
SNAC (SEP 12.1) Client get disconnected

Created: 30 Aug 2012 | 3 comments

We are using a SNAC enforcer together with a 3-SEPM-server setup for client management.

For 2 days now, some of our clients have been randomly disconnecting from the management server and being placed in the guest VLAN.

Clients look like this:

Assign VLAN SNAC_Guest to port because Host Integrity check is PASSED, profile check is ANY and EAP auth is PASSED.

The VLAN rules are:

Host authentication   User authentication   Policy check   Assigned VLAN
Passed                Passed                Ignored        VLAN default
Failed                Passed                Ignored        VLAN quarantine
Ignored               Ignored               Ignored        VLAN guest

So it's weird that a machine with HI and EAP passed gets into the guest network, right?

The scm-server-0.log looks like this at the time of disconnection:

2012-08-30 11:58:59.357 THREAD 29 SEVERE: Unexpected server error.
com.sygate.scm.server.metadata.MetadataException: I/O Error: Connection reset
    at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:171)
    at com.sygate.scm.server.configmanager.ConfigManager.getLatestUsnForCollection(ConfigManager.java:1930)
    at com.sygate.scm.server.task.SyncLuConfigTask.syncLuConfig(SyncLuConfigTask.java:55)
    at com.sygate.scm.server.task.SyncLuConfigTask.run(SyncLuConfigTask.java:34)
    at java.util.TimerThread.mainLoop(Timer.java:512)
    at java.util.TimerThread.run(Timer.java:462)
Caused by: java.sql.SQLException: I/O Error: Connection reset
    at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1053)
    at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQLQuery(JtdsStatement.java:465)
    at net.sourceforge.jtds.jdbc.JtdsStatement.executeQuery(JtdsStatement.java:1304)
    at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
    at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
    at com.sygate.scm.server.metadata.BaseMetadataCollection.getLastestUSN(BaseMetadataCollection.java:87)
    at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:169)
    ... 5 more
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:168)
    at java.io.DataInputStream.readFully(DataInputStream.java:178)
    at java.io.DataInputStream.readFully(DataInputStream.java:152)
    at net.sourceforge.jtds.jdbc.SharedSocket.readPacket(SharedSocket.java:846)
    at net.sourceforge.jtds.jdbc.SharedSocket.getNetPacket(SharedSocket.java:727)
    at net.sourceforge.jtds.jdbc.ResponseStream.getPacket(ResponseStream.java:466)
    at net.sourceforge.jtds.jdbc.ResponseStream.read(ResponseStream.java:103)
    at net.sourceforge.jtds.jdbc.ResponseStream.peek(ResponseStream.java:88)
    at net.sourceforge.jtds.jdbc.TdsCore.wait(TdsCore.java:3932)
    at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1046)
    ... 11 more
com.sygate.scm.server.util.ServerException: Unexpected server error.
    at com.sygate.scm.server.configmanager.ConfigManager.getLatestUsnForCollection(ConfigManager.java:1932)
    at com.sygate.scm.server.task.SyncLuConfigTask.syncLuConfig(SyncLuConfigTask.java:55)
    at com.sygate.scm.server.task.SyncLuConfigTask.run(SyncLuConfigTask.java:34)
    at java.util.TimerThread.mainLoop(Timer.java:512)
    at java.util.TimerThread.run(Timer.java:462)
Caused by: com.sygate.scm.server.metadata.MetadataException: I/O Error: Connection reset
    at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:171)
    at com.sygate.scm.server.configmanager.ConfigManager.getLatestUsnForCollection(ConfigManager.java:1930)
    ... 4 more
Caused by: java.sql.SQLException: I/O Error: Connection reset
    at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1053)
    at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQLQuery(JtdsStatement.java:465)
    at net.sourceforge.jtds.jdbc.JtdsStatement.executeQuery(JtdsStatement.java:1304)
    at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
    at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
    at com.sygate.scm.server.metadata.BaseMetadataCollection.getLastestUSN(BaseMetadataCollection.java:87)
    at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:169)
    ... 5 more
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:168)
    at java.io.DataInputStream.readFully(DataInputStream.java:178)
    at java.io.DataInputStream.readFully(DataInputStream.java:152)
    at net.sourceforge.jtds.jdbc.SharedSocket.readPacket(SharedSocket.java:846)
    at net.sourceforge.jtds.jdbc.SharedSocket.getNetPacket(SharedSocket.java:727)
    at net.sourceforge.jtds.jdbc.ResponseStream.getPacket(ResponseStream.java:466)
    at net.sourceforge.jtds.jdbc.ResponseStream.read(ResponseStream.java:103)
    at net.sourceforge.jtds.jdbc.ResponseStream.peek(ResponseStream.java:88)
    at net.sourceforge.jtds.jdbc.TdsCore.wait(TdsCore.java:3932)
    at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1046)
    ... 11 more
2012-08-30 16:14:45.502 THREAD 26 WARNING: Log table switched to: AGENT_SYSTEM_LOG_1, old table estimated row count: 10064, to add row count in new table: 65, last switch time: 2012-08-30 12:37:49
2012-08-30 17:43:28.911 THREAD 25 SEVERE: Broken content link detected! Skipping content: {CC40C428-1830-44ef-B8B2-920A0B761793} Revision: 120828005 Reference Type: ObjReference ID: F3B9FA3F580DCD7C6620D99B887A362E

Any help is GREATLY appreciated!
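Added example (not from this thread or from Symantec): a small Python model of the enforcer's action table as listed in the post, plus a parser for the "Status Received(HI:..., EAP:..., PRO:...)" triple that the radproxy log prints in the first comment. Walking the three rules top-down shows why a client whose Host Integrity result is UNAVAILABLE (neither PASSED nor FAILED) is caught only by the all-Ignored third rule and lands in the guest VLAN. The rule numbering, the sample log line and the "port stays closed" wording for an unmatched client are taken from the thread; the code structure is my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Outcomes as the LAN Enforcer's radproxy log spells them, e.g.
# "Status Received(HI:UNAVAILABLE, EAP:PASSED, PRO:DISABLED)".
ANY = "ANY"  # the "Ignored" column in the post's table: matches any outcome


@dataclass(frozen=True)
class Rule:
    host_auth: str   # Host Integrity (HI) outcome required, or ANY
    user_auth: str   # EAP user/machine authentication outcome, or ANY
    policy: str      # policy/profile check outcome, or ANY
    vlan: str        # VLAN assigned when the rule matches

    def matches(self, hi: str, eap: str, pro: str) -> bool:
        wanted = (self.host_auth, self.user_auth, self.policy)
        return all(w == ANY or w == got for w, got in zip(wanted, (hi, eap, pro)))


# The three rules from the original post, in the order they were listed.
# (The enforcer's own numbering in the log, "rule order 2", need not match
# this listing; the first-match mechanics are what matter here.)
POST_RULES = [
    Rule("PASSED", "PASSED", ANY, "VLAN default"),
    Rule("FAILED", "PASSED", ANY, "VLAN quarantine"),
    Rule(ANY, ANY, ANY, "VLAN guest"),
]

STATUS_RE = re.compile(r"Status Received\(HI:([A-Z/]+), EAP:([A-Z/]+), PRO:([A-Z/]+)\)")


def parse_status(line: str) -> tuple[str, str, str]:
    """Extract the (HI, EAP, PRO) outcome triple from a radproxy status line."""
    m = STATUS_RE.search(line)
    if m is None:
        raise ValueError("line carries no 'Status Received(...)' triple")
    return m.group(1), m.group(2), m.group(3)


def first_match(rules, hi, eap, pro):
    """Walk the action table top-down; return (1-based rule number, VLAN) of the first hit."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(hi, eap, pro):
            return number, rule.vlan
    return None, None


# Constructed sample, modelled on the enforcer log line quoted in the thread.
SAMPLE_LINE = ("Aug/31/2012 05:15:12  [  radproxy.c][ 8423]: Client[0002c641] "
               "host/PCNAME1.prd.domain, Status Received(HI:UNAVAILABLE, EAP:PASSED, "
               "PRO:DISABLED), UID is UNKNOWN, HI will be set to N/A, "
               "Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), switch VLAN SNAC_Guest")


def explain(line: str, rules=POST_RULES) -> str:
    """Return a one-line explanation of why a logged client landed where it did."""
    hi, eap, pro = parse_status(line)
    number, vlan = first_match(rules, hi, eap, pro)
    if number is None:
        return f"HI={hi} EAP={eap} PRO={pro}: no rule matched (port stays closed)"
    return f"HI={hi} EAP={eap} PRO={pro}: rule {number} -> {vlan}"


if __name__ == "__main__":
    print(explain(SAMPLE_LINE))
    # A healthy client, for contrast: HI and EAP both PASSED hits rule 1.
    print(first_match(POST_RULES, "PASSED", "PASSED", "DISABLED"))
```

Running `explain()` over a day's radproxy log (one call per "Status Received" line) gives a quick count of how many clients were decided by the catch-all rule rather than by an explicit one; a sudden rise in HI=UNAVAILABLE decisions points at the agent losing contact with its management server rather than at a real Host Integrity failure.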



schaijik:

Aug/31/2012 05:15:12  [  radproxy.c][ 4274]: Forward identity to x.x.x.252 with user host/PCNAME1.prd.domain from authenticator x.x.x.52! HI=14
Aug/31/2012 05:15:12  [  radproxy.c][ 5819]: Get Start Packet id as 42
Aug/31/2012 05:15:12  [  radproxy.c][ 5920]: New inner challenge format, in PEAP body.
Aug/31/2012 05:15:12  [  radproxy.c][ 5986]: Send PEAP Challenge to user host/PCNAME1.prd.domain via switch x.x.x.52
Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 42, current eap packet id 42
Aug/31/2012 05:15:12  [  radproxy.c][ 4707]: Payload=133, EAP Length=137, eaphdr=4, Reply=52
Aug/31/2012 05:15:12  [  radproxy.c][ 4859]: No LAN Enforcer reply header for user host/PCNAME1.prd.domain
Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.52 to RADIUS server x.x.x.252
Aug/31/2012 05:15:12  [  radproxy.c][ 6055]: Simple Forward PEAP to user host/PCNAME1.prd.domain via switch x.x.x.52
Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 42, current eap packet id 43
Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.52 to RADIUS server x.x.x.252
Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 18, current eap packet id 19
Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.54 to RADIUS server x.x.x.252
Aug/31/2012 05:15:12  [  radproxy.c][ 6055]: Simple Forward PEAP to user host/PCNAME1.prd.domain via switch x.x.x.52
Aug/31/2012 05:15:12  [  radproxy.c][ 6055]: Simple Forward PEAP to user host/PCNAME1.prd.domain via switch x.x.x.54
Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 42, current eap packet id 46
Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.52 to RADIUS server x.x.x.252
Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 18, current eap packet id 22
Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.54 to RADIUS server x.x.x.252
Aug/31/2012 05:15:12  [  radproxy.c][ 6342]: EAP Auth ACCEPT received from RADIUS x.x.x.252 for user host/PCNAME1.prd.domain.
Aug/31/2012 05:15:12  [  radproxy.c][ 8291]: Action table rule order 2 matched! vlan_index=1, vlan_id=254
Aug/31/2012 05:15:12  [  radproxy.c][ 8423]: Client[0002c641] host/PCNAME1.prd.domain, Status Received(HI:UNAVAILABLE, EAP:PASSED, PRO:DISABLED), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), switch VLAN SNAC_Guest on switch x.x.x.52.

schaijik:

While diving deeper into this problem, I found out that it could be due to our default management server list being polluted.

It contains DNS names without the suffix; these cannot be resolved by our enforcer, and since it randomly chooses one server from the list for load balancing, it sometimes works and sometimes doesn't, resulting in clients being put in the guest VLAN.
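Added example (not from this thread or from Symantec): a Python audit of a management server list that flags entries without a domain suffix and entries that do not resolve, then computes how often a uniformly random pick lands on a bad entry. The server names, the stand-in DNS table and the `fake_resolve` function are constructed so the script runs offline; in practice you would pass the real list and keep the default `socket.gethostbyname` resolver, run from the enforcer itself, because that is the host whose resolver matters.

```python
import ipaddress
import socket


def is_ip_literal(entry: str) -> bool:
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def is_fully_qualified(entry: str) -> bool:
    """An IP literal, or a host name that carries a domain suffix."""
    return is_ip_literal(entry) or "." in entry.strip(".")


def audit_server_list(entries, resolve=socket.gethostbyname):
    """Classify each management server entry as 'ok', 'unqualified' or 'unresolvable'.

    Unqualified names are flagged without a lookup: whether they resolve depends
    on the search domain of whichever host does the lookup, which is exactly the
    kind of host-to-host difference that produces intermittent failures.
    """
    report = {}
    for entry in entries:
        if not is_fully_qualified(entry):
            report[entry] = "unqualified"
            continue
        try:
            resolve(entry)
            report[entry] = "ok"
        except OSError:  # socket.gaierror and socket.herror are OSError subclasses
            report[entry] = "unresolvable"
    return report


def bad_pick_fraction(report) -> float:
    """If the enforcer picks a server uniformly at random, how often is it a bad one?"""
    if not report:
        return 0.0
    return sum(1 for status in report.values() if status != "ok") / len(report)


# Constructed sample list: two qualified names and one bare host name.
SAMPLE_LIST = ["sepm01.prd.example.com", "sepm02", "sepm03.prd.example.com"]

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "sepm01.prd.example.com": "192.0.2.11",
    "sepm03.prd.example.com": "192.0.2.13",
}


def fake_resolve(name: str) -> str:
    """Constructed resolver: behaves like socket.gethostbyname against FAKE_DNS."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no record for {name}")


if __name__ == "__main__":
    report = audit_server_list(SAMPLE_LIST, resolve=fake_resolve)
    for entry, status in report.items():
        print(f"{entry:30} {status}")
    print(f"fraction of random picks landing on a bad entry: {bad_pick_fraction(report):.2f}")
```

With one bad entry in a list of three, a third of load-balanced picks fail, which matches the "sometimes works, sometimes doesn't" pattern described above; the fix is to make every entry an FQDN or IP literal that resolves from the enforcer, not to add a search domain on one host and hope the others match.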

Chuck Edson:

Just as an FYI:

IGNORE - IGNORE - IGNORE = Allow all.  That means that if no other rules match, then this will be the default action.  I usually use that for testing purposes.  Out of the box, if a rule is not matched, the port is closed.

I usually suggest to use all 27 rules, and no IGNORE rules, so all the bases are covered.  See attached.

Glad you were able to get that working.

Attachment: Switch_Policy_All_27.docx (51.64 KB)

If a post helps you, please mark it as the solution to your issue.
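Added example (not from this thread or from the attached document): a Python check of the "all 27 rules, no IGNORE rules" advice. It assumes each of the three checks can report one of three outcomes, PASSED, FAILED or UNAVAILABLE (the post's table shows Passed and Failed, the enforcer log shows UNAVAILABLE), which gives the 27 combinations. It enumerates them, reports which combinations are unmatched or are decided only by an all-Ignored catch-all, and expands a wildcard rule list into 27 explicit rules with the same effect so that each decision (for example, HI UNAVAILABLE going to the guest VLAN) is visible and can be changed deliberately. The rule tuples mirror the original post's table; the function names are my own.

```python
from itertools import product

OUTCOMES = ("PASSED", "FAILED", "UNAVAILABLE")  # assumed results each check can report
ANY = "ANY"                                     # an "Ignored" column: matches every outcome


def rule_matches(rule, combo) -> bool:
    """rule = (hi, eap, policy, vlan); combo = (hi, eap, policy) outcomes."""
    return all(want == ANY or want == got for want, got in zip(rule[:3], combo))


def first_match(rules, combo):
    """Top-down first match: (1-based rule number, VLAN) or (None, None)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, combo):
            return number, rule[3]
    return None, None


def all_combinations():
    return list(product(OUTCOMES, repeat=3))  # 3 * 3 * 3 = 27


def uncovered(rules):
    """Combinations no rule matches (out of the box, that port is closed)."""
    return [c for c in all_combinations() if first_match(rules, c) == (None, None)]


def handled_by_catch_all(rules):
    """Combinations whose deciding rule is an all-Ignored (ANY, ANY, ANY) rule."""
    out = []
    for combo in all_combinations():
        number, _ = first_match(rules, combo)
        if number is not None and all(col == ANY for col in rules[number - 1][:3]):
            out.append(combo)
    return out


def expand_to_explicit(rules):
    """Rewrite a rule list with Ignored columns as up to 27 explicit rules that
    assign the same VLAN for every combination, so nothing is decided implicitly."""
    explicit = []
    for combo in all_combinations():
        _, vlan = first_match(rules, combo)
        if vlan is not None:
            explicit.append(combo + (vlan,))
    return explicit


# The original post's table, in order.
POST_RULES = [
    ("PASSED", "PASSED", ANY, "VLAN default"),
    ("FAILED", "PASSED", ANY, "VLAN quarantine"),
    (ANY, ANY, ANY, "VLAN guest"),
]

if __name__ == "__main__":
    print(len(handled_by_catch_all(POST_RULES)), "of 27 combinations are decided by the catch-all")
    print(len(uncovered(POST_RULES[:2])), "combinations would be unmatched without it")
    for rule in expand_to_explicit(POST_RULES):
        print(rule)
```

The expansion is where the review happens: once the 21 combinations that the catch-all silently sends to the guest VLAN are spelled out, an administrator can decide per row whether, say, HI UNAVAILABLE with EAP PASSED should really be treated like an unknown device or should go to quarantine until the agent reconnects.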