SAML enabled on Cloud SWG for multiple access methods.
Azure Identity Provider used as SAML server.
Pilot users at a new location cannot browse internet after connecting to Cloud SWG with SEP Web and Cloud Access client in tunnel mode.
Users get the Azure login page rendered, but when they submit their email address the following message is rendered in the login page:
"There was an issue looking up your account. Tap next to try again"
Azure logs show nothing, as it appears Azure cannot determine the tenant from the email domain, even though it is a valid Azure domain.
Non-Azure IdP servers may report different errors, but authentication will fail.
SEP Web and Cloud Access client.
Can also happen with WSS Agent.
SAML authentication to Azure Identity Provider.
PAC file pushed down to the agent to send user traffic to 199.19.250.205:80 (ep.threatpulse.net) on the Cloud SWG proxy, but the issue also occurred without any PAC file.
Network issue with certain packet sizes, triggered by VxLAN being enabled on the Wi-Fi AP.
A number of possibilities exist:
Looking at the in-tunnel PCAP saved with Symdiag, we identified the TCP connection to login.microsoftonline.com where the users' credentials were submitted, and quickly found that the agent would RESET the connection after approximately 20 seconds, after multiple retransmits of the same data. Looking at the data in more detail, we could see that the server appeared to ACK the highlighted TCP segments below. The retransmitted TCP segments that never got answered were packets 714 and 716 below, both of which had a length of 1343. Every retransmitted packet of length 1343 towards the end of the PCAP below never got an ACK.
Packet 720 shows the Cloud SWG proxy ACKing everything except the missing 1343-byte packets: the highlighted SACK blocks cover the TCP segments sent in 715 and 717, and confirm that everything up to and including TCP segment 713 was received.
Suspecting an MTU issue at the Wi-Fi firewall or beyond, a few tests were carried out to confirm this theory:
PS C:\WINDOWS\system32> get-NetIPInterface "Wi-Fi"
ifIndex InterfaceAlias AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp ConnectionState PolicyStore
------- -------------- ------------- ------------ --------------- ---- --------------- -----------
8 Wi-Fi IPv6 1500 50 Enabled Disconnected ActiveStore
8 Wi-Fi IPv4 1500 50 Enabled Disconnected ActiveStore
PS C:\WINDOWS\system32> set-NetIPInterface "Wi-Fi" -NlMtuBytes 1300
PS C:\WINDOWS\system32> get-NetIPInterface "Wi-Fi"
ifIndex InterfaceAlias AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp ConnectionState PolicyStore
------- -------------- ------------- ------------ --------------- ---- --------------- -----------
8 Wi-Fi IPv6 1300 50 Enabled Disconnected ActiveStore
8 Wi-Fi IPv4 1300 50 Enabled Disconnected ActiveStore
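As an added example that is not part of the original article, the following PowerShell function localises the payload size above which DF-flagged packets stop being answered on a path (the black hole that left the 1343-byte segments above unacknowledged), so the NlMtuBytes value chosen is measured rather than guessed. The function name Find-PathMtu is hypothetical; it assumes ping.exe is present and the path allows ICMP Echo, and the targets are the IdP hostname and Cloud SWG address quoted in the article.

```powershell
# Added example, not from the original article or the Cloud SWG product.
# Probe the largest ICMP payload that crosses the path with DF set, then
# report the matching MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
function Find-PathMtu {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $Low  = 1200,   # payload size expected to pass
        [int] $High = 1472    # payload size for a full 1500-byte MTU
    )
    # $true if a single DF-flagged echo of $Size bytes is answered.
    # A reply line contains "TTL=" on English Windows (assumption);
    # "needs to be fragmented" or "Request timed out" both count as failure.
    function Test-Size([int] $Size) {
        $out = & ping.exe -n 1 -w 2000 -f -l $Size $Target 2>&1 | Out-String
        return ($out -match 'TTL=')
    }

    if (-not (Test-Size $Low)) {
        return [pscustomobject]@{ Target = $Target; Payload = $null; Mtu = $null
                                  Note = "even a $Low-byte payload failed" }
    }
    if (Test-Size $High) {
        $Low = $High
    } else {
        # Binary search between a passing ($Low) and a failing ($High) size.
        while ($High - $Low -gt 1) {
            $mid = [int](($Low + $High) / 2)
            if (Test-Size $mid) { $Low = $mid } else { $High = $mid }
        }
    }
    $mtu = $Low + 28
    if ($Low -lt 1472) {
        $note = "path MTU below 1500; candidate: set-NetIPInterface -NlMtuBytes $mtu"
    } else {
        $note = "full 1500-byte MTU passes"
    }
    [pscustomobject]@{ Target = $Target; Payload = $Low; Mtu = $mtu; Note = $note }
}

# Constructed usage: compare the path to the IdP with the path to the Cloud SWG proxy.
Find-PathMtu -Target 'login.microsoftonline.com'
Find-PathMtu -Target '199.19.250.205'
```

Run it from the affected client both on and off the VxLAN-enabled Wi-Fi, and with the agent tunnel up and down, to see which hop introduces the size limit.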