[IAG] A single website cannot be accessed, and pass-through reports that the user authentication packet is lost

Problem Description

A website is used for reporting fees. Data submitted to it cannot be saved. Pass-through reports that the authentication packet is lost. The user is online and no policy is blocking the traffic.

Warning Information


[Screenshot: warning message]

Process

  1. The authentication policy is single sign-on, and there are no policy restrictions on the online user, whose IP address is 10.0.15.28. With data pass-through turned on, the device reports that the authentication packet is lost. At this point the customer can access other web pages without any problem, but data submitted to the billing website cannot be saved.
  2. A packet capture showed that when the PC visited this website, the server appeared to return a 200 OK packet with TTL=128 and ip.id == 0x5826, so the request was clearly intercepted by the device. The packet redirected the client to the IWA interface http://sangfor-1b97:80/src/iwa/index.js?t=152836476
  3. With IWA single sign-on turned off, the test works fine, so the IWA redirection is the cause.
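
The TTL check behind step 2, as an added example that is not part of the original case: it parses raw IPv4/TCP packets and flags server-side packets whose TTL differs from the one seen in the handshake SYN-ACK. It assumes the real server's packets arrive with a different TTL than the device-generated reply; the server address 192.0.2.10, the TTL 52 and every IP ID except 0x5826 are constructed sample values.

```python
import struct

def build_packet(src, dst, ttl, ip_id, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (constructed sample data, checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 80, 50000, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload

def parse_packet(raw):
    """Return source IP, TTL, IP ID, TCP flags and payload of an IPv4+TCP packet."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    if raw[9] != 6:                                # not TCP
        return None
    data_off = (raw[ihl + 12] >> 4) * 4            # TCP header length in bytes
    return {"src": ".".join(map(str, raw[12:16])), "ttl": raw[8], "ip_id": ip_id,
            "flags": raw[ihl + 13], "payload": raw[ihl + data_off:total_len]}

def find_injected(packets, server_ip):
    """Flag packets sourced from server_ip whose TTL differs from the SYN-ACK TTL."""
    parsed = [p for p in map(parse_packet, packets) if p and p["src"] == server_ip]
    # Baseline: TTL of the SYN-ACK (SYN and ACK flags both set), assumed to be genuine.
    baseline = next((p["ttl"] for p in parsed if p["flags"] & 0x12 == 0x12), None)
    if baseline is None:
        return []                                  # no handshake captured, nothing to compare
    return [p for p in parsed if p["ttl"] != baseline]

# Constructed capture: 10.0.15.28 is the client from the case, the rest is sample data.
SERVER, CLIENT = "192.0.2.10", "10.0.15.28"
SAMPLE = [
    build_packet(SERVER, CLIENT, 52, 0x1A01, 0x12),                         # SYN-ACK
    build_packet(SERVER, CLIENT, 128, 0x5826, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_packet(SERVER, CLIENT, 52, 0x1A02, 0x10),                         # plain ACK
]

if __name__ == "__main__":
    for p in find_injected(SAMPLE, SERVER):
        print(f"suspect reply: ttl={p['ttl']} ip.id=0x{p['ip_id']:04x} "
              f"payload={p['payload'][:15]!r}")
```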

Root cause

When IWA single sign-on is in use, the device redirects the client to the IWA interface at regular intervals.

Solution

Disable IWA single sign-on, or upgrade to version 11.9R1 or above and disable scheduled IWA requests in the IWA advanced configuration.


Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=5949&isOpen=true