ScreenOS Firewalls (NOT SRX)
Contributor
Chuck
Posts: 32
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

4846418.0: ethernet0/2(i) len=62:001c2338dbc1->0010dbff2060/0800
              161.101.150.102 -> 161.101.150.9/6
              vhl=45, tos=00, id=28538, frag=4000, ttl=128 tlen=48
              tcp:ports 1549->3389, seq=2915633343, ack=0, flag=7002/SYN
              00 10 db ff 20 60 00 1c 23 38 db c1 08 00 45 00     .....`..#8....E.
              00 30 6f 7a 40 00 80 06 1c 13 a1 65 96 66 a1 65     .0oz@......e.f.e
              96 09 06 0d 0d 3d ad c9 08 bf 00 00 00 00 70 02     .....=........p.
              ff ff 4a 12 00 00 02 04 05 b4 01 01 04 02           ..J........... 

****** 4846418.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 28538(6f7a), @1d5aa914
  packet passed sanity check.
  ethernet0/2:161.101.150.102/1549->161.101.150.9/3389,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  chose interface ethernet0/2 as incoming nat if.
  flow_first_routing: in <ethernet0/2>, out <N/A>
  search route to (ethernet0/2, 161.101.150.102->10.10.10.2) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 3.route 10.10.10.2->10.10.10.2, to ethernet0/1
  routed (x_dst_ip 10.10.10.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/1
  policy search from zone 1-> zone 3
 policy_flow_search  policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 161.101.150.9, port 3389, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 50/1/0x2d
  Permitted by policy 50
  No src xlate   choose interface ethernet0/1 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/1
  no loop on ifp ethernet0/1.
  session application type 0, name None, nas_id 0, timeout 1800sec
  Drop non-syn/tcp/tel/ftp/web pak in auth check
  log this session (pid=50)
policy id (50)
  packet dropped, denied by policy
  packet dropped, auth failed

 

Please see the snoop output as well
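
For triaging a longer capture of this kind, the sketch below splits "debug flow basic" output into per-packet records and picks out packets that a policy permitted but the auth check still dropped. It is an added example, not part of the original posts or any Juniper tool; the function and field names are hypothetical, and the patterns assume the line wording seen in the trace above.

```python
import re

# Lines copied (abridged) from the debug flow basic trace in the post above.
SAMPLE = """\
****** 4846418.0: <Untrust/ethernet0/2> packet received [48]******
  ethernet0/2:161.101.150.102/1549->161.101.150.9/3389,6<Root>
  no session found
  routed (x_dst_ip 10.10.10.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/1
  Permitted by policy 50
  Drop non-syn/tcp/tel/ftp/web pak in auth check
  packet dropped, denied by policy
  packet dropped, auth failed
"""

# Patterns are assumptions derived only from the wording in this trace.
HEADER = re.compile(r"^\*+\s*([\d.]+): <([^/>]+)/([^>]+)> packet received")
FLOW = re.compile(r"^\S+:([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)<")
XDST = re.compile(r"x_dst_ip ([\d.]+)")
POLICY = re.compile(r"^Permitted by policy (\d+)")
DROP = re.compile(r"^packet dropped, (.+)$")


def parse_flow_debug(text):
    """Return one dict per 'packet received' block of a debug flow basic dump."""
    packets, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"time": m[1], "zone": m[2], "ifname": m[3], "flow": None,
                   "x_dst_ip": None, "policy": None, "drops": []}
            packets.append(cur)
        elif cur is None:
            continue  # snoop hex dump or other text before the first block
        elif (m := FLOW.match(line)) and cur["flow"] is None:
            cur["flow"] = (m[1], int(m[2]), m[3], int(m[4]), int(m[5]))
        elif line.startswith("routed") and (m := XDST.search(line)):
            cur["x_dst_ip"] = m[1]
        elif m := POLICY.match(line):
            cur["policy"] = int(m[1])
        elif m := DROP.match(line):
            cur["drops"].append(m[1])
    return packets


def auth_stage_drops(packets):
    """Packets a policy permitted but the auth check still dropped."""
    return [p for p in packets
            if p["policy"] is not None and "auth failed" in p["drops"]]


if __name__ == "__main__":
    for p in auth_stage_drops(parse_flow_debug(SAMPLE)):
        print(p["time"], p["flow"], "policy", p["policy"], p["drops"])
```

Grouping the results by source address or by policy id shows whether every auth-stage drop comes from the one subnet or from a single rule.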

Trusted Expert
WL
Posts: 790
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet

Hmm, so for this user, looks like the authentication did not pass successfully.

 

Can you check the auth table for this user?

EG: get auth table

 

If it's authenticated properly but the page is not loading then there may be some issue. But if the authentication failed then the following will help to find out why there was an issue with the auth. Run "debug auth all" or "debug auth basic" together with the "debug flow basic".

 

 

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
Chuck
Posts: 32
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

I checked the Auth table and found that the user is authenticating successfully. Nevertheless, I did a debug auth and found no problems. JTAC is also completely baffled. Wretched things have tried everything. I too have tried everything.

 

Thanks for all your feedback. Are there any other suggestions?

Trusted Expert
WL
Posts: 790
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet

Hmm, the only thing I can think of is if there is another entry in the auth table already for that user?
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.