Auth Connector is used within WSS to authenticate users and gather group information.
Auth Connector events are monitored and retrieved via an SNMP manager.
Over the last month, a large number of events have been reported in both the SNMP manager and the Windows event logs; almost all are for event IDs 2001, 1022 and 2404.
No users are reporting any issues with authentication or policy evaluation, so the warnings appear to be cosmetic.
How can we reduce these errors?
IPSEC access method into Cloud SWG.
The Auth Connector continued to try to access legacy China data center IP addresses, despite the legacy services in China having been removed.
Restart the Auth Connector.
A Portal update performed at the end of January 2023 removed all references to the old China colo data centers. Prior to this, any Cloud SWG tenant that had previously connected to the old, removed data centers in China would continue to see connections from the Auth Connector to these removed data center IP addresses, as the Portal did not remove references to them.
With the Portal changes, Auth Connectors are no longer notified of these IP addresses and will never try to connect to them. An Auth Connector restart, however, is required to pull the updated information from the Portal.
The SymDiag Auth Connector logs showed thousands of the following entries; in each case they were to either the 184.108.40.206/24 or 220.127.116.11/24 subnet, which were part of the old and recently removed legacy China data centers. These correlate to the event IDs reported above.
[6868:6808] SSL setup failed; status=10054:0x2746:An existing connection was forcibly closed by the remote host.
[6868:6808] DataPod connection failed to 18.104.22.168; status=10054:0x2746:An existing connection was forcibly closed by the remote host.
[6868:10292] Failed to establish SSL connection.; status=10054:0x2746:An existing connection was forcibly closed by the remote host.
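
To check whether the connection attempts to the removed data centers have stopped after the restart, the failed DataPod entries can be counted per destination. The following Python script is an added example, not part of the original article or of Broadcom tooling: it assumes the log line format shown in the excerpts above, its function names are hypothetical, and its sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Subnets the article names as belonging to the removed China data centers.
# strict=False because the article writes them with host bits set.
LEGACY_NETS = [ipaddress.ip_network(n, strict=False)
               for n in ("184.108.40.206/24", "220.127.116.11/24")]

# Matches the "DataPod connection failed to <ip>; status=<code>" entries.
FAILED = re.compile(
    r"DataPod connection failed to (\d{1,3}(?:\.\d{1,3}){3}); status=(\d+)")

def failed_targets(lines):
    """Count failed DataPod connections per (destination IP, status code)."""
    hits = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            hits[(m.group(1), int(m.group(2)))] += 1
    return hits

def legacy_failures(lines, nets=LEGACY_NETS):
    """Return {ip: count} for failed destinations inside the legacy subnets."""
    out = Counter()
    for (ip, _status), count in failed_targets(lines).items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed address in a damaged log line
            continue
        if any(addr in net for net in nets):
            out[ip] += count
    return dict(out)

# Constructed sample lines in the format of the excerpts above.
TAIL = "status=10054:0x2746:An existing connection was forcibly closed by the remote host."
SAMPLE = [
    "[6868:6808] SSL setup failed; " + TAIL,
    "[6868:6808] DataPod connection failed to 184.108.40.17; " + TAIL,
    "[6868:6808] DataPod connection failed to 184.108.40.17; " + TAIL,
    "[6868:10292] DataPod connection failed to 220.127.116.5; " + TAIL,
    "[6868:10292] DataPod connection failed to 18.104.22.168; " + TAIL,
]

if __name__ == "__main__":
    for ip, count in sorted(legacy_failures(SAMPLE).items()):
        print(f"{ip}: {count} failed connection(s) to a legacy subnet")
```

Run it against a log collected after the restart; an empty result from `legacy_failures` means the Auth Connector is no longer trying the legacy subnets.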