Jim,

I'll take a stab at it.

Yes, it might be a licensing issue. If you clear the
$FWDIR/database/fwd.hosts and it worked, my
guess is that you had exceeded your licensing of
50 or 80 users. Look in /var/adm/messages for
any indications of this.

I do not know how CP handles the expiring of
multiple licenses when one is an eval and one
is permanent/timed. How old is the 30 day license?

If there aren't any clear indicators of license violations,
write back to the list and include your network layout,
which interface(s) is/are licensed and any other
messages found above, which may help explain
what's going on.

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> Jim Robinson <[EMAIL PROTECTED]> 9/29/00 12:51:33 AM >>>
>
>I have a problem and was wondering if someone could help me out. I have a CP
>4.1 NT box with a perm 50 user lic and a temp (30 day) unlimited lic.
>Everything was working fine until last week or so when several users could
>not access http from the internet. Upon inspection I found that the session
>auth agent was failing to validate fw-1 user id's that had a specified
>"from" and "to" network. A temporary solution seemed to be deleting the
>fwd.hosts file. Everything worked for about a day and then it blew up again.
>Fw-1 users that did not have a "from" or "to" net defined (ie any, any) were
>unaffected and are allowed to all URLs.
>
>My rule looks like this.
>#      SRC             DST     SERVICE         Action
>19     all users@any   any     http https pop-3 ftp    session auth
>
>Session auth properties are:
>Src. intersect with user DB
>Dest. intersect with user DB
>Contact agent at . SRC
>No policy server
>
>
>The alerts I'm getting when a user fails to connect with the session agent
>is:
>Rule 19 Connection to session agent failed, and
>User is not in the right group
>
>For example I have 2 users:
>admin  src:    any             dst:    any
>user1  src:    valid_nets      dst:    .americanexpress.com .epx.com
>
>Could this be a licensing issue? 
>Why is the admin user unaffected by this? 



