Connection between IC4500 and SRX3600 flapping

New Contributor

Hi experts,

Our company has an IC4500 for firewall user login authentication. Recently we found that the connection between the IC4500 and our firewall SRX3600 sometimes flaps. It occurs about once a day, and every time I restart the service on the IC4500, it recovers.
And we found the log on SRX3600 like below:

Jul 27 13:22:05 HZ-SRX3600-1 uacd[1403]: Duplicate auth table entry from same source 10.40.4.19 with different ID
Jul 27 13:22:05 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is disconnected
Jul 27 13:22:05 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is connected
Jul 27 13:22:06 HZ-SRX3600-1 nsd[1414]: ROLE_CHANGE: IC has changed file "/var/db/uac.roles".
Jul 27 13:22:06 HZ-SRX3600-1 uacd[1403]: Duplicate auth table entry from same source 10.40.4.19 with different ID
Jul 27 13:22:06 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is disconnected
Jul 27 13:22:06 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is connected
Jul 27 13:22:06 HZ-SRX3600-1 nsd[1414]: ROLE_CHANGE: IC has changed file "/var/db/uac.roles".
Jul 27 13:22:07 HZ-SRX3600-1 uacd[1403]: Duplicate auth table entry from same source 10.40.4.19 with different ID
Jul 27 13:22:07 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is disconnected
Jul 27 13:22:07 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is connected
Jul 27 13:22:07 HZ-SRX3600-1 nsd[1414]: ROLE_CHANGE: IC has changed file "/var/db/uac.roles".

Log on IC4500 like below:

Major GWE24572 2015-07-27 13:22:42 - UAC01 - [127.0.0.1] System()[] - Lost connection to enforcer SRX3600-1(10.8.48.9).
Info GWE23603 2015-07-27 13:22:42 - UAC01 - [127.0.0.1] System()[] - Enforcer SRX3600-1(10.8.48.9) connected
Info GWE23595 2015-07-27 13:22:41 - UAC01 - [127.0.0.1] System()[] - Received enforcer connect message from SRX3600-1(10.8.48.9)
Info GWE24037 2015-07-27 13:22:41 - UAC01 - [127.0.0.1] System()[] - Enforcer SRX3600-1(10.8.48.9) disconnected.
Major GWE24572 2015-07-27 13:22:41 - UAC01 - [127.0.0.1] System()[] - Lost connection to enforcer SRX3600-1(10.8.48.9).
Info GWE23603 2015-07-27 13:22:41 - UAC01 - [127.0.0.1] System()[] - Enforcer SRX3600-1(10.8.48.9) connected
Info GWE23595 2015-07-27 13:22:40 - UAC01 - [127.0.0.1] System()[] - Received enforcer connect message from SRX3600-1(10.8.48.9)
Info GWE24037 2015-07-27 13:22:40 - UAC01 - [127.0.0.1] System()[] - Enforcer SRX3600-1(10.8.48.9) disconnected.
Major GWE24572 2015-07-27 13:22:40 - UAC01 - [127.0.0.1] System()[] - Lost connection to enforcer SRX3600-1(10.8.48.9).
Info GWE23603 2015-07-27 13:22:40 - UAC01 - [127.0.0.1] System()[] - Enforcer SRX3600-1(10.8.48.9) connected
Info GWE23595 2015-07-27 13:22:40 - UAC01 - [127.0.0.1] System()[] - Received enforcer connect message from SRX3600-1(10.8.48.9)
Info GWE24037 2015-07-27 13:22:40 - UAC01 - [127.0.0.1] System()[] - Enforcer SRX3600-1(10.8.48.9) disconnected.
Major GWE24572 2015-07-27 13:22:40 - UAC01 - [127.0.0.1] System()[] - Lost connection to enforcer SRX3600-1(10.8.48.9).

Our IC4500 version is 4.3R1 (build 19997), and the SRX3600 Junos version is 12.1X44-D40.2.
Moderator

Re: Connection between IC4500 and SRX3600 flapping

Is that a cluster?
You may want to look at asking in the IC forum as well as opening a case for further discussion.
New Contributor

Re: Connection between IC4500 and SRX3600 flapping

Hi,

Yes, it is a cluster.
Isn't this the IC forum?
So what's the address of the IC forum?
Moderator

Re: Connection between IC4500 and SRX3600 flapping

This specific one is for the Pulse Connect Secure (previously SA/IVE); the Pulse Policy Secure (formerly IC/UAC) is at: https://forums.pulsesecure.net/topic/pulse-policy-secure.
Moderator

Re: Connection between IC4500 and SRX3600 flapping

Hello, the issue you are seeing is being caused by the IC4500 sending out a duplicate auth table entry to the SRX. The uacd process on the SRX is designed to catch this behavior and will attempt to reconcile the auth table between the SRX and the IC. The only way it can do so is by disconnecting and reconnecting to/from the IC.

You will need to file a case with our Global Support Center so that we can gather the necessary logging data to understand WHY the IC is sending a duplicate auth table to the SRX in the first place.

Thank you

Craig
Moderator

Re: Connection between IC4500 and SRX3600 flapping

Also, to save time on the troubleshooting, leave the uacd trace running on the SRX.
On the IC4500, under the Events Logging Settings, please enable the option for "Enforcer Command Trace" and save that setting.

You will need to wait for at least two disconnect cycles to occur. This way, we can capture the SRX reconnecting and all subsequent auth table updates sent to the SRX.

Along with the uacd trace log and the EVENTS log, we would also like to have the USER ACCESS log that shows the users logging in and out. You can simply use the SAVE ALL LOGS button on any of the logging screens and this will create a tar.gz file with the IC side data. This way, we can correlate the uacd trace error time stamp with that of the IC's logging and can then hopefully capture WHY the IC is sending a duplicate auth table entry.

If you have these logs ready at the time you create the case, it should greatly speed up the troubleshooting time.

Thanks

Craig
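
The pattern described in the replies above (a duplicate auth table entry followed by uacd disconnecting and reconnecting) can be counted directly from the SRX syslog before opening a case. This is an added example, not code from the thread or from the vendor; the function names are hypothetical, and the year is assumed to be 2015 (taken from the IC log) because the syslog lines carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the first eight SRX log lines quoted in the original post.
SRX_LOG = """\
Jul 27 13:22:05 HZ-SRX3600-1 uacd[1403]: Duplicate auth table entry from same source 10.40.4.19 with different ID
Jul 27 13:22:05 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is disconnected
Jul 27 13:22:05 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is connected
Jul 27 13:22:06 HZ-SRX3600-1 nsd[1414]: ROLE_CHANGE: IC has changed file "/var/db/uac.roles".
Jul 27 13:22:06 HZ-SRX3600-1 uacd[1403]: Duplicate auth table entry from same source 10.40.4.19 with different ID
Jul 27 13:22:06 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is disconnected
Jul 27 13:22:06 HZ-SRX3600-1 uacd[1403]: Infranet Controller 'UAC-01' is connected
Jul 27 13:22:06 HZ-SRX3600-1 nsd[1414]: ROLE_CHANGE: IC has changed file "/var/db/uac.roles".
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) uacd\[\d+\]: (.*)$")
DUP = re.compile(r"Duplicate auth table entry from same source (\S+) with different ID")
STATE = re.compile(r"Infranet Controller '([^']+)' is (disconnected|connected)")

def flap_cycles(text, year=2015):
    """Return one dict per cycle: duplicate entry -> disconnect -> reconnect."""
    cycles, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a uacd line (e.g. nsd ROLE_CHANGE)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if (d := DUP.search(msg)):
            cur = {"source": d.group(1), "dup_at": ts}
        elif (s := STATE.search(msg)) and cur is not None:
            if s.group(2) == "disconnected":
                cur["controller"], cur["down_at"] = s.group(1), ts
            elif "down_at" in cur:  # reconnect closes the cycle
                cur["up_at"] = ts
                cycles.append(cur)
                cur = None
    return cycles

def summarize(cycles):
    """Count cycles per source and check that at least two were captured."""
    sources = Counter(c["source"] for c in cycles)
    return {"cycles": len(cycles), "sources": sources,
            "two_cycles_captured": len(cycles) >= 2}
```

A disconnect that is not preceded by a duplicate-entry message is deliberately ignored, so the count reflects only the behaviour described in the replies.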