I have to keep re-logging into firewalls



  • Hi,

    I have two firewalls set up in a CARP formation.  As a result, when I am doing package management, or need to compare settings, I will have two tabs on my web browser: one for each firewall.

    Once I updated to 2.1.4, when I switch between tabs, I have to log in to that firewall again.  Even if a mere 10 seconds passes.  It's as if the session management is clobbering one another.  The act of logging into firewall A breaks the login on the other tab for firewall B.  The system logs on both firewalls show each successful login, but don't have anything when the login is apparently broken.

    It's making me a bit crazy.  Is there a fix for this?

    Browser is Chrome, Safari, and Firefox, on two separate Macintoshes.

    –jason


  • Rebel Alliance Developer Netgate

    Are you sure you are connecting to the firewall directly and not to a CARP VIP?

    Are the CARP VIPs swapping status back and forth? Anything in the system logs?

    The two nodes can't affect each other's GUI sessions, so unless you're getting bounced between them somehow nothing obvious comes to mind as to why it would repeatedly time out.

    One other remote possibility could be if you have a broken GUI certificate and it's set to use HTTPS but actually using HTTP. The cookie would be set secure only and wouldn't work if the browser was using HTTP, though typically it doesn't present quite like that.



  • Hi!

    I am using the LAN IP addresses, and not the CARP IPs.  There may be another wrinkle, but it's never been an issue before: I am using ssh port-forwarding to connect through the firewalls from the internet.  I will go to the colo today and test this when connected directly to the LAN.

    ssh workhorse -L9443:192.168.50.11:443 -L8443:192.168.50.12:443
    

    The CARP IP address is 192.168.50.1.

    The two tabs I am using on the web browser are: https://localhost:9443 and https://localhost:8443.

    Ah: here we are

    Jul  9 00:54:39 colo-fw1 lighttpd[25341]: (connections.c.305) SSL: 1 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request 
    Jul  9 00:54:39 colo-fw1 lighttpd[25341]: (connections.c.305) SSL: 1 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request 
    Jul  9 00:54:39 colo-fw1 lighttpd[25341]: (connections.c.305) SSL: 1 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request 
    
    

    –jason



  • And: I see the sticky topic about bad webgui ssl certificates.  I will look into that as well.

    –jason



  • Hello,

    I managed to get to the colo recently and tested on the same LAN: I was able to remain logged in to both tabs, so it appears to be something with ssh port forwarding.  I will dig into it some more and get back to you.

    BTW: I have not done anything about the potential bad webgui ssl certificates…

    --jason
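
One mechanism consistent with the posts above, shown as an added example (not part of the thread and not pfSense code): cookies are scoped by host name and not by port, so both tunnelled tabs on localhost share one cookie jar, and a secure-only cookie is withheld from plain HTTP. The cookie name PHPSESSID, its attributes and the session values are assumptions; Python's standard-library cookie jar stands in for the browser.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""
    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie
    def info(self):
        return self._headers

def login(jar, url, session_id):
    """Simulate a firewall GUI answering a login with a fresh session cookie."""
    # Constructed cookie: the name and attributes are assumptions for illustration.
    header = f"PHPSESSID={session_id}; path=/; secure; HttpOnly"
    jar.extract_cookies(FakeResponse(header), urllib.request.Request(url))

def cookie_sent(jar, url):
    """Return the Cookie header the client would send to url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")

FW_A = "https://localhost:9443/"  # tunnel to 192.168.50.11:443
FW_B = "https://localhost:8443/"  # tunnel to 192.168.50.12:443

def tunnelled_tabs():
    """Both tabs use host 'localhost'; the second login replaces the first cookie."""
    jar = CookieJar()
    login(jar, FW_A, "session-from-A")
    login(jar, FW_B, "session-from-B")
    return cookie_sent(jar, FW_A), cookie_sent(jar, FW_B)

def direct_tabs():
    """On the LAN each firewall has its own host, so each keeps its own cookie."""
    a, b = "https://192.168.50.11/", "https://192.168.50.12/"
    jar = CookieJar()
    login(jar, a, "session-from-A")
    login(jar, b, "session-from-B")
    return cookie_sent(jar, a), cookie_sent(jar, b)

def secure_over_http():
    """A secure-only cookie is never attached to a plain-HTTP request."""
    jar = CookieJar()
    login(jar, FW_A, "session-from-A")
    return cookie_sent(jar, "http://localhost:9443/")
```

Giving each tunnel its own host name (for example, distinct entries in the hosts file that both resolve to 127.0.0.1) keeps the two cookie jars separate while still using port forwarding.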