Install and Install Database were properly done.
Current environment:
SMS r81.10 (was upgraded like 19 days ago from r80.30 to r81.10 and everything was working seamlessly until yesterday).
Cluster (2 Gateways) running r80.30
The only change that was made yesterday was on the default template object, which is included in the uploaded file. I appreciate any tips or suggestions on this issue.
Thanks,
Hey bro,
Did you make sure user belongs to the group allowed to access stuff via remote access community?
Andy
Yeah brother!
Normally, if you add a user via AD, say if you have RADIUS auth (just as an example) and AD integrated via dashboard, sometimes you may need to push policy to reflect the changes, though in most cases it would reflect right away.
Andy
Yeah, push policy was done with the new AD user and worked, but the issue at the moment presents when creating new local users; existing local users in the same group are working.
Email me some screenshots directly, let me check.
Done buddy!
K, just send Zoom or Webex, I think I can figure this out quick... I'm sure it's some minor misconfiguration.
Done
Sounds suspiciously similar to the following, what happens if you set the template expiration date to 2029 instead of 2030 and then create a user with it?
sk167103: Expiration Date configured to after 2030 is considered as expired
Thanks for the suggestion @Timothy_Hall, will try that and keep you guys posted on the results.
@Timothy_Hall ... I just did a remote session with @K_montalvo and since we could not look at the actual environment, we went through some basic setup on lab mgmt, and I also saw that for one customer I always help with, any local VPN users are by default set to the same date (December 31st, 2030) and it works fine. I believe the sk you mentioned strictly refers to new admin, as the "never" option is not there for a VPN user. Either way, I asked Kenny to try changing it to, say, 2025 and see if it makes any difference. Personally, though I showed him the option for mobile access via blades (under manage and settings), considering this is the only user with a problem, it does not logically sound like it's an issue with the MA blade configuration. Regardless, they will test all we discussed and update us.
Andy
@the_rock @Timothy_Hall I was able to do T/S today and possibly identified the issue:
What we are seeing is an error with the Standard Access Policy installation. Could that be the issue? If so, can you guys guide me if there's a command to fix it or steps I shall follow to resolve the issue?
I really appreciate your help!
Thanks!
Sounds like the ranges specified in the Translated Source field are incorrectly set for static instead of hide. You can right-click in that field and force it to Hide. If this is not the case please post a screenshot of the NAT rules in question.
Hello,
This was actually the issue with a source network with a /16 translated to a /24 on a couple of NAT rules created a couple years ago. Somehow they started to present the issue recently. The TAC was also very helpful.
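The mismatch described above (a /16 source translated to a /24 under static NAT) can be caught before policy installation, because static NAT maps addresses one-to-one while hide NAT is many-to-one. The following is an added example, not part of the original thread and not Check Point tooling: it assumes a hypothetical CSV export of NAT rules with constructed column names and values, and flags static rules whose original and translated ranges differ in size.

```python
import csv
import io
import ipaddress

# Constructed sample export; the column names are hypothetical,
# not a Check Point export format.
SAMPLE_RULES = """\
rule,original_source,translated_source,method
1,10.20.0.0/16,192.0.2.0/24,static
2,10.30.5.0/24,198.51.100.0/24,static
3,10.40.0.0/16,203.0.113.10/32,hide
4,10.50.0.10-10.50.0.19,192.0.2.100-192.0.2.104,static
"""


def address_count(spec):
    """Return how many addresses a CIDR network or 'first-last' range covers."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range ends before it starts: {spec}")
        return int(last) - int(first) + 1
    return ipaddress.ip_network(spec.strip(), strict=True).num_addresses


def find_static_size_mismatches(rules_csv):
    """Return (rule, original_size, translated_size) for each bad static rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        if row["method"].strip().lower() != "static":
            continue  # hide NAT is many-to-one, so the sizes may differ
        orig = address_count(row["original_source"])
        xlat = address_count(row["translated_source"])
        if orig != xlat:
            findings.append((int(row["rule"]), orig, xlat))
    return findings


if __name__ == "__main__":
    for rule, orig, xlat in find_static_size_mismatches(SAMPLE_RULES):
        print(f"rule {rule}: static NAT maps {orig} addresses onto {xlat}; "
              "use equal-sized ranges or switch the rule to hide")
```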
Hey buddy,
@Timothy_Hall is absolutely right. Sounds like the NAT method is wrong if that's the message you are seeing. Can you paste the actual NAT rule?
Andy
Hello buddy,
Yeah, what @Timothy_Hall posted above was the issue. I know if in the remote session yesterday you had access to the actual environment you would have figured it out. Many thanks as always for your support and friendship!
Any time, no problem at all. @Timothy_Hall is the man, I think he knows everything CP related, so always an amazing resource.
HAPPY NEW YEAR!
