KB22831 - Users gets disconnected from SSL VPN when the internal port's device certificate is changed and if only Host Checker is enabled at the realm level

This article describes the issue of users being disconnected from SSL VPN, when the internal ports device certificate is changed and if only Host Checker is enabled at the realm level.

 

• Host Checker is enabled at the realm level.

 

• Users are able to successfully logon and access applications.

 

• In the mean time, the administrator changes the internal port's device certificate to another one.

 

• Host checker perform a check and when the value is reached, users are completely disconnected from the session.

 

• When the page is refreshed, the Host Checker evaluation re-occurs and prompts the user to login.

 If Host Checker is disabled for the users, users will still be connected; even after the device certificate is changed. This issue occurs when the Host checker policy is enabled, as the SSL connection should re-negotiate; if the server certificate is changed. This means that the certificate hash was changed.

So this is working as designed.


User access Log :

AUT23447 2012-01-27 07:31:26 - ive - [10.130.35.47] Root::System()[] - Host Checker running on host 10.130.35.47 will exit as the user login timed out.
Info AUT22923 2012-01-27 07:26:27 - ive - [10.130.35.47] Root::System()[] - Host Checker policy 'test' passed on host 10.130.35.47 .
Info AUT22923 2012-01-27 07:21:26 - ive - [10.130.35.47] Root::System()[] - Host Checker policy 'test' passed on host 10.130.35.47 .
Info NWC23465 2012-01-27 07:18:19 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Network Connect: Session ended for user with IP 10.9.222.34
Info ERR24670 2012-01-27 07:18:19 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Network Connect: ACL count = 0.
Info JAV20023 2012-01-27 07:18:19 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Closed connection to TUN-VPN port 443 after 480 seconds, with 351 bytes read (in 1 chunks) and 264 bytes written (in 4 chunks)
Info AUT23181 2012-01-27 07:18:04 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Session for user jtac on host 10.130.35.47 has been terminated.
Info AUT22927 2012-01-27 07:18:04 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - System process detected a Host Checker time out on host 10.130.35.47 for user 'jtac' (last update at 2012-01-27 07.07.49 +0530 IST).
Info NWC30477 2012-01-27 07:10:31 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Network Connect: User with IP 10.9.222.34 connected with ESP transport mode.
Info NWC23508 2012-01-27 07:10:31 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Key Exchange number 1 occured for user with NCIP 10.9.222.34
Info JAV20021 2012-01-27 07:10:19 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Connected to TUN-VPN port 443
Info NWC23464 2012-01-27 07:10:19 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Network Connect: Session started for user with IP 10.9.222.34, hostname slash-lap-03-377
Info ERR24670 2012-01-27 07:10:19 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Network Connect: ACL count = 1.
Info AUT22670 2012-01-27 07:08:39 - ive - [10.130.35.47] Root::jtac(jtac)[jtac] - Login succeeded for jtac/jtac (session:00000000) from 10.130.35.47.
Info AUT23278 2012-01-27 07:08:39 - ive - [10.130.35.29] Root::jtac(jtac)[jtac] - Host Checker realm restrictions successfully passed for jtac/jtac
Info AUT24326 2012-01-27 07:08:39 - ive - [10.130.35.47] Root::jtac(jtac)[] - Primary authentication successful for jtac/System Local from 10.130.35.47
Info AUT22923 2012-01-27 07:07:49 - ive - [10.130.35.47] Root::System()[] - Host Checker policy 'test' passed on host 10.130.35.47 .

Host Checker had initially passed at 07:07:49, the user is able to logon, and the Host Checker realm successfully passed for JTAC. The user then launches Network Connect and accesses the resource.


After the administrator changes the device certificate at 07:18:19, the user noticed the Host checker timeout and the session has been terminated error message.