Remote Access clients cannot connect to Security Gateway when Multi Factor Authentication (MFA) is enabled

Support Center > Search Results > SecureKnowledge Details

Remote Access clients cannot connect to Security Gateway when Multi Factor Authentication (MFA) is enabled

Technical Level

Solution ID	sk168493
Technical Level
Product	Mobile Access / SSL VPN, IPSec VPN
Version	R80.10, R80.20, R80.30, R80.40
Date Created	05-Aug-2020
Last Modified	03-Sep-2020

Symptoms

VPN Remote Access clients that do not support Multi Factor Authentication (MFA), such as Mac OS and iOS, cannot connect as Remote Access clients, if Multiple login options (MFA) is enabled (while older clients are allowed to connect without MFA) after upgrade to:
- R80.40 Jumbo Hotfix Take 48
- R80.30 Jumbo Hotfix Take 210
- R80.20 Jumbo Hotfix Take 156
- R80.10 Jumbo Hotfix Take 275
Same issue happens on base install of R80.30 for Quantum appliances.
The vpnd.elg file shows:

[vpnd ...]@GW[DATE TIME][CLIENT_CONFIG] CCCMultiLoginOption::getRealmById: login option = vpn [vpnd ...]@GW[DATE TIME][CLIENT_CONFIG] CCCMultiLoginOption::isLoginOptionIDAllowed: vpn this realm is not allowed for the client [vpnd ...]@GW[DATE TIME][CLIENT_CONFIG][tunnel] InitXAuthConnectAuAuth Invalid realm. Aborting

OR

[vpnd ...]@GW[DATE TIME][CLIENT_CONFIG][CLIENT_CONFIG] CCCMultiLoginOption::isLoginOptionIDAllowed [vpnd ...]@GW[DATE TIME][CLIENT_CONFIG][CLIENT_CONFIG] CCCMultiLoginOption::getRealmById: login option = [vpnd ...]@GW[DATE TIME][CLIENT_CONFIG][CLIENT_CONFIG] CCCMultiLoginOption::isLoginOptionIDAllowed: does not exist [vpnd ...]@GW[DATE TIME][CLIENT_CONFIG][tunnel] FwIkeP1FetchUser Invalid realm. aborting
For Site-to-Site tunnels with DAIP gateway, vpnd.elg shows:

[vpnd ...]@GW[DATE TIME][tunnel] < FWIKE_EXCH_MAIN_MODE > Id = XXXXX [vpnd ...]@GW[DATE TIME][tunnel] < FWIKE_MM_PACKET_5_FETCH_PEER > Id = XXXXX [vpnd ...]@GW[DATE TIME][tunnel] MMProcess5FetchPeer: stage=0; idType=9; {{ peer_cannot_be_user=1; peer_cannot_be_dag=0;}} {{ peer_is_mobile_ip=0; peer_is_dag=0; peer_cannot_be_lsv=1; peer_is_lsv=0}} [vpnd ...]@GW[DATE TIME][tunnel] FwIkeP1FetchDaip: entering ... [vpnd ...]@GW[DATE TIME][tunnel] FwIkeP1FetchUser Invalid realm. aborting [vpnd ...]@GW[DATE TIME][tunnel] RespMMPacketError: error in FWIKE_EXCH_MAIN_MODE - FWIKE_MM_PACKET_5_FETCH_PEER [vpnd ...]@GW[DATE TIME][tunnel] TalkToEngine: Engine RC is << FWIKE_ERROR >> [vpnd ...]@GW[DATE TIME][tunnel] TalkToEngine: received Error reply from Engine

Solution

Note: To view this solution you need to Sign In .

©
Copyright | Privacy Policy