We have three locations set up for Location Awareness: Off Network, VPN, On Network. Here are the rules for each:
Off Network (Default) – this has no rules – Firewall is highly restricted
VPN – does the IP address of the client match the VPN IP range, and does the client have a gateway that matches the VPN gateway – Firewall is somewhat open but still restricted
On Network – the IP address should not match a VPN IP range, and can the client resolve a DNS IP address – Firewall is not restricted and open
We are using Juniper SSL VPN. We are seeing an issue. When my laptop connects to the VPN and the Location Awareness kicks in it changes the Location to VPN (which is correct) but then right after the location change the VPN gets disconnected for a couple seconds.
Is anyone else seeing this?
When the Location Awareness kicks in and changes policies, does or can the Firewall block all traffic until the new policy is applied?
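An added example, not part of the original post: a Windows PowerShell script that re-evaluates the three location conditions listed above on the client itself (IP in the VPN pool plus VPN gateway; no VPN address plus an internal name that resolves; otherwise the default), so the answer can be compared against the location SEP actually selected. The VPN address pool, the VPN gateway and the internal-only DNS name are placeholders, not values from the thread. It uses Get-WmiObject so it runs on the XP/Win7-era clients discussed here.

```powershell
# Added example (not SEP code): apply the Off Network / VPN / On Network
# rules from the post to the local adapters. All three values below are
# assumptions - replace them with your own environment's values.
$VpnRange   = '10.200.0.0/16'      # assumed VPN client address pool
$VpnGateway = '10.200.0.1'         # assumed VPN-side default gateway
$OnNetName  = 'sepm.corp.example'  # assumed name that only resolves on the LAN

function ConvertTo-IPv4Number {
    # Dotted quad -> 32-bit number (held in a UInt64 to avoid sign trouble)
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-IPv4InRange {
    # True when $Ip falls inside the CIDR block $Cidr, e.g. 10.200.0.0/16
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $blockSize  = [math]::Pow(2, 32 - [int]$bits)
    $a = [math]::Floor((ConvertTo-IPv4Number $Ip)  / $blockSize)
    $n = [math]::Floor((ConvertTo-IPv4Number $net) / $blockSize)
    return ($a -eq $n)
}

function Get-ExpectedLocation {
    # Walk every IP-enabled adapter and apply the rules in policy order
    $cfgs  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $onVpn = $false
    $v4    = @()
    foreach ($c in $cfgs) {
        $addrs = @($c.IPAddress) | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
        $gws   = @($c.DefaultIPGateway)
        foreach ($ip in $addrs) {
            $v4 += $ip
            # VPN rule: address in the VPN pool AND the VPN gateway is present
            if ((Test-IPv4InRange $ip $VpnRange) -and ($gws -contains $VpnGateway)) { $onVpn = $true }
        }
    }
    if ($onVpn) { return 'VPN' }

    # On Network rule: no address in the VPN pool AND the internal name resolves
    $inVpnPool = @($v4 | Where-Object { Test-IPv4InRange $_ $VpnRange }).Count -gt 0
    $resolves  = $false
    try { $resolves = ([System.Net.Dns]::GetHostAddresses($OnNetName)).Count -gt 0 } catch { }
    if (-not $inVpnPool -and $resolves) { return 'On Network' }

    # Nothing matched: the default location
    return 'Off Network'
}

"Addresses seen: $((Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object { $_.IPAddress }) -join ', ')"
"Expected location: $(Get-ExpectedLocation)"
```

Running this a few times right after connecting or disconnecting the VPN, alongside ipconfig /all, shows whether the adapters have really changed state; if this script already reports VPN while SEP is still on Off Network, the delay is inside the client's location checking rather than in the network stack.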
What version of SEP are you using?
Also are you facing this issue on specific OS or on all machines?
Change your VPN rule to check for the network adapter, not the IP range, and choose the Juniper SSL VPN adapter. It's normal and works as designed.
The version we are using is 12.1.1000.157 RU1.
We are seeing this across different Windows OSes - XP and Win7.
So you're saying that when the Location Awareness happens and the Firewall/IPS policy changes, there is a brief moment of Firewall 'lock-down'? If this is true, I see the disconnect about 10-15 seconds after the Location change.
When changing between locations due to your Location rules, the firewall rules are also affected by that. I have faced this problem many times.
We had a similar issue. After switching the location to VPN, it will disconnect and connect after a few seconds. There might also be a disconnection after some time.
Solution : Open the traffic log, look under VPN location for block, you will see a vpn process there, create a rule under VPN location's firewall allowing this process/file. This totally resolved our issue.
Let us know if that was helpful.
Thanks for your suggestion. I enabled all the logging I could. I could not find a "Block" while on the VPN location even though the connection seems to drop a few seconds after switching locations. I've looked through the Packet and Traffic logs after several VPN log-offs/log-ons.
Once again, nothing is being blocked (at least not according to the logs).
Symantec - when switching locations, does the Firewall block all until the other policy takes over?
No problem. You know the processes / files that you excluded for the VPN to connect, right? Use the same files here.
When switching locations, does the Firewall block all until the other policy takes over?
Switching location does not take long, it happens immediately. If you mean the default policy where the machine falls when not in any location, then it depends on your configuration for that location.
I'm sorry, but we really don't know what you mean by excluding files for the VPN. We have excluded other files from scanning or Tamper Protection but not from VPN.
Can you explain a little more in detail?
Switching location does not take long, it happens immediately.
It takes our location awareness well over a minute to switch from 'Off-Network' to 'VPN'. We have basic rules like IP address, Gateway, VPN connector checking.
Say for example, from off-net to connect to VPN, you would have used a few VPN processes, to enable it to identify and allow the connection to VPN.
If you couldn't identify this, give me the FW rule for off-net, i will try to check that. Or you can get that information from your network guys who configure VPN.
You are talking about the location conditions right? still it should not take that long. If it does, then there should be a problem. We need ALS debug logs to analyse that. But let us fix the first issue :)
Spoke with our Network guys - we've looked at SEP Traffic and Packet logs - conducted a WireShark capture and we still do not see anything being blocked.
We need ALS debug logs to analyse that.
What are ALS debug logs?
Sylink debugging must be enabled for Auto-Location Switching (ALS) debugging to work.
Enable ALS debugging:
1. Enable Sylink debugging.
2. Enable debugging for location-related entries by creating the following DWORD registry value, and setting it to 1:
   HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident\AutoLocationDump
3. Cycle SMC once more after modifying the registry in step 2, to fully enable the ALS debugging:
   a. Start, Run, type in 'smc -stop', click OK
   b. Wait for the system tray shield icon to disappear
   c. Start, Run, type in 'smc -start', click OK
Enabling this will create a file called "debug.log" in the Symantec Endpoint Protection program installation directory.
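An added example, not from the original post: the same procedure as a Windows PowerShell script run from an elevated prompt. It creates the AutoLocationDump DWORD named above, cycles SMC (waiting for the smc.exe process to exit, which is the same moment the tray shield disappears), and then follows debug.log for location entries. The installation directory and the Smc.exe location are assumptions; adjust them to your client, and enable Sylink debugging first as the post says.

```powershell
# Added example (not Symantec's own tooling). Paths are assumptions.
$InstallDir = "$env:ProgramFiles\Symantec\Symantec Endpoint Protection"  # assumed install dir
$Smc        = Join-Path $InstallDir 'Smc.exe'                           # assumed Smc.exe location
$Key        = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident'

# Step 2: create (or set) the AutoLocationDump DWORD = 1
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
Set-ItemProperty -Path $Key -Name 'AutoLocationDump' -Value 1 -Type DWord
# Same thing without PowerShell:
# reg add "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident" /v AutoLocationDump /t REG_DWORD /d 1 /f

# Step 3: cycle SMC. 'smc -stop' returns at once, so poll for the process to
# go away before starting it again. If your policy password-protects stopping
# the client, 'smc -stop' will prompt for that password.
& $Smc -stop
while (Get-Process -Name smc -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 1 }
& $Smc -start

# Follow debug.log in the install directory; ALS writes a line on each
# location check (every 4 seconds by default), so the switch is easy to time.
$Log = Join-Path $InstallDir 'debug.log'
while (-not (Test-Path $Log)) { Start-Sleep -Seconds 1 }
Get-Content -Path $Log -Wait | Select-String -Pattern 'Location', 'AutoLocation'
```

Pull the network cable (or connect the VPN) while the tail is running and note the timestamp of the last check that still reports the old address; the gap between that and the real network change is the delay the later posts in this thread are measuring. Remember to set AutoLocationDump back to 0 and cycle SMC again when done, since the log grows on every check.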
Thanks NRaj - this is some great information. I see in the debug.log where the AL is switching. It's still slow though.
If I unplug the network cable at 8:50:20 it still takes until about 8:50:50 to switch locations. Looking in the log file the AL is checking every 4 seconds. If I look at ipconfig /all there is no IP address even though the log file shows that the PC has an IP address. It's almost like the IP info is cached somewhere.
So it takes about 30-60 seconds to switch locations from 'Off Network' to 'On Network' and takes 60+ seconds to switch from 'Off Network' to 'VPN'
What I don't understand is the IP, Gateway, DNS, DHCP - all changes on the PC but SEP still is able to log the IP info for 30-60 seconds after the fact.
NRaj - is this normal or what you see?
4 seconds is the default check time. Good that it is not changed.
30 seconds is normal. But 60 seconds is a little high. In our environment the connection switches normally within 30 seconds.
If the PC is assigned a new IP address based on the location and SEP is not identifying it for some time, then see if you can create a case with Symantec. It may require quite some troubleshooting.
Hope the information was helpful.
NRaj - thanks so much for your time and help.
I've created a support ticket for this.
No Problem Dave. Glad that it was of some assistance.
Using the NIC Description as the mode definition is perfect for a VPN Location Awareness rule.
I'm trying to use the VPN NIC description in the LAR, but it doesn't work for me. I am using the FortiClient SSL VPN. Is the NIC Description obtained from the Description line after running IPconfig /all, or is it in the registry or on the network control panel?
I am using SEP 11.x
I believe you are talking about the conditions. Try to use the adapter name from the ipconfig /all description or the registry entry. Both work.
The registry entry should be something like ...../Tunnel established, with a DWORD value of 0 or 1 depending on the connection.
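An added example, not from the original answer: a Windows PowerShell snippet that prints the strings a client actually exposes for a VPN adapter, so the value typed into the Location Awareness condition can be copied rather than guessed. Win32_NetworkAdapter.Description is the same text ipconfig /all prints on its "Description" line; NetConnectionID is the name shown in the Network Connections folder, which is a different string. The 'Fortinet' filter is an assumption for FortiClient; drop it to list every adapter.

```powershell
# Added example (not SEP or Fortinet code). The filter is an assumption.
$Filter = 'Fortinet'

Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.Description -match $Filter -or $_.Name -match $Filter } |
    ForEach-Object {
        # Pull the matching IP configuration for this adapter by its Index
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($_.Index)"
        New-Object PSObject -Property @{
            Description    = $_.Description          # what ipconfig /all shows as "Description"
            ConnectionName = $_.NetConnectionID      # name in the Network Connections folder
            ServiceName    = $_.ServiceName          # driver service name
            Status         = $_.NetConnectionStatus  # 2 = connected, 7 = media disconnected
            IPAddress      = (@($cfg.IPAddress) -join ', ')
        }
    } | Format-List Description, ConnectionName, ServiceName, Status, IPAddress
```

Run it once with the tunnel up and once with it down: an SSL VPN adapter usually stays present but flips between Status 2 and 7, and the Description string is the one to paste into the condition, character for character.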
I'm using the FortiClient VPN but without certificates. I've checked the registry key and it is blank under the Tunnels registry key.
I want to add my vpn nic for both the location awareness and in the policies as a network adapter, but all the settings I have tried fail. I have tried the ipconfig /all description, and header lines, values in the network control panel, but nothing seems to work for any of these.
Does anyone have basic instructions on how to do this? FortiClient can be downloaded from the web if you could use this as an example.