Remote Access users, when authenticated by UPN, are disconnected after a policy push
Symptoms
  • Remote Access users, when authenticated by UPN, are disconnected after a policy push. This occurs when the user authenticates with a certificate whose User Principal Name (UPN) field differs from its Email field.
  • In $FWDIR/log/vpnd.elg, the user sees:

    When the User successfully logs in using the UPN field

    [vpnd 19376 4082440128][24 Jan 16:27:12][tunnel]: Activating XAUTH for certificate
    [vpnd 19376 4082440128][24 Jan 16:27:12][tunnel] Certs for validation:
    [vpnd 19376 4082440128][24 Jan 16:27:12][tunnel] cert DN: Email=Bob.Junior@xyz.com,CN=Junior\, Bob,OU=Internal Users,OU=Users,OU=ABC,DC=XYZ,DC=LOCAL Other Name: principalName: juniorb@xyz.com

    When User Update occurs, or after pushing the policy:

    [vpnd 19376 4082440128][24 Jan 15:22:45][VPNIO] vpn_trap_multik: received UPDATE_ISAKMP_USER
    [vpnd 19358 4081756096][24 Jan 11:26:23][vpnd] vpn_update_isakmp_user: Check if realm was received from sa: vpn_POC-Login
    [vpnd 19358 4081756096][24 Jan 11:26:23][ucache] UCMem_get_by_name: Searching for *Email=Bob.Junior@xyz.com,CN=Junior\, Bob,*OU=Internal Users,OU=Users,OU=ABC,DC=XYZ,DC=LOCAL
    [vpnd 19358 4081756096][24 Jan 11:26:23][ucache] UCMem_get_by_name: Entry not found.
    [vpnd 19358 4081756096][24 Jan 11:26:23] fetch_user_with_sr_info: requesting au_realm_fetchuser with groups

    Or

    [vpnd 19353 4082116544][5 Jan 23:47:07][CPLDAPCL] escaping needed
    [vpnd 19353 4082116544][5 Jan 23:47:07][CPLDAPCL] Realm: vpn_POC-Login, UserLoginAttr from Realm: userPrincipalName
    [vpnd 19353 4082116544][5 Jan 23:47:07][CPLDAPCL] Query Filter: (&(objectclass=user)(userPrincipalName=Bob.Junior@xyz.com) ) (**Considering Email as UPN Field)
    [vpnd 19353 4082116544][5 Jan 23:47:07][vpnd] fwuserc_update_isakmp_user_S: user : Email=Bob.Junior@xyz.com,CN=Junior\, Bob,OU=Internal Users,OU=Users,OU=ABC,DC=XYZ,DC=LOCAL not found

  • Sometimes, although the VPN shows as connected, users cannot reach resources through it. When running zdebug, the following drops are captured:

    @;61687;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=17 10.111.64.1:61000 -> 10.9.1.115:53 dropped by vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;
    @;61761;[vs_0];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=17 10.111.64.1:61000 -> 10.9.1.115:53 dropped by vpn_inbound_tagging_ex Reason: check_userc_tables returns -1;
Cause
When a user update occurs, Check Point fetches the user details (fwuserc_update_isakmp_user) using the Email field of the certificate. It should instead fetch the user details using the UPN, because the authentication method used for login was UPN.

Note: Where the email and UPN field values are the same, there should not be issues.
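As an added example (not part of this SK and not Check Point's own tooling), the following Python script scans a vpnd.elg excerpt for certificate logins whose Email and principalName fields differ, i.e. the users exposed to this issue, and flags LDAP query filters in which an Email value was used as the userPrincipalName. The sample lines are constructed, modelled on the excerpts above.

```python
import re

# Constructed sample lines modelled on the vpnd.elg excerpts in this article.
SAMPLE_LOG = """\
[vpnd 19376 4082440128][24 Jan 16:27:12][tunnel] cert DN: Email=Bob.Junior@xyz.com,CN=Junior\\, Bob,OU=Internal Users,OU=Users,OU=ABC,DC=XYZ,DC=LOCAL Other Name: principalName: juniorb@xyz.com
[vpnd 19376 4082440128][24 Jan 16:30:02][tunnel] cert DN: Email=alice@xyz.com,CN=Alice,OU=Users,DC=XYZ,DC=LOCAL Other Name: principalName: alice@xyz.com
[vpnd 19353 4082116544][5 Jan 23:47:07][CPLDAPCL] Query Filter: (&(objectclass=user)(userPrincipalName=Bob.Junior@xyz.com) )
"""

# "cert DN: <dn> Other Name: principalName: <upn>" as logged at login time.
CERT_DN_RE = re.compile(r"cert DN: (?P<dn>.+?) Other Name: principalName: (?P<upn>\S+)")
# Email RDN inside the certificate DN (first RDN or after a comma).
EMAIL_RE = re.compile(r"(?:^|,)Email=([^,]+)")
# LDAP filter built during the user update (the lookup that fails).
FILTER_RE = re.compile(r"Query Filter: \(&\(objectclass=user\)\(userPrincipalName=([^)]+)\)")


def parse_cert_logins(log_text):
    """Return {email: upn} for every 'cert DN' line carrying a principalName."""
    logins = {}
    for m in CERT_DN_RE.finditer(log_text):
        em = EMAIL_RE.search(m.group("dn"))
        if em:
            logins[em.group(1).lower()] = m.group("upn").lower()
    return logins


def find_at_risk_users(log_text):
    """Emails whose certificate UPN differs from the Email field: these users
    hit the user-update lookup failure described in the Cause section."""
    return sorted(e for e, u in parse_cert_logins(log_text).items() if e != u)


def find_email_queried_as_upn(log_text):
    """Query filters where the userPrincipalName value is really a known Email
    value of a user whose UPN is different (the faulty fetch)."""
    logins = parse_cert_logins(log_text)
    hits = []
    for m in FILTER_RE.finditer(log_text):
        value = m.group(1).strip().lower()
        if value in logins and logins[value] != value:
            hits.append(value)
    return hits


if __name__ == "__main__":
    print("Users with UPN != Email:", find_at_risk_users(SAMPLE_LOG))
    print("Email used as UPN in LDAP filter:", find_email_queried_as_upn(SAMPLE_LOG))
```

Run it against a real $FWDIR/log/vpnd.elg instead of SAMPLE_LOG to list the users that will be disconnected by the next policy push until the fix or Hotfix is installed.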
Solution

This problem was fixed. The fix is included in:

If you choose not to upgrade, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

Hotfix installation instructions:
Refer to sk168597 - How to install a Hotfix.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
