User sometimes can't login SSL VPN in USG5530s

Publication Date:  2014-08-30 Views:  36 Downloads:  0
Issue Description
After a customer configured the SSL VPN function on the USG5530, it worked normally. But sometimes none of the new users could log in to the SSL VPN virtual gateway, while users who had logged in before could still access the lab devices through the SSL VPN normally. After some time, all new users could log in to the SSL VPN again.
This is the topology:


When this issue occurred, the user could not log in to the SSL VPN, and the login process stayed at this step:


After more than ten minutes, the result was as follows.


The test result:

The related configuration in USG5530:

v-gateway china_gtac ip address 10.159.240.254
#****BEGIN***china_gtac**1****#
v-gateway china_gtac
basic
  ssl version sslv30+tlsv10
  ssl timeout 60
  ssl lifecycle 1440
  ssl ciphersuit custom aes256-sha des-cbc3-sha non-rc4-sha non-rc4-md5 aes128-sha non-des-cbc-sha
  logo &logo&.gif
  welcome &welcome&.txt
  title &title&.txt
service
  network-extension enable
  network-extension netpool 172.16.251.100 172.16.251.200 255.255.255.0
  network-extension mode manual
  network-extension manual-route 172.16.252.0 255.255.252.0
  network-extension manual-route 172.16.251.0 255.255.255.0
security
……
Alarm Information
None
Handling Process
(1) Most of the time users can log in to the SSL VPN, so it should not be a configuration error.
(2) The cause may be that the login users reached the maximum number. From the command “display license” we can see that a total of 60 users can log in to the SSL VPN concurrently.
<USG5500>display license
14:34:49  2014/08/30
Device ESN is: 2102xxxxHQZ0B6000075
The file activated is: hda1:/lic6047002844-a627d102f71_usg5530s.dat
The time when activated is: 2011/09/30  17:44:14 
VFW        : 15
SSL VPN Concurrent User: 60    //total 60 users can login SSL VPN concurrently.
IPS        : Enabled;   service expire time: 2017/09/29 
Anti Virus : Enabled;   service expire time: 2017/09/29
Anti Spam  : Enabled;   service expire time: 2017/09/29 
Pre-defined URL category query : Enabled;   service expire time: 2017/09/29
From the command “display onlineuser” we found that there were only 9 concurrent users, so this should not be the cause.

(3) So it should be another reason.
Check the version: it is the latest version (USG5500 V300R001C10SPC200) to date, so it should not be a known bug.
In the diagnose view, we found from the output of the command “display rtm user-list” that when this issue occurred, there was a user whose User Id was 0. When everything is normal, there is no user whose user id is 0.


Then we discussed with an R&D engineer and learnt that the maximum user id is 509. After the user id reaches 509, it goes back to 0. This is a bug: when a user with user id 0 exists, new users can't log in to the SSL VPN virtual gateway. After the user whose user id is 0 logs out (by being kicked off or expiring), new users can log in normally.
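The following model illustrates the wrap-around described above. It is an added example written for this article, not Huawei code, and it assumes (as an illustration only) that user id 0 doubles as the "no user" sentinel in the session table, so that a real session holding id 0 blocks new logins until it is released. The id limit 509 is the value stated by R&D; the sentinel semantics and the allocator structure are assumptions. The corrected allocator shows the straightforward fix: never issue the sentinel value.

```python
"""Model of the SSL VPN user-id wrap-around bug (added illustration, not device code)."""

MAX_USER_ID = 509   # stated in the article: ids run up to 509, then wrap
NO_USER = 0         # assumed: id 0 is the "empty slot" sentinel in the session table


class BuggyAllocator:
    """Hands out ids sequentially and wraps back to 0 after MAX_USER_ID."""

    def __init__(self):
        self.next_id = 1
        self.active = {}   # user id -> username of the live session

    def login(self, username):
        uid = self.next_id
        # modulo wrap lands on 0, which collides with the sentinel
        self.next_id = (self.next_id + 1) % (MAX_USER_ID + 1)
        self.active[uid] = username
        return uid

    def logout(self, uid):
        """Session ends (user logs out, is kicked off, or expires)."""
        self.active.pop(uid, None)

    def can_login(self):
        """Assumed gateway behaviour: refuse new logins while a session holds the sentinel id."""
        return NO_USER not in self.active


class FixedAllocator(BuggyAllocator):
    """Same scheme, but the counter skips the sentinel and wraps to 1."""

    def login(self, username):
        uid = self.next_id
        self.next_id = self.next_id + 1 if self.next_id < MAX_USER_ID else 1
        self.active[uid] = username
        return uid


def simulate(alloc, logins):
    """Log in `logins` users one after another, each logging out before the next
    arrives, and keep only the last session. Returns that session's user id and
    whether the gateway would still accept a new login afterwards."""
    uid = None
    for n in range(logins):
        if uid is not None:
            alloc.logout(uid)
        uid = alloc.login(f"user{n}")
    return uid, alloc.can_login()


if __name__ == "__main__":
    # The 510th login ever is the one that receives id 0 and blocks the gateway,
    # even though only one session is active at that moment.
    print("buggy:", simulate(BuggyAllocator(), 510))
    print("fixed:", simulate(FixedAllocator(), 510))
```

Note that the counter advances with every login, not with the number of concurrent sessions, which is why the symptom appears with only 9 users online and clears once the id-0 session ends.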

Temporary solution:
     The administrator kicks off the user whose user id is 0.

No user whose user id is 0 remains.

Then new users can log in to the SSL VPN virtual gateway.
The other temporary solution is simply to wait for the user whose user id is 0 to log out by itself or expire.

Final solution:
    Wait for the new version to be released, and upgrade to it.
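The handling process above eliminates causes in a fixed order: license capacity first, then the id-0 session. The script below is an added example (not part of the article or the USG product) that applies that order to collected command output. The license text is a copy of the “display license” lines shown above; the list of online user ids stands in for the “display rtm user-list” output, whose format is not reproduced on the page, so it is a constructed input.

```python
import re

# Copy of the relevant "display license" lines from the article.
LICENSE_OUTPUT = """\
<USG5500>display license
SSL VPN Concurrent User: 60    //total 60 users can login SSL VPN concurrently.
IPS        : Enabled;   service expire time: 2017/09/29
"""


def parse_ssl_vpn_limit(license_text):
    """Return the licensed number of concurrent SSL VPN users, or None if absent."""
    m = re.search(r"SSL VPN Concurrent User:\s*(\d+)", license_text)
    return int(m.group(1)) if m else None


def triage(license_text, online_user_ids):
    """Apply the article's elimination order.

    online_user_ids: user ids taken from "display rtm user-list" in the diagnose
    view (constructed input here; the command's real output format is not shown).
    """
    limit = parse_ssl_vpn_limit(license_text)
    if limit is None:
        return "license_unknown"
    if len(online_user_ids) >= limit:
        return "license_exhausted"       # step (2): all licensed seats in use
    if 0 in online_user_ids:
        return "user_id_0_present"       # step (3): the wrap-around bug; kick off id 0
    return "no_known_cause"


if __name__ == "__main__":
    # Constructed sample: 9 users online, one of them holding id 0.
    sample_ids = [0, 12, 13, 14, 15, 16, 17, 18, 19]
    print(parse_ssl_vpn_limit(LICENSE_OUTPUT))   # 60
    print(triage(LICENSE_OUTPUT, sample_ids))     # user_id_0_present
```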
Root Cause
1) Configuration error.
2) The login users reached the maximum number.
3) Other cause.
Suggestions
For troubleshooting, we should know some commands in the diagnose view.
