Client Authentication failure on Check Point firewall


Article ID: 168023


Products

XOS

Issue/Introduction

This article describes a race condition that can occur when Check Point Client Authentication is performed against an external server through an interface with a shared IP address.

When multiple users try to authenticate on the firewall, some of them intermittently fail to get access permission.

Cause

From the point of view of the outside system, two packets are intermittently sent with the same source IP and source port even though they come from two different VAPs. When the reply comes back from the destination, the NPM may pass it to the wrong VAP. For example, an authentication request leaves vsx_1, and immediately afterwards a request for another client/session is sent by vsx_2, before the reply to the first request has arrived from the authentication server. The return traffic is then passed to vsx_2, because it was the most recent connection. The majority of authentications may work fine; only in the corner cases where this race condition occurs do some authentication requests fail.

The Client Authentication component allocates its source port at boot time and then reuses that same port for all subsequent requests for the lifetime of the Client Authentication process. Because this process starts relatively early, and in the same order on every VAP, there is a chance that the same source port is allocated to the Client Authentication process on more than one VAP. Those VAPs then send traffic to the external authentication server with identical source IP address and source port, which, when the race condition above occurs, leads to an authentication failure as seen from the client.

This problem only occurs when the Client Authentication requests are sent to the outside system through a circuit that shares a single IP address among all the VAP members. This is usually the case when the authentication server is reached through the internet/outside production interface rather than through a management network configured with increment-per-vap.

Resolution

The recommended solution is to set a unique IP address for each VAP on the circuit, using the increment-per-vap option in the circuit configuration. This is the preferred setting for any circuit used for management traffic.


Workaround

This issue can be resolved by adjusting the source ports available on each VAP for locally originated connections, so that no two VAPs can pick the same source port. To make this change, run the sysctl command on each VAP and assign it a unique range in the variable net.ipv4.ip_local_port_range. For example:

# sysctl -w net.ipv4.ip_local_port_range="10240 26624"

To make this change permanent, edit the file /etc/sysctl.conf on each VAP (the file is read at boot; on a standard Linux sysctl it can be loaded immediately with sysctl -p). Here is an example assigning 16384 non-overlapping source ports on each of three VAPs:

# vsx_1:
net.ipv4.ip_local_port_range = 10240 26624

# vsx_2:
net.ipv4.ip_local_port_range = 26625 43009

# vsx_3:
net.ipv4.ip_local_port_range = 43010 59394
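The following is an added example, not part of this article and not XOS product code. It covers both the cause described above and the workaround: it plans adjacent, disjoint ip_local_port_range values for N VAPs using the article's base port (10240) and range width (16384), verifies that the plan stays inside the port space and that no two ranges overlap, prints the /etc/sysctl.conf line and the sysctl -w command to run on each VAP, and then counts collisions in a constructed list of flows to show how a shared source port produces two flows with an identical (src ip, src port, dst ip, dst port) tuple, which is exactly the ambiguity the return path cannot resolve. The VAP naming vsx_<n>, the VAP count, the IP addresses and the destination port are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article or from XOS): plan and verify per-VAP
# source port ranges, and show the 4-tuple collision that a shared port causes.
# Assumptions: VAPs are numbered 1..N and named vsx_<n>; base port and width
# follow the article's example.

PORT_BASE=10240    # low port handed to vsx_1 (article's value)
PORT_WIDTH=16384   # difference between low and high port of one range (article's value)

# Print "low high" for VAP number $1; consecutive VAPs get adjacent, disjoint ranges.
vap_port_range() {
    n=$1
    low=$(( PORT_BASE + (n - 1) * (PORT_WIDTH + 1) ))
    high=$(( low + PORT_WIDTH ))
    echo "$low $high"
}

# Exit 0 (true) when two "low high" ranges share no port, 1 otherwise.
ranges_disjoint() {
    set -- $1 $2        # now $1=low_a $2=high_a $3=low_b $4=high_b
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# Print the /etc/sysctl.conf line for VAP $1.
sysctl_conf_line() {
    echo "net.ipv4.ip_local_port_range = $(vap_port_range "$1")"
}

# Verify that the ranges planned for VAPs 1..$1 stay below 65535 and are
# pairwise disjoint. Exit 0 when the plan is consistent, 1 with a message otherwise.
check_plan() {
    count=$1
    i=1
    while [ "$i" -le "$count" ]; do
        ri=$(vap_port_range "$i")
        set -- $ri
        [ "$2" -le 65535 ] || { echo "vsx_$i: range $ri exceeds 65535" >&2; return 1; }
        j=$(( i + 1 ))
        while [ "$j" -le "$count" ]; do
            rj=$(vap_port_range "$j")
            ranges_disjoint "$ri" "$rj" || { echo "vsx_$i/vsx_$j overlap: $ri vs $rj" >&2; return 1; }
            j=$(( j + 1 ))
        done
        i=$(( i + 1 ))
    done
    return 0
}

# Read flows "vap src_ip src_port dst_ip dst_port" from stdin and print how many
# distinct 4-tuples are used by more than one VAP. Any such tuple is ambiguous
# on the return path, which is the situation described in the Cause section.
count_tuple_collisions() {
    awk '{
        key = $2 ":" $3 "->" $4 ":" $5
        if (!(key in owner)) { owner[key] = $1 }
        else if (owner[key] != $1 && !(key in dup)) { dup[key] = 1; n++ }
    }
    END { print n + 0 }'
}

# Constructed sample flows (addresses and destination port 5000 are placeholders):
# two VAPs behind one shared circuit IP both picked source port 1024 at boot.
SAMPLE_SHARED_PORT='vsx_1 198.51.100.10 1024 203.0.113.5 5000
vsx_2 198.51.100.10 1024 203.0.113.5 5000'

# The same two VAPs after disjoint ranges were applied: no ambiguous tuple remains.
SAMPLE_UNIQUE_PORT='vsx_1 198.51.100.10 10240 203.0.113.5 5000
vsx_2 198.51.100.10 26625 203.0.113.5 5000'

# Print the plan for VAP_COUNT VAPs (default 3) and the collision counts.
main() {
    vaps=${VAP_COUNT:-3}
    check_plan "$vaps" || return 1
    i=1
    while [ "$i" -le "$vaps" ]; do
        echo "# vsx_$i:"
        sysctl_conf_line "$i"
        echo "sysctl -w net.ipv4.ip_local_port_range=\"$(vap_port_range "$i")\""
        i=$(( i + 1 ))
    done
    echo "collisions with shared port:   $(printf '%s\n' "$SAMPLE_SHARED_PORT" | count_tuple_collisions)"
    echo "collisions with unique ranges: $(printf '%s\n' "$SAMPLE_UNIQUE_PORT" | count_tuple_collisions)"
}

main
```

The script only prints the sysctl -w commands and sysctl.conf lines; each one is meant to be reviewed and then run on the VAP it is labelled for. check_plan refuses a VAP count whose last range would pass port 65535, so on a chassis with more VAPs the width has to be reduced rather than the ranges allowed to wrap.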