11-15-2013 03:17 PM
folks
i'm getting occasional errors from my wsa 670
when i try to access a url i get denied but the notification contains a different user's username
i have access to the category but even if i refresh my browser (ctrl-f5) i get the same result (denied)
if i run a packet capture on the client pc i can see the http 403 from the wsa but there is no ntlm exchange
thanks to anyone taking the time to reply
11-17-2013 12:29 AM
Hi there,
You are probably using IP address surrogates. This is only ideal for environments where users do not share computers. Once a user authenticates, the WSA will remember that User X is logged on to this IP address for 1 hour by default. Once the 1 hour expires, then the WSA will ask the client for authentication again.
If you are in an environment where users share computers, you may want to change the surrogate to Session Cookie so that each socket will need authentication.
Hint: You can clear the authentication cache using the 'authcache' command in the CLI.
Based on your other posts, it sounds like all your users will be authenticated using the F5 Load Balancer's IP address. IP address surrogates are not an option for you with this type of deployment since most (if not all) of your users will be coming from the F5's IP address.
-Vance
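As an added illustration (not code from this thread or from Cisco), a toy model of the surrogate cache Vance describes: keyed by client IP with a one-hour TTL, every request arriving from the F5's NAT address inherits whichever user authenticated first, so the block page shows someone else's name and no NTLM challenge is sent; keyed by session cookie, each session authenticates on its own. The NAT address, timestamps and cookie values are constructed.

```python
from dataclasses import dataclass, field

SURROGATE_TTL = 3600  # WSA default: an IP-to-user binding is remembered for 1 hour


@dataclass
class SurrogateCache:
    """Toy model of a proxy authentication surrogate cache (not WSA code)."""
    mode: str                      # "ip" or "cookie"
    ttl: int = SURROGATE_TTL
    entries: dict = field(default_factory=dict)  # key -> (user, auth_time)

    def _key(self, client_ip, cookie):
        return client_ip if self.mode == "ip" else cookie

    def lookup(self, now, client_ip, cookie=None):
        key = self._key(client_ip, cookie)
        hit = self.entries.get(key)
        if hit is None or now - hit[1] > self.ttl:   # expired: force re-auth
            self.entries.pop(key, None)
            return None
        return hit[0]

    def authenticate(self, now, user, client_ip, cookie=None):
        self.entries[self._key(client_ip, cookie)] = (user, now)


def resolve_user(cache, now, client_ip, real_user, cookie=None):
    """Identity the proxy applies to a request; a cache hit skips the NTLM challenge."""
    cached = cache.lookup(now, client_ip, cookie)
    if cached is not None:
        return cached
    cache.authenticate(now, real_user, client_ip, cookie)
    return real_user


def nat_scenario(mode):
    """Two users behind one SNAT address, one minute apart (constructed values)."""
    cache = SurrogateCache(mode)
    f5_nat_ip = "10.0.0.5"         # constructed: the load balancer's SNAT address
    t0 = 1000
    alice = resolve_user(cache, t0, f5_nat_ip, "alice", cookie="sess-alice")
    bob = resolve_user(cache, t0 + 60, f5_nat_ip, "bob", cookie="sess-bob")
    return alice, bob


def ttl_scenario():
    """Same IP, same user, one second past the TTL: the binding is re-learned."""
    cache = SurrogateCache("ip")
    resolve_user(cache, 0, "10.0.0.5", "alice")
    return cache.lookup(SURROGATE_TTL + 1, "10.0.0.5")   # None -> challenge again
```

With IP surrogates Bob's request is attributed to Alice, which is exactly the "different user's username" in the original block notification; with cookie surrogates both users keep their own identity.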
11-17-2013 12:56 AM
vance
many thanks for your reply
we are indeed using ip surrogates but we're not using shared computers
i have 6 wsas and a large user base spread over the 6 appliances, is there a way to prevent this behaviour rather than react to it?
thanks for your help
11-17-2013 12:58 AM
What value is the F5 load balancer adding for you besides load-balancing to the WSAs?
You can consider changing the F5 to use layer 2 to deliver traffic to the WSAs so that the client IP will stay the same.
-Vance
11-17-2013 01:51 AM
vance
my f5s aren't inline to the wsas so i need to use nat, otherwise the traffic isn't routed back to the original host
i've x forwarding enabled and the wsa can see this in policy
do you think layer 2 would resolve this?
11-17-2013 09:16 PM
I think it will since your users do not share computers. But when going through the F5, every user will be coming from the same IP address so that is the same as sharing in the WSA's perspective.
But since you said your F5 is not in line, there may be challenges. Depending on what the F5 does to the packet, the client may reject it if the WSA responds directly to the client without passing through the F5 first.