Network Access Control

  • 1.  SNAC (SEP 12.1) Client get disconnected

    Posted Aug 30, 2012 02:56 PM

    We are using a SNAC enforcer together with a three-SEPM-server setup for client management.

    For two days now, some of our clients have been randomly disconnecting from the management server and being placed in the guest VLAN.

    Clients look like this:

    Assign VLAN SNAC_Guest to port because Host Integrity check is PASSED, profile check is ANY and EAP auth is PASSED.


    The VLAN rules are:

    Host authentication - User authentication - Policy check

    Passed - Passed - Ignored : VLAN default

    Failed - Passed - Ignored : VLAN quarantine

    Ignored - Ignored - Ignored : VLAN guest

    So it's weird that a machine with HI and EAP passed gets into the guest network, right?


    The scm-server-0.log looks like this at the time of disconnection:

    2012-08-30 11:58:59.357 THREAD 29 SEVERE: Unexpected server error.
    com.sygate.scm.server.metadata.MetadataException: I/O Error: Connection reset
        at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:171)
        at com.sygate.scm.server.configmanager.ConfigManager.getLatestUsnForCollection(ConfigManager.java:1930)
        at com.sygate.scm.server.task.SyncLuConfigTask.syncLuConfig(SyncLuConfigTask.java:55)
        at com.sygate.scm.server.task.SyncLuConfigTask.run(SyncLuConfigTask.java:34)
        at java.util.TimerThread.mainLoop(Timer.java:512)
        at java.util.TimerThread.run(Timer.java:462)
    Caused by: java.sql.SQLException: I/O Error: Connection reset
        at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1053)
        at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQLQuery(JtdsStatement.java:465)
        at net.sourceforge.jtds.jdbc.JtdsStatement.executeQuery(JtdsStatement.java:1304)
        at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
        at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
        at com.sygate.scm.server.metadata.BaseMetadataCollection.getLastestUSN(BaseMetadataCollection.java:87)
        at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:169)
        ... 5 more
    Caused by: java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:168)
        at java.io.DataInputStream.readFully(DataInputStream.java:178)
        at java.io.DataInputStream.readFully(DataInputStream.java:152)
        at net.sourceforge.jtds.jdbc.SharedSocket.readPacket(SharedSocket.java:846)
        at net.sourceforge.jtds.jdbc.SharedSocket.getNetPacket(SharedSocket.java:727)
        at net.sourceforge.jtds.jdbc.ResponseStream.getPacket(ResponseStream.java:466)
        at net.sourceforge.jtds.jdbc.ResponseStream.read(ResponseStream.java:103)
        at net.sourceforge.jtds.jdbc.ResponseStream.peek(ResponseStream.java:88)
        at net.sourceforge.jtds.jdbc.TdsCore.wait(TdsCore.java:3932)
        at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1046)
        ... 11 more
    com.sygate.scm.server.util.ServerException: Unexpected server error.
        at com.sygate.scm.server.configmanager.ConfigManager.getLatestUsnForCollection(ConfigManager.java:1932)
        at com.sygate.scm.server.task.SyncLuConfigTask.syncLuConfig(SyncLuConfigTask.java:55)
        at com.sygate.scm.server.task.SyncLuConfigTask.run(SyncLuConfigTask.java:34)
        at java.util.TimerThread.mainLoop(Timer.java:512)
        at java.util.TimerThread.run(Timer.java:462)
    Caused by: com.sygate.scm.server.metadata.MetadataException: I/O Error: Connection reset
        at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:171)
        at com.sygate.scm.server.configmanager.ConfigManager.getLatestUsnForCollection(ConfigManager.java:1930)
        ... 4 more
    Caused by: java.sql.SQLException: I/O Error: Connection reset
        at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1053)
        at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQLQuery(JtdsStatement.java:465)
        at net.sourceforge.jtds.jdbc.JtdsStatement.executeQuery(JtdsStatement.java:1304)
        at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
        at org.apache.tomcat.dbcp.dbcp.DelegatingStatement.executeQuery(DelegatingStatement.java:208)
        at com.sygate.scm.server.metadata.BaseMetadataCollection.getLastestUSN(BaseMetadataCollection.java:87)
        at com.sygate.scm.server.metadata.MetadataManager.getLastestUsnForCollection(MetadataManager.java:169)
        ... 5 more
    Caused by: java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:168)
        at java.io.DataInputStream.readFully(DataInputStream.java:178)
        at java.io.DataInputStream.readFully(DataInputStream.java:152)
        at net.sourceforge.jtds.jdbc.SharedSocket.readPacket(SharedSocket.java:846)
        at net.sourceforge.jtds.jdbc.SharedSocket.getNetPacket(SharedSocket.java:727)
        at net.sourceforge.jtds.jdbc.ResponseStream.getPacket(ResponseStream.java:466)
        at net.sourceforge.jtds.jdbc.ResponseStream.read(ResponseStream.java:103)
        at net.sourceforge.jtds.jdbc.ResponseStream.peek(ResponseStream.java:88)
        at net.sourceforge.jtds.jdbc.TdsCore.wait(TdsCore.java:3932)
        at net.sourceforge.jtds.jdbc.TdsCore.executeSQL(TdsCore.java:1046)
        ... 11 more
    2012-08-30 16:14:45.502 THREAD 26 WARNING: Log table switched to: AGENT_SYSTEM_LOG_1, old table estimated row count: 10064, to add row count in new table: 65, last switch time: 2012-08-30 12:37:49
    2012-08-30 17:43:28.911 THREAD 25 SEVERE: Broken content link detected! Skipping content: {CC40C428-1830-44ef-B8B2-920A0B761793} Revision: 120828005 Reference Type: ObjReference ID: F3B9FA3F580DCD7C6620D99B887A362E


    Any help is GREATLY appreciated!



  • 2.  RE: SNAC (SEP 12.1) Client get disconnected

    Posted Aug 31, 2012 04:46 AM

    Aug/31/2012 05:15:12  [  radproxy.c][ 4274]: Forward identity to x.x.x.252 with user host/PCNAME1.prd.domain from authenticator x.x.x.52! HI=14
    Aug/31/2012 05:15:12  [  radproxy.c][ 5819]: Get Start Packet id as 42
    Aug/31/2012 05:15:12  [  radproxy.c][ 5920]: New inner challenge format, in PEAP body.
    Aug/31/2012 05:15:12  [  radproxy.c][ 5986]: Send PEAP Challenge to user host/PCNAME1.prd.domain via switch x.x.x.52
    Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 42, current eap packet id 42
    Aug/31/2012 05:15:12  [  radproxy.c][ 4707]: Payload=133, EAP Length=137, eaphdr=4, Reply=52
    Aug/31/2012 05:15:12  [  radproxy.c][ 4859]: No LAN Enforcer reply header for user host/PCNAME1.prd.domain
    Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.52 to RADIUS server x.x.x.252
    Aug/31/2012 05:15:12  [  radproxy.c][ 6055]: Simple Forward PEAP to user host/PCNAME1.prd.domain via switch x.x.x.52
    Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 42, current eap packet id 43
    Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.52 to RADIUS server x.x.x.252
    Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 18, current eap packet id 19
    Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.54 to RADIUS server x.x.x.252
    Aug/31/2012 05:15:12  [  radproxy.c][ 6055]: Simple Forward PEAP to user host/PCNAME1.prd.domain via switch x.x.x.52
    Aug/31/2012 05:15:12  [  radproxy.c][ 6055]: Simple Forward PEAP to user host/PCNAME1.prd.domain via switch x.x.x.54
    Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 42, current eap packet id 46
    Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.52 to RADIUS server x.x.x.252
    Aug/31/2012 05:15:12  [  radproxy.c][ 4693]: PEAP, start packet eap id is 18, current eap packet id 22
    Aug/31/2012 05:15:12  [  radproxy.c][ 4933]: Forward packet from user host/PCNAME1.prd.domain via switch x.x.x.54 to RADIUS server x.x.x.252
    Aug/31/2012 05:15:12  [  radproxy.c][ 6342]: EAP Auth ACCEPT received from RADIUS x.x.x.252 for user host/PCNAME1.prd.domain.
    Aug/31/2012 05:15:12  [  radproxy.c][ 8291]: Action table rule order 2 matched! vlan_index=1, vlan_id=254
    Aug/31/2012 05:15:12  [  radproxy.c][ 8423]: Client[0002c641] host/PCNAME1.prd.domain, Status Received(HI:UNAVAILABLE, EAP:PASSED, PRO:DISABLED), UID is UNKNOWN, HI will be set to N/A, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), switch VLAN SNAC_Guest on switch x.x.x.52.
     



  • 3.  RE: SNAC (SEP 12.1) Client get disconnected

    Posted Aug 31, 2012 06:18 AM

    While diving deeper into this problem, I found out that it could be due to our default management server list being polluted.

    It contains DNS names without the suffix; these cannot be resolved by our enforcer, and since it randomly chooses one server from the list for load balancing, it sometimes works and sometimes doesn't, resulting in clients being put in the guest VLAN.



  • 4.  RE: SNAC (SEP 12.1) Client get disconnected

    Posted Sep 05, 2012 01:35 PM

    Just as an FYI:

    IGNORE - IGNORE - IGNORE = Allow all.  That means that if no other rules match, then this will be the default action.  I usually use that for testing purposes.  Out of the box, if a rule is not matched, the port is closed.

    I usually suggest to use all 27 rules, and no IGNORE rules, so all the bases are covered.  See attached.

    Glad you were able to get that working.

    Attachment: Switch_Policy_All_27.docx (51 KB)
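    The action-table behaviour discussed in posts 1, 2 and 4, as an added Python example that is not part of this thread and not Symantec's code: it parses the "Status Received" line from post 2, evaluates that status against the three rules from post 1 in posted order (so it shows why a client reporting HI:UNAVAILABLE falls past the PASSED and FAILED rules and lands on the IGNORE catch-all in the guest VLAN), and builds the explicit 27-rule table post 4 recommends so that every combination is covered without an IGNORE rule. The function names, the handling of PRO:DISABLED as UNAVAILABLE and the strict_policy mapping are assumptions made for this example; the 1-based rule indexes it returns are positions in the list as posted, not the enforcer's own "rule order" numbering.

```python
import itertools
import re

# The three checks in a LAN Enforcer action-table rule, in the order the
# thread lists them: host authentication (Host Integrity), user
# authentication (EAP) and policy check (profile). A client status is one
# of STATES; a rule condition is a STATES value or IGNORE, which matches
# anything (the radproxy log spells IGNORE as "ANY").
STATES = ("PASSED", "FAILED", "UNAVAILABLE")
IGNORE = "ANY"

# Copy of the "Status Received" line from post 2 (constructed sample input;
# host name and IP are kept as the thread masked them).
STATUS_LINE = (
    "Aug/31/2012 05:15:12  [  radproxy.c][ 8423]: Client[0002c641] "
    "host/PCNAME1.prd.domain, Status Received(HI:UNAVAILABLE, EAP:PASSED, "
    "PRO:DISABLED), UID is UNKNOWN, HI will be set to N/A, "
    "Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), switch VLAN SNAC_Guest "
    "on switch x.x.x.52."
)

_STATUS_RE = re.compile(r"Status Received\(HI:(\w+), EAP:(\w+), PRO:(\w+)\)")


def parse_status(line):
    """Return the (HI, EAP, PRO) client status from a radproxy status line."""
    m = _STATUS_RE.search(line)
    if m is None:
        raise ValueError("no 'Status Received(...)' field in line")
    hi, eap, pro = m.groups()
    # Assumption for this example: a profile check the enforcer reports as
    # DISABLED is treated like UNAVAILABLE, i.e. it only matches IGNORE.
    if pro == "DISABLED":
        pro = "UNAVAILABLE"
    return hi, eap, pro


def evaluate(rules, status, default="CLOSE PORT"):
    """First-match evaluation of an action table.

    rules  -- list of ((hi, eap, pro), action); conditions are STATES or IGNORE
    status -- (hi, eap, pro) tuple as returned by parse_status
    Returns (1-based index of the matching rule, action). A client that
    matches no rule gets `default`, which per post 4 is a closed port.
    """
    for idx, (cond, action) in enumerate(rules, start=1):
        if all(c == IGNORE or c == s for c, s in zip(cond, status)):
            return idx, action
    return None, default


# The three rules from post 1, in the order they were posted.
POSTED_RULES = [
    (("PASSED", "PASSED", IGNORE), "VLAN default"),
    (("FAILED", "PASSED", IGNORE), "VLAN quarantine"),
    ((IGNORE, IGNORE, IGNORE), "VLAN guest"),
]


def uncovered(rules):
    """Status combinations (out of the 27) that no rule in `rules` matches."""
    return [s for s in itertools.product(STATES, repeat=3)
            if evaluate(rules, s)[0] is None]


def strict_policy(hi, eap, pro):
    """Assumed example policy for an explicit table: only a host that passed
    both HI and EAP reaches the default VLAN, a failed HI with good EAP is
    quarantined, and everything else (UNAVAILABLE included) closes the port."""
    if hi == "PASSED" and eap == "PASSED":
        return "VLAN default"
    if hi == "FAILED" and eap == "PASSED":
        return "VLAN quarantine"
    return "CLOSE PORT"


def explicit_rules(policy=strict_policy):
    """Post 4's approach: one rule per combination, no IGNORE conditions."""
    return [(combo, policy(*combo))
            for combo in itertools.product(STATES, repeat=3)]


if __name__ == "__main__":
    status = parse_status(STATUS_LINE)
    print("client status          :", status)
    print("posted table           :", evaluate(POSTED_RULES, status))
    print("posted, no catch-all   :", evaluate(POSTED_RULES[:2], status))
    print("explicit 27-rule table :", evaluate(explicit_rules(), status))
    print("combos uncovered w/o catch-all:", len(uncovered(POSTED_RULES[:2])))
```

Run stand-alone, the script shows the client from post 2 matching the guest rule (rule 3) of the posted table, matching nothing once the catch-all is removed (port closed by default), and matching rule 21 of the explicit table, which closes the port; `uncovered` is the check to run on any table before deploying it, since an empty result means no client status can fall through to the default.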