Hi,
For a few days now I have been seeing a lot of log entries about rejected logins on our SA cluster like these (all external attempts):
AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] System(no)[] - Login rejected from IP 1.2.3.4 for /no. IP address is blocked.
AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] " probe="probe6eab4f987cb80000030c(no)[] - Login rejected from IP 1.2.3.4 for " probe="probe6eab4f987cb80000030c/no. IP address is blocked.
Am I correct in saying that the SA detected some kind of hack attempt in this failed login and blocked this IP address?
If so, how come I am seeing a lot of messages like these in a rather short period of time, all from the same IP address? If this IP were blocked, shouldn't it be blocked before a login attempt?
Thanks to those who can shine a bit of light on this matter for me.
Regards,
Marc.
Marc,
From what I understand, this looks like somebody is trying to log in to your device and the SA is blocking the same. If the IP address is unknown, please set an ACL to block the traffic on your firewall upstream before a request can hit the SA, which should solve this problem.
However, you could also open a JTAC ticket and give all the logs to them to get more clarity on the same.
As a caveat, blocking access to a specific IP may prevent legit users (depending on your NAT policies).
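As an added example (not from the original thread or from the SA product), here is a small Python script that parses AUT21052 entries like the ones quoted above and lists the source IPs whose rejected logins cluster inside a short window, which is the kind of evidence you would hand to JTAC or use to justify an upstream ACL. The sample lines, the 5.6.7.8 address, the 3-event threshold and the 10-minute window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the AUT21052 format shown in the post
# (1.2.3.4 is the placeholder from the post, 5.6.7.8 is constructed).
SAMPLE_LOG = """\
AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] System(no)[] - Login rejected from IP 1.2.3.4 for /no. IP address is blocked.
AUT21052 2012-04-26 00:41:06 - SA - [1.2.3.4] " probe="probe6eab4f987cb80000030c(no)[] - Login rejected from IP 1.2.3.4 for " probe="probe6eab4f987cb80000030c/no. IP address is blocked.
AUT21052 2012-04-26 00:41:09 - SA - [1.2.3.4] System(no)[] - Login rejected from IP 1.2.3.4 for /no. IP address is blocked.
AUT21052 2012-04-26 00:52:30 - SA - [5.6.7.8] System(no)[] - Login rejected from IP 5.6.7.8 for /no. IP address is blocked.
"""

# Only the fixed prefix is parsed strictly; the "user" field after the
# bracketed IP is client-supplied and may contain quotes, spaces or '='
# (see the second sample line), so it is matched loosely as free text.
LINE_RE = re.compile(
    r"^(?P<msgid>AUT\d+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<node>\S+) - \[(?P<src>\d{1,3}(?:\.\d{1,3}){3})\] (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for a rejected-login entry, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or "Login rejected from IP" not in m.group("rest"):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    # True when the SA already had this source on its block list.
    rec["already_blocked"] = "IP address is blocked" in rec["rest"]
    return rec

def burst_sources(text, threshold=3, window=timedelta(minutes=10)):
    """Map source IP -> total rejected logins, for every IP that produced
    at least `threshold` rejections inside some `window`-long span.
    These are the candidates for an upstream firewall ACL."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    flagged, totals = set(), defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]
        totals[src] += 1
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return {src: totals[src] for src in sorted(flagged)}
```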