
EPCheck.log says "ok", IVE boots the user out anyway..

Contributor


Hi, I'm having a repeating issue with the host checker on different client sites, I've identified it on 5.5 and 6.0r3.1, I've tried creating a TAC case but having no luck as the issue is so random..

Basically, what I am seeing is this:

  1. User logs in, having passed host checks.
  2. NC/whatever starts and user begins working
  3. EPCheck.log shows the periodic end-point re-scans happening, the test passing and it transmitting the results back to the IVE
  4. However, what does happen is that after a random period (usually after the first refresh) the IVE either doesn't get or fails to process the status update and boots the user out with a client-side inactivity timeout

Has anyone else seen this? I notice references to "fixed an issue with host checker" in the 6.0r5 release notes, but it doesn't say what!

Any suggestions?

Thanks

Kendal

15 REPLIES 15
Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

Hi, just for clarification the log entry I see is:

AUT22927 2008-07-08 10:21:53 - ive - <SNIP> - System process detected a Host Checker time out on host 111.111.111.111 for user 'auser'(last update at 2008-07-08 10.02.42 +0100 BST).

Thanks!

Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

I've got the same issue. I've temporarily fixed this by disabling HostChecker policy re-evaluation by changing "Perform check every:" to 0. I've got an open JTAC case on this because I'm having a difficult time duplicating it in my lab. My EPCheck.Log is fine. My problem is seen in dsHostChecker.log pretty clearly (must enable HostChecker logging).

It does this until it gives up and the user is booted.


2008/05/27 09:57:40.888 dsHostChecker: tFFC "DebugId" 'CHttpNAR::WaitForNetwork()' [Debug] CHttpNAR::WaitForNetwork(): HTTP_RETRY, Network problem, retry in 15 seconds

2008/05/27 09:57:55.872 dsHostChecker: tFFC "DebugId" 'sendTncOverHttp()' [Debug] sendTncOverHttp(): session cookie DSSIGNIN=url_25; path=/dana-na/hc/tnchcupdate.cgi; secure;

/SNIP/

2008/05/27 09:58:16.943 dsHostChecker: tFFC "DebugId" 'CHttpNAR::WaitForNetwork()' [Debug] CHttpNAR::WaitForNetwork(): HTTP_RETRY, Network problem, retry in 15 seconds

Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

Hi Kevin,

I don't think we have the same problem but I'm pretty sure that I've seen this before too! In my case, my epcheck.log looks healthy, even after repeated checks but the user access log doesn't report the update.

In your case, I think you're running something pre-6.0r3.1. Basically the host checker fails to correctly interpret the browser proxy settings and gets stuck in a loop trying to transmit its update back to the IVE. Try upgrading to see if it goes away..

HTH

Kendal

Message Edited by KendalBeefcake on 07-09-2008 08:56 AM
Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

I'm running 6.0R5. You may be right about it being different, but it sure sounds identical.

My epcheck.log shows no problems, user booted off NC, the following in the IVE log -

Info AUT22927 2008-05-19 15:17:39 - ive - [1.1.1.1] domain\user(Network Connect)[Network Connect - Autolaunch] - System process detected a Host Checker time out on host 1.1.1.1 for user 'domain\user' (last update at 2008-05-19 14.38.38 -0400 EDT).

The only difference I see is that my problem appears in dshostchecker.log, and that I can get around it by turning off policy re-evaluation. This is what I see in dshostchecker.log

2008/05/27 10:02:29.109 dsHostChecker: tFFC "DebugId" 'CHttpNAR::run()' [Debug] CHttpNAR::run(): Error 1 sending HTTP payload. Host Checker quitting...

When I set "Perform check every" to 0 (which disables periodic re-evaluation of compliance), my users are fine.

I've had several JTAC cases on this for several months, uploaded hundreds of megs of snapshots, etc.
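
Added example, not part of any post in this thread: a small triage script that pairs the server-side AUT22927 timeout entries with the client-side dsHostChecker.log retry runs quoted above, to tell the "client gave up sending" case apart from the "client logged no error" case. The function names are hypothetical, the sample lines are constructed in the formats shown in the thread, and it assumes client and IVE clocks agree and are in the same time zone.

```python
import re
from datetime import datetime

# Constructed samples in the formats quoted in the thread (not real logs).
IVE_LOG = r"""
Info AUT22927 2008-05-19 15:17:39 - ive - [1.1.1.1] domain\user(Network Connect)[Network Connect - Autolaunch] - System process detected a Host Checker time out on host 1.1.1.1 for user 'domain\user' (last update at 2008-05-19 14.38.38 -0400 EDT).
"""
HC_LOG = """
2008/05/19 14:48:40.888 dsHostChecker: tFFC "DebugId" 'CHttpNAR::WaitForNetwork()' [Debug] CHttpNAR::WaitForNetwork(): HTTP_RETRY, Network problem, retry in 15 seconds
2008/05/19 14:49:01.943 dsHostChecker: tFFC "DebugId" 'CHttpNAR::WaitForNetwork()' [Debug] CHttpNAR::WaitForNetwork(): HTTP_RETRY, Network problem, retry in 15 seconds
2008/05/19 14:53:29.109 dsHostChecker: tFFC "DebugId" 'CHttpNAR::run()' [Debug] CHttpNAR::run(): Error 1 sending HTTP payload. Host Checker quitting...
"""

TIMEOUT_RE = re.compile(
    r"AUT22927 (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?Host Checker time out on host "
    r"(\S+) for user '([^']+)'\s*\(last update at (\d{4}-\d\d-\d\d \d\d\.\d\d\.\d\d)")
HC_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+ dsHostChecker: .*?"
                   r"(HTTP_RETRY|Host Checker quitting)", re.M)

def parse_timeouts(text):
    """AUT22927 events with the gap between the last update and the timeout."""
    out = []
    for det, host, user, last in TIMEOUT_RE.findall(text):
        detected = datetime.strptime(det, "%Y-%m-%d %H:%M:%S")
        # Assumption: both timestamps are in the same zone; the offset is ignored.
        last_update = datetime.strptime(last, "%Y-%m-%d %H.%M.%S")
        out.append({"host": host, "user": user, "detected": detected,
                    "last_update": last_update,
                    "gap_s": int((detected - last_update).total_seconds())})
    return out

def failed_sends(text):
    """(quit_time, retry_count) for each retry run that ends in a quit."""
    runs, retries = [], 0
    for stamp, kind in HC_RE.findall(text):
        if kind == "HTTP_RETRY":
            retries += 1
        else:
            runs.append((datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"), retries))
            retries = 0
    return runs

def classify(timeout, runs):
    """Did the client log a failed send inside the server's silent window?"""
    hit = any(timeout["last_update"] <= t <= timeout["detected"] for t, _ in runs)
    return "client-send-failure" if hit else "no-client-error-logged"
```

A "no-client-error-logged" result only means the client log shows no quit in that window, so the update may have been lost between the client and the IVE.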

Occasional Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

Hi All,

Do you still have the same problem ? I have the same problem on 6.1r4, and I have a SA6000 cluster (two boxes).

I'm trying to follow the same steps as you, just wondering if someone knows the answer to this problem. I didn't try to put recheck to 0 yet.

Thanks a lot,

Martin

Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

Yes, unfortunately they haven't fixed it yet. I'm on 6.1R5 and the problem is in that version too.

I've had an open case with JTAC, but it takes sooooooo long to get the data they want. If only we got paid to upload system snapshots to Juniper, we'd all be RICH!

I've simply disabled the recheck (by setting Perform check every to 0). That doesn't make my security folks happy, but until Juniper fixes this there isn't much that can be done.

Occasional Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

Hi, thanks a lot for your answer, you saved me a lot of time of bul.... with support! ;)

Anyway, I will open a ticket by my side, just to make some pressure on them to have a real solution.

For the moment I will also set my recheck to 0. Of course my security team will not be happy either, but users come first.

Thanks again,

Martin

Not applicable

Re: EPCheck.log says "ok", IVE boots the user out anyway..

I just upgraded to 6.3R3 today and I still see this problem. I initially thought it was corrected since no one in my test group reported it. But now that the whole user community is on the new release, the problem has resurfaced. It turns out that the complaints are coming from users with company supplied devices (which have Internet access passed through proxy settings).

Maybe one day this can be corrected.

New Contributor

Re: EPCheck.log says "ok", IVE boots the user out anyway..

I am having a very similar issue.... running 6.0R with ESAP 1.33. Opened up a case, and they seem to think that some modules aren't loading properly and causing issues......however, they completely missed that the host checker was completing successfully, but the IVE wasn't getting a response and there were HTTP errors like Kevin was experiencing. Not to mention my laptop gets the same "module not found" message in the dshostchecker log, but I have never had this issue.

Thinking about proxy settings further, I always use the "use proxy server for all protocols" on my laptop. I never have a problem with being kicked out as a result of a host checker time out, and I get those BS "modules failed to load" messages in my dshostchecker log. Most of my users have it set so they use a proxy for HTTP, HTTPS, and FTP, but not socks. How are everyone else's proxy settings configured? Perhaps I'm just barking up the wrong tree, but I thought it might be worth asking.