
[SRX] Pulse client reports 'Incorrect Credentials' error (using Local Authentication)

  [KB22893]


Summary:

When trying to connect the Pulse client to the SRX, the process fails with the following messages:

Status of connection results: "Failed"
Details: "Incorrect Credentials"

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.


Symptoms:

The Pulse client attempts to log in to the SRX but does not connect. The Connection Status in the Pulse window reports "Failed", with Details: "Incorrect Credentials".



Cause:

Solution:

NOTE: If you are using RADIUS authentication (where the SRX sends the authentication request to a RADIUS server), refer instead to KB17335 - Pulse client reports 'Incorrect Credentials' error (using RADIUS Authentication).

This error message occurs in the following situations:

  • The username or password (both case sensitive) has been entered incorrectly.

  • The username entered does not match the username configured.

  • The subscriber-management process is disabled.

Perform the following steps to correct the error:


Step 1.  Run the command show access profile. Is the username (including capitalization) configured in the access profile the same as the username being entered?

  • Yes - Continue with Step 2
  • No - Have the user re-enter the username, making sure the capitalization matches what is configured. If the user is still unable to authenticate, continue with Step 2.



Step 2.  Enter a new password for the user trying to authenticate (e.g. user1):

            root@srx# set access profile dyn-vpn-access-profile client user1 firewall-user password 1234

  • Issue still seen - Continue with Step 3

Step 3.  Are the subscriber-management and subscriber-management-helper processes disabled?

user@srx# show system processes
subscriber-management disable;    
subscriber-management-helper disable;


  • Yes - Re-enable the processes
    • Delete the configuration as below and commit:

      user@srx# delete system processes subscriber-management
      user@srx# delete system processes subscriber-management-helper
      user@srx# commit

  • No - Continue with Step 4

Step 4. If still unable to authenticate, set authentication traceoptions so that the debug log can be reviewed for clues as to why the authentication is failing:

user@srx# set system processes general-authentication-service traceoptions flag all
user@srx# commit
user@srx# clear log authd

[Have user attempt to connect and login again]

user@srx> show log authd


Step 5. Review the output of the authd file. Look for the username that is unable to connect. Below are samples of the debug output that you can compare yours to:

DEBUG OUTPUT EXAMPLE OF A BAD PASSWORD:
Sep 3 10:11:40 ###################################################################
Sep 3 10:11:40 ########################### AUTH REQ RCVD #########################
Sep 3 10:11:40 ###################################################################
Sep 3 10:11:40 Auth-FSM: Process Auth-Request for session-id:3
Sep 3 10:11:40 Framework: Starting authentication
Sep 3 10:11:40 authd_advance_module_for_aaa_request_msg: result:0
Sep 3 10:11:40 Authd module start
Sep 3 10:11:40 Local : authd_local_start_auth: got params profile=remote_access_profile, username=user1
Sep 3 10:11:40 Local : start authd_local_lookup
Sep 3 10:11:40 Local : profile remote_access_profile found
Sep 3 10:11:40 Local : client user1 found
Sep 3 10:11:40 Local : password mismatch for client user1
Sep 3 10:11:40 authd_auth_module_start: result = 3 start_auth; state = 0
Sep 3 10:11:40 authd_auth_module_start: Error in calling the start_auth
Sep 3 10:11:40 REQUEST: AUTHEN - module_index 0 module(password) return: FAILURE

Sep 3 10:11:40 Framework: auth result is 11. Performing post-auth operations
Sep 3 10:11:40 Framework: result is 11.
Sep 3 10:11:40 authd_auth_send_answer: conn=d09000, reply-code=2 (FAIL), result-subopcode=11 (ACCESS_DENY), sub-id=3, cookie=1, rply_len=28, num_tlv_blocks=0
Sep 3 10:11:40 Delete session: 3
Sep 3 10:11:40 Subscriber 3 not found
Sep 3 10:11:40 authd_auth_aaa_msg_destroy
Sep 3 10:11:40 authd_auth_aaa_msg_destructauth_aaa_msg: 0xb4e06c
Sep 3 10:11:40 authd_write_conn: response is 0xd0905c, total len is 28 and sent is 0
Sep 3 10:11:40 authd_write_conn: response is 0xd0905c, wrote 28 bytes



DEBUG OUTPUT EXAMPLE OF A USERNAME NOT MATCHED (again, note case sensitivity):

Sep 3 10:14:22 ###################################################################
Sep 3 10:14:22 ########################### AUTH REQ RCVD #########################
Sep 3 10:14:22 ###################################################################
Sep 3 10:14:22 Auth-FSM: Process Auth-Request for session-id:9289518677856839890
Sep 3 10:14:22 Framework: Starting authentication
Sep 3 10:14:22 authd_advance_module_for_aaa_request_msg: result:0
Sep 3 10:14:22 Authd module start
Sep 3 10:14:22 Local : authd_local_start_auth: got params profile=remote_access_profile, username=USER
Sep 3 10:14:22 Local : start authd_local_lookup
Sep 3 10:14:22 Local : profile remote_access_profile found
Sep 3 10:14:22 Local : client USER NOT found
Sep 3 10:14:22 authd_auth_module_start: result = 3 start_auth; state = 0
Sep 3 10:14:22 authd_auth_module_start: Error in calling the start_auth
Sep 3 10:14:22 REQUEST: AUTHEN - module_index 0 module(password) return: FAILURE

Sep 3 10:14:22 Framework: auth result is 11. Performing post-auth operations
Sep 3 10:14:22 Framework: result is 11.
Sep 3 10:14:22 authd_auth_send_answer: conn=d00000, reply-code=2 (FAIL), result-subopcode=11 (ACCESS_DENY), sub-id=9289518677856839890, cookie=6, rply_len=28, num_tlv_blocks=0
Sep 3 10:14:22 Delete session: 9289518677856839890
Sep 3 10:14:22 Subscriber 9289518677856839890 not found
Sep 3 10:14:22 authd_auth_aaa_msg_destroy
Sep 3 10:14:22 authd_auth_aaa_msg_destructauth_aaa_msg: 0xb4e06c
Sep 3 10:14:22 authd_write_conn: response is 0xd0005c, total len is 28 and sent is 0
Sep 3 10:14:22 authd_write_conn: response is 0xd0005c, wrote 28 bytes



DEBUG OUTPUT EXAMPLE OF A SUCCESSFUL AUTHENTICATION, i.e. username and password matched:
Sep 3 10:08:32 ###################################################################
Sep 3 10:08:32 ########################### AUTH REQ RCVD #########################
Sep 3 10:08:32 ###################################################################
Sep 3 10:08:32 Auth-FSM: Process Auth-Request for session-id:2
Sep 3 10:08:32 Framework: Starting authentication
Sep 3 10:08:32 authd_advance_module_for_aaa_request_msg: result:0
Sep 3 10:08:32 Authd module start
Sep 3 10:08:32 Local : authd_local_start_auth: got params profile=remote_access_profile, username=user1
Sep 3 10:08:32 Local : start authd_local_lookup
Sep 3 10:08:32 Local : profile remote_access_profile found
Sep 3 10:08:32 Local : client user1 found
Sep 3 10:08:32 Local : passwords matched
Sep 3 10:08:32 authd_auth_module_start: result = 2 start_auth; state = 0
Sep 3 10:08:32 REQUEST: AUTHEN - module_index 0 module(password) return: SUCCESS

Sep 3 10:08:32 authd_auth_get_address: begin to do Local address assignment
Sep 3 10:08:32 authd_local_addr_assign- coming in
Sep 3 10:08:32 authd_lookup_astentry_by_sessionid: Coming in
Sep 3 10:08:32 authd_lookup_astentry_by_sessionid: existing
Sep 3 10:08:32 authd_local_addr_assign- found ast_entry 0xc92448
Sep 3 10:08:32 authd_local_addr_assign- beging to do subscriberLogin
Sep 3 10:08:32 Decoding incoming attributes
Sep 3 10:08:32 Subscriber attribute 17, length 5
Sep 3 10:08:32 Subscriber attribute 38, length 21
Sep 3 10:08:32 Subscriber attribute 10014, length 7
Sep 3 10:08:32 Subscriber attribute 77, length 14
Sep 3 10:08:32 Result have been returned with opcode=0, result=2


Step 6.   If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a case with your technical support representative or with the RADIUS server vendor as appropriate.
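
The log review in Step 5, together with the capitalization check from Step 1, can be scripted. The following is an added example, not part of the original article or any Juniper tool: it splits an authd trace on the AUTH REQ RCVD banner and labels each request from the "password mismatch", "NOT found" and "passwords matched" lines shown in the samples above. The function name, the outcome labels and the configured_users parameter (usernames as listed by show access profile) are assumptions, and the sample log is constructed from lines in this article.

```python
import re

# Constructed sample: a subset of the authd trace lines shown in Step 5.
SAMPLE_LOG = """\
Sep 3 10:11:40 ########################### AUTH REQ RCVD #########################
Sep 3 10:11:40 Local : authd_local_start_auth: got params profile=remote_access_profile, username=user1
Sep 3 10:11:40 Local : client user1 found
Sep 3 10:11:40 Local : password mismatch for client user1
Sep 3 10:14:22 ########################### AUTH REQ RCVD #########################
Sep 3 10:14:22 Local : authd_local_start_auth: got params profile=remote_access_profile, username=USER
Sep 3 10:14:22 Local : client USER NOT found
Sep 3 10:08:32 ########################### AUTH REQ RCVD #########################
Sep 3 10:08:32 Local : authd_local_start_auth: got params profile=remote_access_profile, username=user1
Sep 3 10:08:32 Local : client user1 found
Sep 3 10:08:32 Local : passwords matched
"""

PARAMS = re.compile(r"got params profile=(\S+), username=(\S+)")
NOT_FOUND = re.compile(r"Local : client (\S+) NOT found")


def classify_requests(log_text, configured_users=()):
    """Return one dict per AUTH REQ RCVD block, labelled with its outcome.

    configured_users (hypothetical parameter) holds the usernames from
    'show access profile'; it is used to tell a capitalization error
    apart from a username that is not configured at all.
    """
    by_lower = {u.lower(): u for u in configured_users}
    requests, cur = [], None
    for line in log_text.splitlines():
        if "AUTH REQ RCVD" in line:
            # Only the middle banner line carries this text: one record per request.
            cur = {"time": " ".join(line.split()[:3]), "profile": None,
                   "username": None, "outcome": "incomplete"}
            requests.append(cur)
        elif cur is None:
            continue  # trace lines before the first request banner
        elif (m := PARAMS.search(line)):
            cur["profile"], cur["username"] = m.groups()
        elif "password mismatch for client" in line:
            cur["outcome"] = "bad_password"
        elif "passwords matched" in line:
            cur["outcome"] = "success"
        elif (m := NOT_FOUND.search(line)):
            match = by_lower.get(m.group(1).lower())
            cur["outcome"] = "username_case_mismatch" if match else "unknown_username"
            cur["configured_as"] = match
    return requests
```

A request left as "incomplete" has no Local lookup result in the trace and needs the surrounding lines reviewed by hand.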
