AD users not able to connect to SSL_VPN, Local users connect correctly. Auth Method set correctly.
Hi all, I have checked through the forum but nothing has seemed to explain what is going wrong. Here is the log to start:
[ 2018/11/19 12:45:12 ][SecuExtender Agent][DETAIL] Build Datetime: Dec 22 2016/15:25:36
[ 2018/11/19 12:45:12 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Users\%Username%\SecuExtender.log
[ 2018/11/19 12:45:12 ][SecuExtender Agent][DEBUG] osvi.dwPlatformId = 2, osvi.dwMajorVersion = 6, osvi.dwMinorVersion = 2
[ 2018/11/19 12:45:12 ][SecuExtender Agent][DEBUG] interface guid: {F90AB50A-709D-44E6-A0AE-229DEA5DAC8F}, idx: 2
[ 2018/11/19 12:45:12 ][SecuExtender Agent][DEBUG] tBuf : (\DEVICE\TCPIP_{F90AB50A-709D-44E6-A0AE-229DEA5DAC8F})
[ 2018/11/19 12:45:12 ][SecuExtender Agent][DEBUG] network name got, idx: 18
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Checking service (first) ...
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] SecuExtender Helper is running
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Try to connect to SecuExtender Helper
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] SecuExtender Helper is connected
[ 2018/11/19 12:45:39 ][SecuExtender Agent][INFO] [ThyTech] try to login ***.***.***.***:443
[ 2018/11/19 12:45:39 ][SecuExtender Agent][INFO] Connect to ********:443
[ 2018/11/19 12:45:39 ][SecuExtender Agent][INFO] Local address is *********
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DEBUG] Connect success.
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 0
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] 1271 bytes of handshake data received
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] InitializeSecurityContext returns 0x90312
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Send 126 bytes of handshake data
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 1
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] 258 bytes of handshake data received
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] InitializeSecurityContext returns 0x0
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] SSL Handshake is successful
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Protocol: TLS1.2
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Cipher: AES256
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Cipher strength: 256
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Hash: SHA384
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Hash strength: 0
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Key exchange: 0xae06
[ 2018/11/19 12:45:39 ][SecuExtender Agent][DETAIL] Key exchange strength: 256
[ 2018/11/19 12:45:39 ][SecuExtender Agent][INFO] Server subject: CN=usg40_*******
[ 2018/11/19 12:45:39 ][SecuExtender Agent][INFO] Server issuer: CN=usg40_********
[ 2018/11/19 12:45:39 ][SecuExtender Agent][ERROR] **** Error 0x800b0109 authenticating server credentials! (0x0)
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] SSL session is created
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DEBUG] SSL Connection is going to be closed
[ 2018/11/19 12:45:40 ][SecuExtender Agent][INFO] user login device success
[ 2018/11/19 12:45:40 ][SecuExtender Agent][INFO] Creating secure tunnel to ***.***.***.***:443
[ 2018/11/19 12:45:40 ][SecuExtender Agent][INFO] Connect to ********:443
[ 2018/11/19 12:45:40 ][SecuExtender Agent][INFO] Local address is ********
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DEBUG] Connect success.
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 0
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] 1271 bytes of handshake data received
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] InitializeSecurityContext returns 0x90312
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] Send 126 bytes of handshake data
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 1
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] 258 bytes of handshake data received
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] InitializeSecurityContext returns 0x0
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] SSL Handshake is successful
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] Secure session is created
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] Secure session negotiation begin
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] stage 1...done
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] stage 2...done
[ 2018/11/19 12:45:40 ][SecuExtender Agent][WARN] The device is going to close the connection.
[ 2018/11/19 12:45:40 ][SecuExtender Agent][ERROR] stage 3...failed (0x0)
[ 2018/11/19 12:45:40 ][SecuExtender Agent][ERROR] Failed to create security tunnel (0x0)
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DEBUG] SSL Connection is going to be closed
[ 2018/11/19 12:45:40 ][SecuExtender Agent][INFO] Connect to ********:443
[ 2018/11/19 12:45:40 ][SecuExtender Agent][INFO] Local address is ********
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DEBUG] Connect success.
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 0
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] 1271 bytes of handshake data received
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] InitializeSecurityContext returns 0x90312
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] Send 126 bytes of handshake data
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 1
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] 258 bytes of handshake data received
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] InitializeSecurityContext returns 0x0
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] SSL Handshake is successful
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] STREAM_SIZE: Header: 13 Trailer: 16, MaxMessage: 16384
[ 2018/11/19 12:45:41 ][SecuExtender Agent][INFO] logout message has sent
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DEBUG] SSL Connection is going to be closed
[ 2018/11/19 12:45:41 ][SecuExtender Agent][DETAIL] Connection ends.
This just occurs with AD Users which validate properly within the GUI. Local users connect normally without issue.
This is a USG 40 running 4.32. Something similar is also occurring on a USG 20 - VPN
Auth Method is setup with Local and Group AD
Router Log just shows this
<table><tbody>
<tr><td>1</td><td>2018-11-20 11:51:25</td><td>notice</td><td>User</td><td>User ******(MAC=-) from http/https has logged out Device</td></tr>
<tr><td>2</td><td>2018-11-20 11:51:25</td><td>notice</td><td>SSL VPN</td><td>User ******* from http/https is connecting SSL tunnel.</td></tr>
<tr><td>3</td><td>2018-11-20 11:51:25</td><td>notice</td><td>User</td><td>User ******(MAC=-) from http/https has logged in Device</td></tr>
</tbody></table>
Server is 2012 R2 in both cases.
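The client log quoted in the post above, triaged programmatically (an added example, not part of the original post and not Zyxel tooling): it parses the SecuExtender log format and reports whether the session broke at certificate trust, at login, or at a tunnel negotiation stage. The sample lines are constructed from the format shown in the post, and 0x800b0109 is mapped to its documented Windows name, CERT_E_UNTRUSTEDROOT.

```python
import re

# Constructed sample in the client log format quoted in the post (values are placeholders).
SAMPLE = """\
[ 2018/11/19 12:45:39 ][SecuExtender Agent][INFO] Server subject: CN=usg40_EXAMPLE
[ 2018/11/19 12:45:39 ][SecuExtender Agent][INFO] Server issuer: CN=usg40_EXAMPLE
[ 2018/11/19 12:45:39 ][SecuExtender Agent][ERROR] **** Error 0x800b0109 authenticating server credentials! (0x0)
[ 2018/11/19 12:45:40 ][SecuExtender Agent][INFO] user login device success
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] stage 1...done
[ 2018/11/19 12:45:40 ][SecuExtender Agent][DETAIL] stage 2...done
[ 2018/11/19 12:45:40 ][SecuExtender Agent][WARN] The device is going to close the connection.
[ 2018/11/19 12:45:40 ][SecuExtender Agent][ERROR] stage 3...failed (0x0)
"""

LINE_RE = re.compile(r"\[ (?P<ts>[\d/]+ [\d:]+) \]\[[^\]]+\]\[(?P<level>\w+)\] (?P<msg>.*)")
# Windows status code seen in the log, mapped to its documented name.
CODES = {"0x800b0109": "CERT_E_UNTRUSTEDROOT"}

def parse(text):
    """Split on newlines or <br> separators and keep lines that match the log format."""
    rows = (LINE_RE.match(p.strip()) for p in re.split(r"<br>|\n", text))
    return [m.groupdict() for m in rows if m]

def triage(entries):
    """Summarise where the session broke: certificate trust, login, or tunnel stage."""
    r = {"subject_equals_issuer": False, "cert_error": None, "login_ok": False,
         "stages_done": [], "failed_stage": None, "closed_by_device": False}
    subject = issuer = None
    for e in entries:
        msg = e["msg"]
        if msg.startswith("Server subject: "):
            subject = msg.split(": ", 1)[1]
        elif msg.startswith("Server issuer: "):
            issuer = msg.split(": ", 1)[1]
        elif m := re.search(r"Error (0x[0-9a-fA-F]+) authenticating server", msg):
            r["cert_error"] = CODES.get(m.group(1).lower(), m.group(1))
        elif msg == "user login device success":
            r["login_ok"] = True
        elif "device is going to close the connection" in msg:
            r["closed_by_device"] = True
        elif m := re.match(r"stage (\d+)\.\.\.(done|failed)", msg):
            if m.group(2) == "done":
                r["stages_done"].append(int(m.group(1)))
            else:
                r["failed_stage"] = int(m.group(1))
    r["subject_equals_issuer"] = subject is not None and subject == issuer
    return r

if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the sample, the report separates two findings that the raw log interleaves: the client logged a certificate trust error yet went on to log in, and the tunnel was closed by the device at stage 3, after login had succeeded.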
All Replies
-
Hi @Thysmith,
AD user is able to establish SSL VPN to USG40.
Make sure ad-users is among the selected users in the SSL VPN policy.
If you’re using the default Authentication Method rule, make sure “group ad” is on the list.
If you create another rule (ex: new_auth) in Authentication Method with “group ad”, remember to select the newly created rule (ex: new_auth) in CONFIGURATION > System > WWW > Service Control > Authentication.
The latest firmware is sent to you in the private message.
If AD user is still unable to build SSL VPN, please feel free to let me know and send the remote access information to me via private message.
-
Hi Emily, Appears the Firmware update you sent me resolved the issue! Thank you so much!
-
I'm also having a similar issue, running firmware V4.32(ABAQ.0) on USG20-VPN
Is there a newer firmware?
-
Hi Emily, Some of my users are still having quite a bit of issues connecting. The new firmware you provided did have good results but it is still hit and miss. Any other suggestions?
-
@Thysmith
Regarding your description, some users faced the issue and others did not.
You may check the account with the issue on the device.
Go to AAA server, and press test.
If the account is in the AD group, the result will show as below
Or you need to make sure the account is already added in your own AD server.
Charlie
-
Haha, that is definitely not the issue.
What I am seeing is this:
I am actually now trying it with a Local User Account (Nick) and a Domain account (NickW).
They both show as logged in on this page of the router.
BUT
Ain't nobody home.
I get this but nothing else in the logs
(hope you can see that)
-
It appears that 4.33 dropped today and I noticed SE 4.0.3.0. So far things worked right after reboot, but I will test further and report back.