User approves push notification but is never connected to the VPN

I have had this happen now with many different users.
User opens the VPN with SSL client. Logs on, approves the push notification. The logging messages on screen cycle like the logon process is continuing. Then shortly thereafter the user is taken back to the VPN logon prompt with no error messages displayed and they are NOT connected to the VPN.

The AuthPoint audit log shows the event was approved:
Request Id: 0982a36f-98ba-4bd5-9b0d-9a810f156c5f
Push Information:
Generated in 73ms.
Delivered in 867ms.
Answered in 3406ms.

The Gateway logs show success as well:
2022-02-10 07:36:01 INFO [pool-1-thread-70] c.w.a.r.s.AuthenticationService - Authentication request received - HttpStatus: 200 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f

2022-02-10 07:36:01 INFO [pool-1-thread-70] c.w.a.r.s.AuthenticationService - Waiting for push answer - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - RequestId: 0982a36f-98ba-4bd5-9b0d-9a810f156c5f - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f

2022-02-10 07:36:02 INFO [pool-1-thread-70] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - HttpStatus: 202 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f

2022-02-10 07:36:05 INFO [pool-1-thread-70] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - HttpStatus: 202 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f

2022-02-10 07:36:08 INFO [pool-1-thread-70] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - HttpStatus: 200 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f

2022-02-10 07:36:08 INFO [pool-1-thread-70] c.w.a.r.flow.AuthenticationFlowImpl - Authentication successful - Protocol: PAP - Username: (username removed) - ResourceId: 23363. - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f

This all happens within about 15 seconds at most. Well within the 30 second timeout of the VPN client.

We tried "sync token" in the AuthPoint app but that did not help. We tried once after the user performed the Sync Token and the same thing happened.

We uninstalled the VPN client (12.7.0) and installed the latest (12.7.2) and the user got on with their first attempt.

Any idea how to permanently fix this? All logs are showing successfully authenticated but the client is NOT connected.

M370 running 12.7.2 Update 1
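
The gateway lines quoted above can be grouped by Request-Id to show how long each request took and whether it ended in "Authentication successful" inside the client's 30 second timeout. This is an added example, not part of the original post and not WatchGuard code; the function name `summarize` and the second request in the sample (Request-Id 11111111-...) are constructed for illustration, and the line layout is assumed from the lines quoted in the post.

```python
import re
from datetime import datetime

# Line layout assumed from the gateway lines quoted in the post.
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \[[^\]]+\] \S+ - (.+?) - "
    r".*Request-Id:\s*([0-9a-f-]{36})\s*$"
)
CLIENT_TIMEOUT_S = 30  # VPN client timeout stated in the post

# First six lines are from the post; the last three are a constructed request
# whose push is never answered.
SAMPLE = """\
2022-02-10 07:36:01 INFO [pool-1-thread-70] c.w.a.r.s.AuthenticationService - Authentication request received - HttpStatus: 200 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f
2022-02-10 07:36:01 INFO [pool-1-thread-70] c.w.a.r.s.AuthenticationService - Waiting for push answer - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - RequestId: 0982a36f-98ba-4bd5-9b0d-9a810f156c5f - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f
2022-02-10 07:36:02 INFO [pool-1-thread-70] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - HttpStatus: 202 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f
2022-02-10 07:36:05 INFO [pool-1-thread-70] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - HttpStatus: 202 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f
2022-02-10 07:36:08 INFO [pool-1-thread-70] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: ba1c0b87-caff-44d9-81d4-cd1858e8230e - HttpStatus: 200 - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f
2022-02-10 07:36:08 INFO [pool-1-thread-70] c.w.a.r.flow.AuthenticationFlowImpl - Authentication successful - Protocol: PAP - Username: (username removed) - ResourceId: 23363. - Request-Id:0982a36f-98ba-4bd5-9b0d-9a810f156c5f
2022-02-10 07:40:00 INFO [pool-1-thread-71] c.w.a.r.s.AuthenticationService - Authentication request received - HttpStatus: 200 - Request-Id:11111111-2222-3333-4444-555555555555
2022-02-10 07:40:03 INFO [pool-1-thread-71] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee - HttpStatus: 202 - Request-Id:11111111-2222-3333-4444-555555555555
2022-02-10 07:40:36 INFO [pool-1-thread-71] c.w.a.r.service.PushResultService - Polling for Push Response - TransactionId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee - HttpStatus: 202 - Request-Id:11111111-2222-3333-4444-555555555555
"""

def summarize(log_text, timeout_s=CLIENT_TIMEOUT_S):
    """Group gateway lines by Request-Id and report how each request ended."""
    seen = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line in another layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        r = seen.setdefault(m.group(3), {"first": ts, "last": ts, "polls": 0, "ok": False})
        r["first"], r["last"] = min(r["first"], ts), max(r["last"], ts)
        if m.group(2) == "Polling for Push Response":
            r["polls"] += 1
        elif m.group(2) == "Authentication successful":
            r["ok"] = True
    report = {}
    for rid, r in seen.items():
        elapsed = int((r["last"] - r["first"]).total_seconds())
        report[rid] = {"elapsed_s": elapsed, "polls": r["polls"], "authenticated": r["ok"],
                       "within_timeout": r["ok"] and elapsed <= timeout_s}
    return report

if __name__ == "__main__":
    for rid, info in summarize(SAMPLE).items():
        print(rid, info)
```

A request reported as authenticated and within the timeout, like the one from the post, means the gateway side completed in time for that attempt.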

Comments

  • james.carson Moderator, WatchGuard Representative

    It would seem based on that log that the customer's push acceptance isn't getting back to AuthPoint.

    -If the customer is on cell data, try having them go to Wi-Fi or vice-versa.
    -If the customer has mobile data turned off, please try turning that on.

    -James Carson
    WatchGuard Customer Support

  • But if they are getting the push notification that tells me their network connection is working.

  • james.carson Moderator, WatchGuard Representative

    Hi @JoshuaThompson
    The connection is working from the cloud -> the phone, but not the other way around. The push to the phone, and the phone responding are two different steps.

    -James Carson
    WatchGuard Customer Support

  • The second log above repeatedly shows "PushResultService - Polling for Push Response -" and then the last line is the "Authentication successful".
    Doesn't this indicate that the push notification was received back?

  • james.carson Moderator, WatchGuard Representative

    @JoshuaThompson
    I think the email view I was responding to was truncating your logs. My apologies. (I should have checked that.)

    If authentication is successful (and is showing as such on the firewall) it's likely not AuthPoint causing the issue.

    If you allow an alternate authentication server (such as Firebox-DB) and log in as firebox-db\user from the SSLVPN, does the user see the same behavior?

    -Getting the logs from the SSLVPN client itself may help determine what the issue is. You can do that via right-clicking on the system tray (the W in a magnifying glass) and selecting view logs. (Do not post them here, as your IP and username will be all over those logs.)

    -I searched your display name and found an open support case for the same issue. It looks like the technician suspects that the issue may be elsewhere and was trying to get more information. Would it be possible to reply to them so that they can continue working on your case with you?

    -James Carson
    WatchGuard Customer Support

  • Yes, that works for me. Thank you James!
