Re: [FW1] Session authentication alert/error
Jim,

I'll take a stab at it. Yes it might be a licensing issue. If you clear the $FWDIR/database/fwd.hosts and it worked, my guess is that you had exceeded your licensing of 50 or 80 users. Look in /var/adm/messages for any indications of this.

I do not know how CP handles the expiring of multiple licenses, when one is an eval and one is permanent/timed? How old is the 30 day license?

If there aren't any clear indicators of license violations, write back to the list and include your network layout, which interface(s) is/are licensed and any other messages found above, which may help explain what's going on.

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice:
email: [email protected]

>>> Jim Robinson <[email protected]> 9/29/00 12:51:33 AM >>>
>
>I have a problem and was wondering if someone could help me out. I have a CP
>4.1 NT box with a perm 50 user lic and a temp (30 day) unlimited lic.
>Everything was working fine until last week or so when several users could
>not access http from the internet. Upon inspection I found that the session
>auth agent was failing to validate fw-1 user id's that had a specified
>"from" and "to" network. A temporary solution seemed to be deleting the
>fwd.hosts file. Everything worked for about a day and then it blew up again.
>Fw-1 users that did not have a "from" or "to" net defined (ie any, any) were
>unaffected and are allowed to all URLs.
>
>My rule looks like this.
>#  SRC            DST  SERVICE               Action
>19 all users@any  any  http https pop-3 ftp  session auth
>
>Session auth properties are:
>Src. intersect with user DB
>Dest. intersect with user DB
>Contact agent at . SRC
>No policy server
>
>
>The alerts I'm getting when a user fails to connect with the session agent
>is:
>Rule 19 Connection to session agent failed, and
>User is not in the right group
>
>For example I have 2 users:
>admin src: any dst: any
>user1 src: valid_nets dst: .americanexpress.com .epx.com
>
>Could this be a licensing issue?
>Why is the admin user unaffected by this?