Logon App failing to connect

Started rolling out AuthPoint on my servers over the weekend and a couple of them won't allow me to log on with the error:

"Your computer must be connected to the Internet the first time you log on. Make sure your computer has an Internet connection and try again"

Even though the Servers do have an Internet connection and I see the authentication request going through the firewall.

2023-01-17 08:08:09 Allow 10.0.0.8 13.224.2.23 https/tcp 63488 443 Trusted Comcast WAN HTTPS Request (HTTPS-proxy-Outgoing-DPI-00) HTTPS DPI Outbound proc_id="https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS DPI Outbound" tls_profile="TLS-Client-HTTPS.Standard.1" tls_version="TLS_V12" sni="desktop.authpoint.usa.cloud.watchguard.com" cn="desktop.authpoint.usa.cloud.watchguard.com" cert_issuer="CN=Amazon,OU=Server CA 1B,O=Amazon,C=US" cert_subject="CN=desktop.authpoint.usa.cloud.watchguard.com" action="allow" app_id="0" app_cat_id="0" sig_vers="18.246" sent_bytes="879" rcvd_bytes="13858" geo_dst="USA" Traffic
2023-01-17 08:08:10 Allow 10.0.0.8 13.224.2.23 https/tcp 63488 443 Trusted Comcast WAN Application identified 133 128 (HTTPS-proxy-Outgoing-DPI-00) proc_id="firewall" rc="100" msg_id="3000-0149" fqdn_dst_match="watchguard.com" src_ip_nat="xxx.xxx.xxx.xxx" tcp_info="offset 5 A 2939846435 win 4896" app_id="350" app_name="HTTP Protocol over TLS SSL" app_cat_id="19" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" action="XXXX" sig_vers="18.246" route_type="SD-WAN" geo_dst="USA" Traffic

Any ideas how to resolve this as I am unable to access these servers.

Thanks!

  • Doug

It's usually something simple.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @shaazaminator

    Does your network allow access to resources when users are not logged in? (Are you using policies that require users be authenticated to get to the internet?)

    I also see your rule mentions DPI -- does authentication work if content inspection is turned off for those specific servers?

    It's likely there's just not an exception in place that needs to be there for those servers -- you'll usually see that via the FQDN and SNI lines in the logs.

    If you need assistance figuring out what one is missing in your situation I'd suggest opening a support case. It's also possible that there's just another problem happening.

    -James Carson
    WatchGuard Customer Support
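
The check described in the comment above (finding the FQDN and SNI values in the firewall logs and seeing which policy and proxy action handled them), as an added example that is not part of the thread and not WatchGuard's own tooling. It assumes traffic-log lines in the layout shown in the original post; the function names are hypothetical.

```python
import re

# The two traffic-log lines from the post, trimmed to the relevant fields,
# plus one constructed line for an unrelated destination (192.0.2.10).
SAMPLE_LOG = '''
2023-01-17 08:08:09 Allow 10.0.0.8 13.224.2.23 https/tcp 63488 443 Trusted Comcast WAN HTTPS Request (HTTPS-proxy-Outgoing-DPI-00) proc_id="https-proxy" proxy_act="HTTPS DPI Outbound" tls_profile="TLS-Client-HTTPS.Standard.1" sni="desktop.authpoint.usa.cloud.watchguard.com" action="allow"
2023-01-17 08:08:10 Allow 10.0.0.8 13.224.2.23 https/tcp 63488 443 Trusted Comcast WAN Application identified 133 128 (HTTPS-proxy-Outgoing-DPI-00) proc_id="firewall" fqdn_dst_match="watchguard.com" action="XXXX"
2023-01-17 08:08:11 Allow 10.0.0.8 192.0.2.10 https/tcp 63490 443 Trusted Comcast WAN HTTPS Request (HTTPS-proxy-Outgoing-DPI-00) proc_id="https-proxy" proxy_act="HTTPS DPI Outbound" sni="example.com" action="allow"
'''

HEAD_RE = re.compile(r'^\S+ \S+ (\w+) (\S+) (\S+) \S+ (\d+) (\d+) ')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
POLICY_RE = re.compile(r'\(([^)]+)\)')


def parse_line(line):
    """Split one traffic-log line into header values and key="value" fields."""
    head = HEAD_RE.match(line)
    if head is None:
        return None  # blank line or a layout this example does not handle
    rec = dict(FIELD_RE.findall(line))
    rec["disposition"], rec["src"], rec["dst"] = head.group(1, 2, 3)
    # Source IP/port and destination IP/port tie the proxy and firewall lines together.
    rec["conn"] = (head.group(2), head.group(4), head.group(3), head.group(5))
    policy = POLICY_RE.search(line)
    rec["policy"] = policy.group(1) if policy else None
    return rec


def flows_for_domain(log_text, domain="watchguard.com"):
    """Group lines per connection; keep those whose SNI/CN/FQDN falls under domain."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flow = flows.setdefault(rec["conn"], {
            "src": rec["src"], "dst": rec["dst"], "names": set(),
            "policy": rec["policy"], "proxy_act": None, "tls_profile": None})
        flow["names"].update(rec[k] for k in ("sni", "cn", "fqdn_dst_match") if rec.get(k))
        for k in ("proxy_act", "tls_profile"):
            flow[k] = rec.get(k, flow[k])  # keep the value seen on the proxy line
    return [f for f in flows.values()
            if any(n == domain or n.endswith("." + domain) for n in f["names"])]


if __name__ == "__main__":
    for f in flows_for_domain(SAMPLE_LOG):
        print(f["src"], "->", sorted(f["names"]), "policy:", f["policy"],
              "proxy action:", f["proxy_act"], "TLS profile:", f["tls_profile"])
```

Each reported flow shows which policy and proxy action handled the AuthPoint hostname, which is what to compare against the exception list for those servers.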

  • Hey James,

    No, no policies that require a user to be logged in for Internet access.

    Did move the IPs of the servers to a different HTTPS Proxy to avoid the DPI, but that didn't work either.

    Which exceptions and log files are you referring to? I checked the Event Logs on the servers but no errors were reported relating to this.

    It's usually something simple.

  • Opened a support ticket.
    I'll post the answer when I have it.

    It's usually something simple.

  • I saw the same issue with a VM I migrated from Hyper-V to VMware where it also had internet access. With AuthPoint client 2.7x this worked, but it fails with version 2.8.

    /Robert

  • The issue resolved itself. It just started working as designed. Don't know why.
    Support was thinking it was DNS related but never got around to testing and verifying that.
    Since it's working I'm not going to mess with it.

    It's usually something simple.

  • james.carson Moderator, WatchGuard Representative

    @shaazaminator
    Just note your case number -- if it does pop back up you can just re-open it by replying to it without having to start over on that issue.

    -James Carson
    WatchGuard Customer Support
