K_montalvo
Advisor

Remote Access VPN Authentication Failure

Hello Experts!

We are currently experiencing issues with the Remote Access VPN. The issue is that when a new user is created in the existing (working) ClientlessVPNGroup and tries to connect via browser, the login fails with the error: "Unknown user". T/S was done by creating new users using the same default template, with the same results. However, when creating a new user on the internal AD, which is part of the same RemoteAcessVPN Community and FW Rule, it authenticates without issues. Publish & Install and Install Database were properly done.


Current environment:
SMS r81.10 (was upgraded like 19 days ago from r80.30 to r81.10, and everything was working seamlessly until yesterday)
Cluster (2 Gateways) running r80.30

The only change that was made yesterday was on the default template object, which is included in the uploaded file. I appreciate any tips or suggestions on this issue.

Thanks,

0 Kudos
the_rock
Legend

Hey bro,

Did you make sure user belongs to the group allowed to access stuff via remote access community?

Andy

K_montalvo
Advisor

Yeah brother!

0 Kudos
the_rock
Legend

Normally, if you add user via AD, say if you have radius auth (just as an example) and AD integrated via dashboard, sometimes you may need to push policy to reflect the changes, though in most cases, it would reflect right away.

Andy

K_montalvo
Advisor

Yeah, push policy was done with the new AD user and it worked, but the issue at the moment is presented when creating new local users; current existing local users in the same group are working.

0 Kudos
the_rock
Legend

Email me some screenshots directly, let me check.

K_montalvo
Advisor

Done buddy!

0 Kudos
the_rock
Legend

K, just send zoom or webex, I think I can figure this out quick... I'm sure it's some minor misconfiguration.

K_montalvo
Advisor

Done

0 Kudos
Timothy_Hall
Champion

Sounds suspiciously similar to the following, what happens if you set the template expiration date to 2029 instead of 2030 and then create a user with it?

sk167103: Expiration Date configured to after 2030 is considered as expired

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
K_montalvo
Advisor

Thanks for the suggestion @Timothy_Hall, will try that and keep you guys posted on the results.

the_rock
Legend

@Timothy_Hall ...I just did a remote session with @K_montalvo, and since we could not look at the actual environment, we went through some basic setup on lab mgmt. I also saw that for one customer I always help with, any local VPN users are by default set to the same date (December 31st, 2030) and it works fine. I believe the sk you mentioned strictly refers to new admin, as the "never" option is not there for VPN user. Either way, I asked Kenny to try changing it to, say, 2025 and see if it makes any difference. Personally, though I showed him the option for mobile access via blades (under manage and settings), considering this is the only user with a problem, it does not logically sound like it's an issue with the MA blade configuration. Regardless, they will test all we discussed and update us.

Andy

K_montalvo
Advisor

@the_rock @Timothy_Hall I was able to do T/S today and possibly identified the issue:

What we are seeing is an error during the Standard Access Policy installation. Could that be the issue? If so, can you guys guide me if there's a command to fix it or steps I shall follow to resolve the issue?

I really appreciate your help!

Thanks!

Screenshot.PNG

0 Kudos
Timothy_Hall
Champion

Sounds like the ranges specified in the Translated Source field are incorrectly set for static instead of hide.  You can right-click in that field and force it to Hide.  If this is not the case please post a screenshot of the NAT rules in question.

K_montalvo
Advisor

Hello,

This was actually the issue with a source network with a /16 translated to a /24 on a couple of NAT rules created a couple years ago. Somehow they started to present the issue recently. The TAC was also very helpful.

0 Kudos
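The root cause confirmed above, a static NAT rule whose /16 source is translated to a /24, can be caught by comparing address counts on both sides of each static rule. The sketch below is an added example, not part of the original thread and not Check Point code; the rule dictionaries, their field names and all addresses are constructed for illustration.

```python
import ipaddress


def address_count(spec):
    """Number of addresses in a CIDR network, single host, or 'first-last' range."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {spec}")
        return int(last) - int(first) + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses


def audit_nat_rules(rules):
    """Return (rule number, original size, translated size) for every static
    rule whose original and translated source differ in size."""
    findings = []
    for rule in rules:
        if rule["method"] != "static":
            continue  # hide NAT is many-to-one, so sizes may differ
        original = address_count(rule["original_source"])
        translated = address_count(rule["translated_source"])
        if original != translated:  # static NAT maps addresses one-to-one
            findings.append((rule["number"], original, translated))
    return findings


# Constructed sample rule base (hypothetical field names and addresses).
RULES = [
    {"number": 1, "method": "static",
     "original_source": "10.20.0.0/16", "translated_source": "192.168.50.0/24"},
    {"number": 2, "method": "hide",
     "original_source": "10.30.0.0/16", "translated_source": "203.0.113.10"},
    {"number": 3, "method": "static",
     "original_source": "172.16.5.0/24", "translated_source": "198.51.100.0/24"},
    {"number": 4, "method": "static",
     "original_source": "10.40.0.1-10.40.0.20",
     "translated_source": "198.51.100.100-198.51.100.109"},
]

if __name__ == "__main__":
    for number, original, translated in audit_nat_rules(RULES):
        print(f"rule {number}: static NAT maps {original} addresses onto "
              f"{translated}; switch to hide or match the sizes")
```

Rules 1 and 4 are flagged; changing their method to hide, as suggested in the accepted answer, clears the finding.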
the_rock
Legend

Hey buddy,

@Timothy_Hall is absolutely right. Sounds like the NAT method is wrong if that's the message you are seeing. Can you paste the actual NAT rule?

Andy

K_montalvo
Advisor

Hello buddy,

Yeah, what @Timothy_Hall posted above was the issue. I know that if you had had access to the actual environment in the remote session yesterday, you would have figured it out. Many thanks as always for your support and friendship!

0 Kudos
the_rock
Legend

Any time, no problem at all. @Timothy_Hall is the man, I think he knows everything CP related, so always an amazing resource.

HAPPY NEW YEAR!
