02-25-2014 06:43 AM
We upgraded one of our 5020's from 4.1.13 to 5.0.11 about 2 weeks ago. Ever since then, we have been seeing an unusually high number of failed auths from Global Protect. Has anyone else experienced this?
The attached graph was made in Excel. I used this filter in PA ( eventid eq globalprotectgateway-auth-fail ) and ( receive_time geq '2014/02/01 00:00:00' ) to grab all of the GP failed auths from the System log, then graphed it out. You can clearly see when we performed the upgrade. I have verified that these extra failed auths are not coming from a single user(or even a few). It's spread out across all users. The weird thing is, we haven't had any complaints(yet) about Global Protect not working, it has also worked 100% of the time for myself.
02-25-2014 07:08 AM
Just to kinda help clarify, the graph depicts the date as right to left. The far right is before the upgrade, the left is after the upgrade.
02-25-2014 07:49 AM
Hello jambulo
Yes I see that the system logs indicate GP Auth failures, to know more information about each failure we can look at
less mp-log authd.log ( Click Shift + G to go down to the latest )
Here for each failure it would give the logs and a reason. If you can share logs of one such may be we can find more.
Thanks
02-25-2014 10:06 AM
jambulo maybe a pcap of a session with a failed auth and a successful auth combined with using the SSL private key and Wireshark can help unravel this too?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
