
PSA3000 intermittent AD issues

SOLVED
New Contributor


We utilize a PSA3000 VPN with AD and every month or two the box all of a sudden stops authenticating Active Directory users and requires a hardware reboot of the PSA to restore function. This recently happened again this weekend with the log entries below. I don't know that it's related, but it repeats those same 4 lines since the issue started. Running 8.3R7 code. Anyone know what could be causing this? We've been using this box a while, and my thinking is maybe the recent code upgrade from R4 back in Dec/Jan timeframe could be a potential culprit?

 

Info STS30667 2019-05-28 08:00:29 - ive - [127.0.0.1System()[] - Number of NCP connections: 2

Info STS20641 2019-05-28 08:00:28 - ive - [127.0.0.1System()[] - Number of concurrent users logged in to the device: 10

Major ADM20652 2019-05-28 07:54:07 - ive - [127.0.0.1System()[] - NTP server 'XXXXXXXX' is unreachable or the symmetric key provided is incorrect.

Major ADM20652 2019-05-28 07:54:03 - ive - [127.0.0.1System()[] - NTP server 'XXXXXXXX' is unreachable or the symmetric key provided is incorrect.

Moderator

Re: PSA3000 intermittent AD issues

Time skew will cause problems with authentication. can you confirm that the firewall should be allowing that communication through? if you have a symmetric key for authentication, did that change?
is it possible it is related to the R4 upgrade? yes. do i think it is probable (based on experience)? no.
i would definitely recommend checking the communication with the NTP servers
Moderator

Re: PSA3000 intermittent AD issues

@zanyterp is absolutely right about the time skew part. I have seen issues with AD authentication when there is a time drift between AD and VPN server smaller than 5 minutes.

 

On the AD logs, we would see "Login_Failure" events recorded, however no pointers about the time drift.

New Contributor

Re: PSA3000 intermittent AD issues

Time was off by 6 minutes even though it's supposedly using our Domain Controller for time. Corrected it manually, and the box started authenticating properly again. I'll monitor over the next few weeks to see if the behavior creeps up again, but I think that solved the issue without a reboot, at least in the short term. Thanks!

Moderator

Re: PSA3000 intermittent AD issues

glad to hear both the time and login issues were corrected successfully; i hope all is continuing to be successful
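
The thread's resolution suggests watching for the NTP failure entries before authentication breaks. As an added example (not part of the thread and not vendor code), this Python scans log lines in the layout quoted in the first post and reports NTP servers whose `ADM20652` failures persist. The thresholds, the function names and the sample server names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout as quoted in the thread: severity, message ID, timestamp, free text.
LINE_RE = re.compile(
    r"^(?P<sev>\w+)\s+(?P<msgid>[A-Z]{3}\d+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+-\s+(?P<rest>.*)$")
NTP_FAIL_ID = "ADM20652"   # message ID of the NTP failure entry in the thread
SERVER_RE = re.compile(r"NTP server '([^']*)'")

def parse(lines):
    """Yield (timestamp, msgid, text); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["msgid"], m["rest"]

def ntp_outages(lines, min_events=3, min_span=timedelta(minutes=30)):
    """Return {server: (first, last, count)} for persistent NTP failures.

    min_events and min_span are assumed thresholds, not vendor guidance.
    """
    seen = defaultdict(list)
    for ts, msgid, text in parse(lines):
        if msgid == NTP_FAIL_ID:
            s = SERVER_RE.search(text)
            seen[s.group(1) if s else "unknown"].append(ts)
    outages = {}
    for server, stamps in seen.items():
        first, last = min(stamps), max(stamps)
        if len(stamps) >= min_events and last - first >= min_span:
            outages[server] = (first, last, len(stamps))
    return outages

# Constructed sample in the thread's layout; server names are placeholders.
_SRC = "- ive - [127.0.0.1System()[] - "
_FAIL = "NTP server '{}' is unreachable or the symmetric key provided is incorrect."
SAMPLE = [
    f"Major ADM20652 2019-05-28 06:54:03 {_SRC}{_FAIL.format('ntp-a.example')}",
    f"Major ADM20652 2019-05-28 07:24:05 {_SRC}{_FAIL.format('ntp-a.example')}",
    f"Info STS20641 2019-05-28 07:30:28 {_SRC}Number of concurrent users logged in to the device: 10",
    f"Major ADM20652 2019-05-28 07:54:07 {_SRC}{_FAIL.format('ntp-a.example')}",
    f"Major ADM20652 2019-05-28 07:55:00 {_SRC}{_FAIL.format('ntp-b.example')}",
    "not a log line",
]

if __name__ == "__main__":
    for server, (first, last, n) in ntp_outages(SAMPLE).items():
        print(f"NTP '{server}' failing {first} -> {last} ({n} events): check clock skew")
```

A single isolated failure (the `ntp-b.example` line) is not reported; only failures that repeat over the assumed window are.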