Has anyone seen an issue where an SA sources traffic to the RSA ACE auth server from its cluster VIP address and not the physical interface address? A customer has a problem where this is happening and they are getting "node verification failed" because of it.
The history is that the RSA authentication was working previously, with the traffic sourced from the physical interface addresses. However, they converted the internal interfaces to VLAN-tagged, and set up a route to source the RSA server traffic from one of the VLAN interfaces. Now the traffic is coming from the cluster VIP on the right VLAN, but not from the real member VLAN interface addresses. Is this a known issue? I can't see it documented anywhere.
Hi,
Check these KB links and see if it helps
Regards,
Kannan
Hi Kannan
Thanks for the suggestions - we had already seen and tried both of these.
The problem I am describing is that we are unexpectedly seeing traffic sourced from the cluster VIP address on the VLAN and not from the VLAN interface on the active node. This is not what the RSA server is expecting, as sdconf.rec is defined with both the node's VLAN interface addresses.
Time sync is not an issue. Both the RSA server and the SA cluster are synced to the same NTP source.
Customer has deleted node secret on the RSA server several times, as well as deleting and re-creating the node definition. Each time we create and import a new sdconf.rec, but the result is always the same.
As for KB26789, I am not sure how old this is, but it is just not possible to install two sdconf.rec files to a clustered IVE. Maybe it once was, but it simply can't be done now. In any case, we are following the method described in the Solution section to the letter. (By the way, has anyone got any idea what the graphic in KB26789 is there for???).
We never get to see a node verification file, because the RSA server does not allow the SA to authenticate its first client.