cancel
Showing results for 
Search instead for 
Did you mean: 

Odd disconnect/reconnect issue...

SOLVED
Highlighted
Occasional Contributor

Odd disconnect/reconnect issue...

I have an SA cluster setup as active/active on 5.5R1, all connectivity for users is ok, the general useage is network connect with some access filters applied.

Every now and then, users are disconnected, either for an idle time-out or host-checker timeout, when they reconnect they authenticate ok and then get the 'Existing Session Exists' page, so they click continue to kill their old session....but it fails and they have to try again. They then get stuck in this loop.

When we look on the admin of the SA, a lot of the time there is no existing session.

Now, I have noted that 'Persistent Sessions' are enabled, which could help this issue, as it'll kill the existing session quicker, but I don't think it's the cause....

Anyone had this or something similar? Maybe something to do with the laptop privileges? or security of the build?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Occasional Contributor

Re: Odd disconnect/reconnect issue...

Ok, I have nailed this down to a conflict between the role session timer/timeout and the HC/NC timeouts.

When the user has an ungraceful disconnect (power down/wifi out/battery out), the PC will have a session cookie valid until the idle timeout for the role (in this case 60 mins).

The HC is set to check every 10 mins and idle with no activity after 20. The Network Connect then drops after around 20 mins as the HC checks fail and NC has no traffic. The session is deleted from the IVE (you can tell by watching the Active Users/Logs).

At this point, if the user attempts to logon again, he gets the 'concurrent users' page and clicks 'continue' to kill the old session.

Here's the problem - for some reason (something to do with the session cookie) the user is denied logon, given a message telling them that a session is already on the IVE with it's IP address. Multiple attempts to re-connect get the same message until the 60 mins idle is up.

Bug or just an idle timer conflict?

Ways around it?

Cache Cleaner - would ensure the session is clean to start with? But is a global change and would affect the user experience.

Reduce the Session Idle timout, make it closer or equal to the HC inactivity timeout?

Turn off Persistent Sessions - would make sure the session is closed upon browser closure - but again, would affect the user experience....they use a custom home page so won't know that they're killing their session when closing the browser.

Your thoughts?

View solution in original post

7 REPLIES 7
Highlighted
Contributor

Re: Odd disconnect/reconnect issue...

Hi Joel,

How do you do to load balance session on your 2 SA.

- Load balancing with a third appliance ?

- 2 url with 2 differenents DNS hostname ?

Sylvain

Highlighted
Occasional Contributor

Re: Odd disconnect/reconnect issue...

Hi Sylvain,

The IVE Clustering uses a virtual IP address to load balance so no external load balancer is required. Once you cluster the IVE's together they will appear as a single system to users.

Highlighted
Occasional Contributor

Re: Odd disconnect/reconnect issue...

Looking at the release notes for 6.0 it seems like there are many timeout issues that have been fixed from 5.5 to 6.0.

http://www.juniper.net/techpubs/software/ive/6.x/6.0/

Is this problem happening across all of your users or just a select few? There were some known issues where a user with more than one browser logged into the IVE would cause session problems. From your description it sounds more like an internal issue in the IVE that an upgrade to 6.0 or 6.1 would address. You may want to open a case with the JTAC to confirm if this is a known issue before going down the upgrade path. Also, what type of authentication server are you using (RADIUS, LDAP, AD)?

Highlighted
Contributor

Re: Odd disconnect/reconnect issue...

Hi SkyWalker,

I m agree with you in a Active/Passive Case. But it seem it s an Active/Active case , i ve done this kind of config with a DX device in order to load balance session on 2 SA and it s work pretty well. I ask this question because some issue can sometime occurs if there is no sticky connection mecanism , i got this bad experience and ask myself if our friend don t have the same problem Smiley Surprised

Highlighted
New Contributor

Re: Odd disconnect/reconnect issue...

I have a similiar disconnect issue but I am not clustered. 6.1r2 sessions timing out after about 30 minutes. No clue why yet
Highlighted
Contributor

Re: Odd disconnect/reconnect issue...

I have been able to resolve this in the past by forcing a purge of all juniper temp files on the client side at login, seems to happen a lot after an upgrade or importing a config from back up.
Highlighted
Occasional Contributor

Re: Odd disconnect/reconnect issue...

Ok, I have nailed this down to a conflict between the role session timer/timeout and the HC/NC timeouts.

When the user has an ungraceful disconnect (power down/wifi out/battery out), the PC will have a session cookie valid until the idle timeout for the role (in this case 60 mins).

The HC is set to check every 10 mins and idle with no activity after 20. The Network Connect then drops after around 20 mins as the HC checks fail and NC has no traffic. The session is deleted from the IVE (you can tell by watching the Active Users/Logs).

At this point, if the user attempts to logon again, he gets the 'concurrent users' page and clicks 'continue' to kill the old session.

Here's the problem - for some reason (something to do with the session cookie) the user is denied logon, given a message telling them that a session is already on the IVE with it's IP address. Multiple attempts to re-connect get the same message until the 60 mins idle is up.

Bug or just an idle timer conflict?

Ways around it?

Cache Cleaner - would ensure the session is clean to start with? But is a global change and would affect the user experience.

Reduce the Session Idle timout, make it closer or equal to the HC inactivity timeout?

Turn off Persistent Sessions - would make sure the session is closed upon browser closure - but again, would affect the user experience....they use a custom home page so won't know that they're killing their session when closing the browser.

Your thoughts?

View solution in original post