KB40024 - [PPS][FIREWALL] Juniper SRX firewalls disconnect and reconnect at random times causing loss of access to protected resources


Information

Last Modified Date: 9/12/2015 10:06 AM
Synopsis
An end user complains of losing access to a protected resource behind a Juniper SRX firewall that is managed by a PPS appliance.

 
Problem or Goal
An end user complains of losing access to a protected resource behind a Juniper SRX firewall that is managed by a PPS appliance.

 
Cause
One cause of this issue may be related to the PPS appliance sending a duplicate auth table entry for the endpoint's IP address.

If the Juniper SRX firewall sees a duplicate auth table being provisioned, the uacd process on the Juniper SRX firewall is designed to disconnect and reconnect to the PPS appliance in order to reconcile the auth tables between the two devices.

This is by design.

To verify that this is in fact happening, the Juniper SRX administrator will need to enable trace options surrounding the uacd process.

Below are the Junos set commands to accomplish this.

set services unified-access-control traceoptions file uacd.log
set services unified-access-control traceoptions file size 10m
set services unified-access-control traceoptions file files 10
set services unified-access-control traceoptions flag all

The administrator will need to commit these settings and then monitor the connection between the Juniper SRX and the PPS appliance. 

When a disconnect event occurs, review the uacd.log file and search for a line that contains the following sub-string:
"processAuthEntryRequest: add failed new_id="

If this string is found, this will confirm that the Juniper SRX is receiving a duplicate auth table entry from the PPS appliance.
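As an added example (not part of the KB article and not Juniper or Pulse Secure tooling), the following Python script performs the log check described above over a constructed uacd.log sample: it picks out every line carrying the "processAuthEntryRequest: add failed new_id=" sub-string and then attributes each disconnect to the most recent such failure within a short window, so that disconnects with no duplicate-entry cause stand out as needing the PPS-side logs. The timestamp layout, the "ip=" field, the disconnect/connect wording and the sample lines themselves are assumptions; only the sub-string comes from the article.

```python
"""Check a Junos uacd trace log for the duplicate-auth-entry signature.

Added example, not from the KB article or from Juniper/Pulse Secure.
The only fact taken from the article is the sub-string
"processAuthEntryRequest: add failed new_id=". The sample log lines,
their timestamp layout, the "ip=" field and the disconnect/connect
wording are constructed assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

DUP_SIGNATURE = "processAuthEntryRequest: add failed new_id="

# Constructed sample uacd.log content (assumed layout, not real device output).
SAMPLE_UACD_LOG = """\
Sep 12 09:58:01 uacd: processAuthEntryRequest: add ok new_id=17 ip=10.1.5.23
Sep 12 10:03:44 uacd: processAuthEntryRequest: add failed new_id=18 ip=10.1.5.23
Sep 12 10:03:45 uacd: disconnecting from PPS 192.0.2.10 to reconcile auth table
Sep 12 10:03:52 uacd: connected to PPS 192.0.2.10
Sep 12 10:20:10 uacd: disconnecting from PPS 192.0.2.10 (keepalive timeout)
Sep 12 10:20:18 uacd: connected to PPS 192.0.2.10
"""

# Assumed syslog-style prefix: "Mon DD HH:MM:SS <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(.*)$")
NEW_ID_RE = re.compile(r"new_id=(\S+)")
IP_RE = re.compile(r"\bip=(\S+)")


def parse_line(line, year=2015):
    """Split one trace line into (timestamp, message); None if no timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def find_duplicate_entries(text, year=2015):
    """Return one record per line carrying the duplicate-entry signature."""
    found = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None or DUP_SIGNATURE not in parsed[1]:
            continue
        ts, msg = parsed
        id_match = NEW_ID_RE.search(msg)
        ip_match = IP_RE.search(msg)
        found.append({
            "time": ts,
            "new_id": id_match.group(1) if id_match else None,
            "ip": ip_match.group(1) if ip_match else None,
        })
    return found


def classify_disconnects(text, year=2015, window_seconds=60):
    """Attribute each disconnect to the latest duplicate-entry failure seen
    within window_seconds before it, or to None when there is none.

    A disconnect with no preceding failure is unexplained by this log alone
    and needs the PPS event and user-access logs to diagnose."""
    failures = find_duplicate_entries(text, year)
    window = timedelta(seconds=window_seconds)
    results = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        # "disconnecting" is the assumed wording of the disconnect event.
        if parsed is None or "disconnecting" not in parsed[1]:
            continue
        ts, msg = parsed
        candidates = [f for f in failures if ts - window <= f["time"] <= ts]
        cause = max(candidates, key=lambda f: f["time"]) if candidates else None
        results.append({"time": ts, "message": msg, "cause": cause})
    return results


if __name__ == "__main__":
    for r in classify_disconnects(SAMPLE_UACD_LOG):
        if r["cause"]:
            tag = f"duplicate new_id={r['cause']['new_id']} for {r['cause']['ip']}"
        else:
            tag = "no duplicate-entry signature nearby"
        print(f"{r['time']:%b %d %H:%M:%S} disconnect: {tag}")
```

Run it against a real uacd.log by replacing SAMPLE_UACD_LOG with the file contents; a disconnect that is not preceded by the signature is the case where the User Access logs from the PPS appliance become necessary.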

Solution
The most common situation in which duplicate auth table entries occur is described below.

1.  If 802.1X authentication is being used in the environment AND neither the Pulse Desktop Client nor the OAC client is in use, the PPS appliance has no way to learn the endpoint's IP address on its own.  This can be solved by one of the following:
     a)  RADIUS Accounting Start or Interim messages that contain the IP address of the connected endpoint can be sent from the NAS device (switch or wireless access point).
     b)  IF-MAP is in use by a DHCP server.  This allows the IP address to MAC address linkage to be published; the IP address is then provided to the IF-MAP client where the user signs in.

In either case, it is critical that when an endpoint disconnects from the network, the session is removed from the PPS appliance.  This can be accomplished either by sending an Accounting STOP message for the session OR by the IF-MAP client (the DHCP server) deleting the entry on the IF-MAP server.  If neither happens, a stale session is left in the active user table and will not age out until the role timer for that session is reached.  A stale session holding the same IP address as a live one is what produces the duplicate auth table entry.
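The following Python model, added here as an illustration rather than code from the article or the PPS product, replays constructed RADIUS accounting events against a simplified active user table to show the mechanism above: with no Accounting Stop, the stale session collides with the next session that receives the same IP address and the table holds two entries for that IP; with the Stop, or once the role timer expires, the duplicate disappears. The event names, the table structure and the role-timer behaviour are simplifying assumptions.

```python
"""Model the PPS active user table to show how a missing RADIUS Accounting
Stop (or IF-MAP delete) leaves a stale session that collides with the next
endpoint given the same IP address.

Added example, not code from the KB article or from the PPS product. The
table, its event names and the role-timer behaviour are a simplified model:
a session is removed by an explicit Stop or when its age reaches the role
timeout. All sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    session_id: str
    user: str
    ip: str
    started: datetime


class ActiveUserTable:
    """Minimal stand-in for the PPS active user table (assumption)."""

    def __init__(self, role_timeout):
        self.role_timeout = role_timeout
        self.sessions = {}  # session_id -> Session

    def accounting_start(self, session_id, user, ip, at):
        # A Start (or IF-MAP publish) binds the endpoint's IP to a session.
        self.sessions[session_id] = Session(session_id, user, ip, at)

    def accounting_stop(self, session_id):
        # A Stop (or IF-MAP delete) removes the session immediately.
        self.sessions.pop(session_id, None)

    def age_out(self, now):
        # Without a Stop, a session lives until the role timer is reached.
        expired = [s for s in self.sessions.values()
                   if now - s.started >= self.role_timeout]
        for s in expired:
            del self.sessions[s.session_id]
        return [s.session_id for s in expired]

    def duplicate_ips(self):
        """IPs bound to more than one session; each would reach the SRX as a
        duplicate auth table entry."""
        by_ip = {}
        for s in self.sessions.values():
            by_ip.setdefault(s.ip, []).append(s.session_id)
        return {ip: sids for ip, sids in by_ip.items() if len(sids) > 1}


def replay(events, role_timeout=timedelta(hours=8)):
    """Apply constructed accounting events in order and return the table."""
    table = ActiveUserTable(role_timeout)
    for ev in events:
        if ev["type"] == "start":
            table.accounting_start(ev["sid"], ev["user"], ev["ip"], ev["at"])
        elif ev["type"] == "stop":
            table.accounting_stop(ev["sid"])
    return table


T0 = datetime(2015, 9, 12, 9, 0)

# Constructed scenario: alice's laptop leaves the network without a Stop and
# DHCP later hands her old address 10.1.5.23 to bob's laptop.
EVENTS_WITHOUT_STOP = [
    {"type": "start", "sid": "s-alice", "user": "alice", "ip": "10.1.5.23", "at": T0},
    {"type": "start", "sid": "s-bob", "user": "bob", "ip": "10.1.5.23",
     "at": T0 + timedelta(hours=1)},
]

# Same scenario, but the NAS sends an Accounting Stop when alice leaves.
EVENTS_WITH_STOP = [
    EVENTS_WITHOUT_STOP[0],
    {"type": "stop", "sid": "s-alice"},
    EVENTS_WITHOUT_STOP[1],
]


def duplicates_without_stop():
    return replay(EVENTS_WITHOUT_STOP).duplicate_ips()


def duplicates_with_stop():
    return replay(EVENTS_WITH_STOP).duplicate_ips()


def duplicates_after_role_timer():
    # Even without a Stop, the stale entry is gone once the role timer expires.
    table = replay(EVENTS_WITHOUT_STOP)
    table.age_out(T0 + timedelta(hours=8))
    return table.duplicate_ips()


if __name__ == "__main__":
    print("missing Stop    :", duplicates_without_stop())
    print("with Stop       :", duplicates_with_stop())
    print("after role timer:", duplicates_after_role_timer())
```

The same check, applied to an export of the real active user table, is a quick way to confirm the Solution section's diagnosis: any IP address that appears under two sessions is a candidate for the duplicate entry the SRX is rejecting.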

To help troubleshoot this, please be prepared to provide a set of logs from both the Juniper SRX as well as the PPS appliance.

Logs to collect:
  1. Event logs showing at least two (2) disconnect and reconnect events.  The event logs need to have the "Enforcer Command Trace" setting enabled in order to record the communication between the PPS appliance and the Juniper SRX firewall.
  2. User Access logs spanning the same time period as the event logs.  The support engineer needs this data in order to determine WHY the PPS appliance is sending the duplicate entry.
  3. The uacd.log from the Juniper SRX firewall.

Lastly, it is advised to have the clocks synchronized between the Juniper SRX firewall and the PPS appliance.  This ensures that the data can be correlated easily.
Created By: Craig Brauckmiller
