New local users created not working on FW Active but yes working on FW Passive

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

New local users created not working on FW Active but yes working on FW Passive

L4 Transporter

Hello team

Currently, I have a pair of FW 1410 Version: 11.0.4-h2, passive active and I have encountered the following problem

When creating new local users, with permissions, superuser I can not access via SSH to them locally but I can do it via GUI and all other users created previously.i.e. Users created some time ago in the FW are working correctly via GUI or CLI.

 

In the Passive FW I have no such problem, I can access at the time of creating new local users via CLI or GUI. Also I tried to do a failover and the FW that now is Passive works fine also on Active mode.Then the problem is always located in the same FW, whether it is passive or active.

I have already restarted the FW and loaded a new configuration file without success.

Any ideas?

The error CLI

Alpalo_0-1718722651633.png

System logs in FW Active looks like everything is fine.:-(

Alpalo_1-1718722724774.png

Regards

 

6 REPLIES 6

Community Team Member

Hi @Alpalo ,

 

Could you try the following solutions:

In a HA pair, secondary Firewall's ssh connectivity(management port ) is lost

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks for your answer, the strange thing is that with old created users the access works correctly, it does not work with locally created and newly created users. do you undesrtand me?

L0 Member

Are you using the management interface to connect to the firewalls or data interfaces?

 

Because it seems to me that you may have an interface management profile with SSH allowed on the firewall where it works, but not on the other firewall. Interface management profile does not sync in an A/P HA.

 

Any useful information from the logs on the firewall where you can't access the GUI?

Hello,

No, it's not that, SSH is active in both and in the logs you can see that the user logs in correctly 😞

Greetings.

Cyber Elite
Cyber Elite

@Alpalo,

When you're looking at the "active" firewall that isn't allowing SSH login (which I'm just going to term non-functional) and compare it to the "passive" firewall (which is hence forth functional) have you run a configuration audit between the two to validate that they're actually configured the same? That's where I would start, so you can validate that none of the non-sync'd information between the two isn't accounting for the issue as @FadiSakkal11 mentioned. Nothing should be causing the issue that you described, but sometimes people get so locked into the issue that they overlook something simple.

 

It honestly sounds like you're not actually creating Superuser accounts and the accounts created don't actually have a CLI role assigned. That would fit the error that you're seeing alongside the fact that you're seeing a successful auth log. When you say that you have already restarted the firewall, what exactly did you restart? Did you restart the entire box, or did you just restart the management-server?

The configuration is identical.

  • 891 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!