When the TSM SACG is connected, the pre-authentication domain automatically permits all traffic

Publication Date: 2012-09-13
Issue Description
The Secospace TSM SACG cannot restrict clients through the pre-authentication domain.
For the pre-authentication domain, ACL 3099 on the SACG displays “rule1000 permit ip”.
The configuration:
default acl 3099
server ip 10.144.199.6 port 3288 shared-key secospace
right-manager server-group active-minimum 3

The status display:
[USG2210] dis right-manager server-group
13:56:24 2010/06/02
Server-state: Enable
Server-number: 1
Server-ip-address port state master
10.144.199.6 3288 active Y

Alarm Information
None
Handling Process
Changing active-minimum to 1 solves the problem.
default acl 3099
right-manager server-group active-minimum 1

Root Cause
The connection status shows that the number of active servers is 1, while the original configuration sets active-minimum to 3, meaning that the minimum number of active servers is 3. In this situation the firewall opens the emergency channel, and ACL 3099 contains a rule1000 permit ip rule.
Suggestions
Conditions for opening the emergency channel:
1. State monitoring is enabled.
2. The number of currently active servers is less than the configured minimum number of active servers.
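
Both conditions can be checked offline against saved device output. The Python script below is an added example, not part of the original case or of the vendor's tooling; it assumes the configuration and display formats shown on this page, and the function names are hypothetical.

```python
import re

# Sample input copied from the configuration and status output in this case.
CONFIG = """\
default acl 3099
server ip 10.144.199.6 port 3288 shared-key secospace
right-manager server-group active-minimum 3
"""
STATUS = """\
Server-state: Enable
Server-number: 1
Server-ip-address port state master
10.144.199.6 3288 active Y
"""

def parse_config(text):
    """Return (configured server IPs, active-minimum or None)."""
    servers = re.findall(r"^\s*server ip (\S+) port \d+", text, re.M)
    m = re.search(r"active-minimum (\d+)", text)
    return servers, int(m.group(1)) if m else None

def parse_status(text):
    """Return (state monitoring enabled?, IPs of servers in state 'active')."""
    monitoring = re.search(r"^\s*Server-state:\s*Enable\b", text, re.M) is not None
    active = re.findall(r"^\s*(\d+(?:\.\d+){3})\s+\d+\s+active\b", text, re.M)
    return monitoring, active

def audit(config, status):
    """Hypothetical helper: evaluate the two emergency-channel conditions."""
    servers, minimum = parse_config(config)
    monitoring, active = parse_status(status)
    known = minimum is not None
    return {
        "configured_servers": len(servers),
        "active_servers": len(active),
        "active_minimum": minimum,
        # Static check: more servers required than are configured, so the
        # threshold can never be met while state monitoring is enabled.
        "minimum_unreachable": known and minimum > len(servers),
        # Runtime check: monitoring enabled and active servers below the minimum.
        "emergency_channel_open": monitoring and known and len(active) < minimum,
    }

if __name__ == "__main__":
    for name, value in audit(CONFIG, STATUS).items():
        print(f"{name}: {value}")
```

With the original configuration both flags are true: a single configured server can never satisfy a minimum of 3, so the pre-authentication ACL stays open. With active-minimum 1 both flags clear as long as the server remains active.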
