[IAG] dkey user login failed - source IP does not match
Problem Description
The dkey user login failed and the message "Login failed" was displayed.

Process
- Confirm that there is no problem with the Dkey itself: after regenerating the key in the console and logging in again, the symptom is still the same.
- Use the console packet capture tool to capture the packets exchanged between the PC and the IAG. Dkey authentication uses UDP port 980.
- Send the captured data packet to the 400 engineers for decryption. The IP address inside the data packet does not match the IP address used for the communication.

- Check the IP address of the PC. It is indeed the IP in the data packet. This confirms that traffic between the PC and the IAG passes through NAT.

Root cause
It is confirmed that the connection from the PC to the IAG goes through NAT.
Dkey user authentication is not supported in NAT environments.
Solution
Coordinate a change to the network topology. NAT cannot be enabled between the PC using dkey and the IAG.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=6443&isOpen=true