Visitor
MarcL
Posts: 8
Registered: ‎02-04-2009

Login Rejected IP address blocked

Hi,

For a few days now I have been seeing a lot of log entries about rejected logins on our SA cluster like these (all external attempts):

AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] System(no)[] - Login rejected from IP 1.2.3.4 for /no. IP address is blocked.

AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] " probe="probe6eab4f987cb80000030c(no)[] - Login rejected from IP 1.2.3.4 for " probe="probe6eab4f987cb80000030c/no. IP address is blocked.

Am I correct in saying that the SA detected some kind of hack attempt in this failed login and blocked this IP address?

If so, how come I am seeing a lot of messages like these in a rather short period of time, all from the same IP address? If this IP were blocked, shouldn't it be blocked before a login attempt?

Thanks to those who can shine a bit of light on this matter for me.

Regards,

Marc.

Moderator
zanyterp
Posts: 2,306
Registered: ‎11-19-2007

Re: Login Rejected IP address blocked

Not necessarily attempting to hack the system or under attack: if you are NATing inbound, all failed attempts count for the lockout timer; if some of your users are from the same location, they are (probably) NATed on that side and, again, you have the same shared count.

The block does not prevent the login page from being shown; it only prevents successful login.
Moderator
AJA
Posts: 130
Registered: ‎05-07-2010

Re: Login Rejected IP address blocked

Marc,

From what I understand - this looks like somebody is trying to log in to your device and the SA is blocking the same. If the IP address is unknown, please set an ACL to block the traffic on your firewall upstream before a request can hit the SA, which should solve this problem.

However, you could also open a JTAC ticket and give all the logs to them to get more clarity on the same.

Moderator
zanyterp
Posts: 2,306
Registered: ‎11-19-2007

Re: Login Rejected IP address blocked

As a caveat, blocking access to a specific IP may prevent legit users (depending on our NAT policies)
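
An added example, not part of the thread and not Juniper tooling: a log triage script that groups the AUT21052 "IP address is blocked" rejections by source IP, so that a shared NAT address with several ordinary usernames can be told apart from a source submitting markup-like usernames such as the `" probe="...` entry above. The field layout is inferred from the two log lines quoted in the thread, the odd-character test is a heuristic assumption, and the 198.51.100.7 lines with `jsmith` and `mbrown` are constructed sample data.

```python
import re
from collections import defaultdict

# Field layout inferred from the two AUT21052 lines in the thread (assumption).
REJECT_RE = re.compile(
    r"^AUT21052 (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \S+ - \[[^\]]+\] .* - "
    r"Login rejected from IP (?P<ip>\S+) for (?P<user>.*)/(?P<realm>[^/]*)\. "
    r"IP address is blocked\.$"
)
# Heuristic (assumption): characters people rarely type into a username field.
ODD_CHARS = re.compile(r"[\"'<>=;()]")

# First two lines are from the thread; the 198.51.100.7 lines are constructed.
SAMPLE_LOG = r'''
AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] System(no)[] - Login rejected from IP 1.2.3.4 for /no. IP address is blocked.
AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] " probe="probe6eab4f987cb80000030c(no)[] - Login rejected from IP 1.2.3.4 for " probe="probe6eab4f987cb80000030c/no. IP address is blocked.
AUT21052 2012-04-26 09:15:42 - SA - [198.51.100.7] jsmith(Users)[] - Login rejected from IP 198.51.100.7 for jsmith/Users. IP address is blocked.
AUT21052 2012-04-26 09:16:03 - SA - [198.51.100.7] mbrown(Users)[] - Login rejected from IP 198.51.100.7 for mbrown/Users. IP address is blocked.
'''

def summarize(log_text):
    """Group 'IP address is blocked' rejections by source IP."""
    stats = defaultdict(lambda: {"rejections": 0, "users": set(), "odd_users": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # not an AUT21052 blocked-IP rejection
        entry = stats[m["ip"]]
        entry["rejections"] += 1
        entry["users"].add(m["user"])
        if ODD_CHARS.search(m["user"]):
            entry["odd_users"].add(m["user"])
    return dict(stats)

def classify(entry):
    """Rough triage label for one source IP."""
    if entry["odd_users"]:
        return "probe-like"      # usernames carry markup/quote characters
    if len(entry["users"] - {""}) > 1:
        return "shared-source"   # several real-looking accounts behind one IP (NAT)
    return "single-user"

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["rejections"], classify(entry), sorted(entry["odd_users"]))
```

A "shared-source" result is the case where an upstream ACL on that address would also cut off legitimate users behind the same NAT.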
