ProxySG & Advanced Secure Gateway

  • 1.  Proxy ASG Authentication broke after upgrade from 6.6.5.16 > 6.7.2.1 > 6.7.5.6

    Posted Jul 25, 2020 05:18 AM
    Need help as we had a failed upgrade of our Proxy ASG S200-40 appliance yesterday. We were running version 6.6.5.16 and, as recommended by the TAC team, we proceeded with the upgrade path first to 6.7.2.1 and then to 6.7.5.6. After the first upgrade to 6.7.2.1 everything was working well. Post upgrade to 6.7.5.6, LDAP stopped working and we lost access to the device. We logged in with local credentials. However, we see that IWA and LDAP are failing, even though the domain still stayed joined. Very unfortunately, we won't be able to join the domain again due to some DC-level changes that happened for all the accounts. We tried to create a temp service account; however, joining the domain still says access denied.
    1. Has anyone faced the same issue before?
    2. Luckily we had two appliances in HA and one is working now in production, which is already joined to the domain and working fine. (Why don't the domain controller level changes affect the working proxy?)
    3. Is there any way to know the account or username used from the working proxy to join the domain? The last domain join happened way before my tenure with the client, and no one has the username or password information that was used.


    Awaiting urgent help!!


  • 2.  RE: Proxy ASG Authentication broke after upgrade from 6.6.5.16 > 6.7.2.1 > 6.7.5.6

    Broadcom Employee
    Posted Jul 27, 2020 10:54 AM
    Hi Deepak,

    There are different steps required in joining and rejoining the domain than to just being joined to the domain, and so I have seen a lot of times where maybe a DNS server or LDAP server is down, but it isn't noticed until upgrading, when the ASG is trying to rejoin the domain. For example, the first step in joining a domain is the ASG reaching out over DNS for an SRV record. If there is something wrong with the SRV record, or if other DC changes were made that would prevent you from joining the domain, you will not notice until the domain needs to be rejoined, and any existing appliances already joined to the domain (like your two HA appliances) would not know anything was wrong unless they themselves tried to rejoin the domain.

    I guess a good analogy of this would be the starter on your car. If your car is already on, and you have a bad starter, you won't notice until the next time you try and start the car. For a car, it may be a few hours, or whenever you are low on gas and need to fill up again. For a ProxySG / ASG, it can literally be months (or it sounds like maybe years in your case) before you would try and rejoin the domain again.

    If you are getting an access denied message, then it sounds like an account was misconfigured in AD, and so you will want to work with that team to figure out why you are denied. As far as knowing the username and password, there is not a way to find that out from the ProxySG.

    For more reference on authentication, see this guide.

    Thanks!


  • 3.  RE: Proxy ASG Authentication broke after upgrade from 6.6.5.16 > 6.7.2.1 > 6.7.5.6

    Posted Aug 04, 2020 01:21 AM
    Thanks Jacob..
    We managed to resolve the issue. The root cause for the IWA failure (domain rejoin) was the account-level settings at the AD end. The account that was used to join the domain doesn't have enough privileges now to join the domain. So we worked with the AD team, set up a new account and got it to join the domain. (I was wondering how it works with existing proxies with an account which doesn't exist. I understood the analogy of the starter, but for the IWA realm, security group lookups happen using the domain, and it doesn't try to reauthenticate or revalidate the domain account and credentials? Maybe I am ignorant of how this AD domain account works?)

    Though the issue is resolved, a few things are still unanswered:
    1. On this point, "We tried to create a temp service account however we still joining domain says access denied." - We had a complex password set up for the temp account. However, we changed it to a simple password and it started working. In the non-working password we had an "X" letter. Not sure if that is being considered as a Cyrillic character as mentioned in one of the KB articles.
    2. Why the LDAP realm was not working: we could not find any DNS requests or port 636 requests sent to the LDAP servers, even from a PCAP, though the DNS servers configured were working fine.

    Anyhow, we upgraded the second proxy as well. The only change in the plan was that we rejoined the domain first with the new account and then upgraded, and no issues were observed from the LDAP realm or anything else. All went smoothly.
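Point 1 above leaves open whether the rejected temp password contained a character that only looked like a Latin "X". A quick way for an administrator to settle that before retrying a join is to inspect the password as it was actually typed or pasted, since a Cyrillic letter such as U+0425 renders identically to the ASCII letter. The following is an added example, not code from the thread or from Broadcom: it reports every non-ASCII character in a secret with its code point and Unicode name, flags Cyrillic letters specifically, and offers an NFKC-normalized view for cases where the problem is a composed accent rather than a look-alike letter. The sample passwords are constructed placeholders.

```python
import unicodedata
from typing import List, Tuple

# One finding: (index, character, code point label, Unicode character name)
Finding = Tuple[int, str, str, str]


def non_ascii_chars(secret: str) -> List[Finding]:
    """Return every character outside printable ASCII (0x20-0x7E) with its
    position, code point and Unicode name. An empty list means plain ASCII."""
    findings = []
    for i, ch in enumerate(secret):
        if ord(ch) < 0x20 or ord(ch) > 0x7E:
            findings.append((i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return findings


def has_cyrillic(secret: str) -> bool:
    """True if any character's Unicode name places it in the Cyrillic script."""
    return any(unicodedata.name(ch, "").startswith("CYRILLIC") for ch in secret)


def normalized_form(secret: str) -> str:
    """NFKC form of the secret: composed accents and compatibility characters
    are folded, which is how some systems store or compare the value."""
    return unicodedata.normalize("NFKC", secret)


def describe(secret: str) -> str:
    """Human-readable summary suitable for an admin checking a pasted secret."""
    findings = non_ascii_chars(secret)
    if not findings:
        return "plain ASCII"
    parts = [f"pos {i}: {cp} {name}" for i, _ch, cp, name in findings]
    cyr = " (contains Cyrillic)" if has_cyrillic(secret) else ""
    return "non-ASCII" + cyr + ": " + "; ".join(parts)


# Constructed sample secrets (placeholders, not real credentials).
ASCII_SECRET = "Sum#3rX9!"           # Latin capital X, U+0058
LOOKALIKE_SECRET = "Sum#3r\u04259!"  # Cyrillic capital HA, U+0425, renders like "X"

if __name__ == "__main__":
    for s in (ASCII_SECRET, LOOKALIKE_SECRET):
        print(repr(s), "->", describe(s))
```

Run it against the password exactly as it is entered into the join dialog (copy it from the same place), since a password manager or a document often carries the look-alike character while the plain text appears identical.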

  • 4.  RE: Proxy ASG Authentication broke after upgrade from 6.6.5.16 > 6.7.2.1 > 6.7.5.6

    Posted Jul 30, 2020 02:00 PM
    TAC is not supporting this issue? No problem. I recommend you upgrade to 6.7.5.5, which is more stable than 6.7.5.6; it will resolve the issue. Roll back and do the upgrade...