Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 2 subscribers
  • Views 16522 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

disconnected webserver sessions

MartinTol
I have a problem with the UTM9 Firmware 9.350-12 Pattern version:  90082

We have created a web portal, but users are being disconnected a lot. In the log i'm seeing several errors.

I'm seeing different type of errors in the web application log.
Web Application Firewall Log

Crypto errors
2015:10:28-08:13:27 sophos-2 reverseproxy: [Wed Oct 28 08:13:27.856555 2015] [session_crypto:error] [pid 14651:tid 3853646704] (100006)Error string not specified yet: [client x.x.x.x:50007] AH01842: decrypt session failed, wrong passphrase?, referer: https://domainname.com/suite
2015:10:28-08:13:27 sophos-2 reverseproxy: [Wed Oct 28 08:13:27.857729 2015] [session:error] [pid 14651:tid 3853646704] (100006)Error string not specified yet: [client x.x.x.x:50007] AH01817: error while decoding the session, session not loaded: /Suite/Management/PaymentOptimization, referer: https://domainname.com/suite

Timeout check failed
2015:10:28-07:46:55 sophos-2 reverseproxy: [Wed Oct 28 07:46:55.721498 2015] [authnz_aua:error] [pid 14651:tid 3744541552] [client x.x.x.x:52787] [user.leo] timeout check failed, referer: https://domainname.com/suite

PROXY Errors
2015:10:28-12:26:57 sophos-1 reverseproxy: [Wed Oct 28 12:26:57.000519 2015] [mpm_worker:warn] [pid 5725:tid 4147898048] AH00291: long lost child came home! (pid 5727)
2015:10:28-12:26:57 sophos-1 reverseproxy: [Wed Oct 28 12:26:57.000555 2015] [mpm_worker:warn] [pid 5725:tid 4147898048] AH00291: long lost child came home! (pid 5729)
2015:10:28-12:27:02 sophos-1 reverseproxy: [Wed Oct 28 12:27:02.543673 2015] [proxy:error] [pid 6683:tid 4038753136] (113)No route to host: AH00957: HTTP: attempt to connect to x.x.x.x:80 (x.x.x.x) failed
2015:10:28-12:27:02 sophos-1 reverseproxy: [Wed Oct 28 12:27:02.543732 2015] [proxy:error] [pid 6683:tid 4038753136] AH00959: ap_proxy_connect_backend disabling worker for (x.x.x.x) for 60s
2015:10:28-12:27:02 sophos-1 reverseproxy: [Wed Oct 28 12:27:02.543747 2015] [proxy_http:error] [pid 6683:tid 4038753136] [client x.x.x.x:62001] AH01114: HTTP: failed to make connection to backend: x.x.x.x
2015:10:28-12:27:02 sophos-1 reverseproxy: [Wed Oct 28 12:27:02.544382 2015] [proxy:error] [pid 7137:tid 3728223088] (113)No route to host: AH00957: HTTP: attempt to connect to x.x.x.x:80 (x.x.x.x) failed
2015:10:28-12:27:02 sophos-1 reverseproxy: [Wed Oct 28 12:27:02.544436 2015] [proxy_http:error] [pid 7137:tid 3728223088] [client x.x.x.x:53066] AH01114: HTTP: failed to make connection to backend: x.x.x.x


This thread was automatically locked due to age.
  • 0
    Hi, and welcome to the User BB!

    I don't know that any one of the lines you showed is anything other than the UTM just being "chatty" about what's happening.  Let your colleagues know that they need to note the EXACT time when they're disconnected.  In addition to the WAF log, you will also want to check those mentioned in #1 in Rulz.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi BAlfson, Thanks for your reply.
    The disconnect was noticed at 9:53:??
    I have cleared all the log lines from the other web application and other users. 
    The top line seems to be the last action off the user, the bottom line is the new login.
    Maybe I can get an even cleaner log tomorrow.

    2015:10:29-09:53:14 sophos-1 reverseproxy: id="0299" srcip="***.***.***.***" localip="***.***.***.163" size="0" user="username" host="***.***.***.***" method="GET" statuscode="304" reason="-" extra="-" exceptions="-" time="33737" url="/Suite/DXR.axd" server="server.domain.com" referer="server.domain.com/.../; secure"
    2015:10:29-09:53:26 sophos-1 reverseproxy: [Thu Oct 29 09:53:26.865957 2015] [session_crypto:error] [pid 30757:tid 1536203632] (100006)Error string not specified yet: [client ***.***.***.***:53397] AH01842: decrypt session failed, wrong passphrase?, referer: https://server.domain.com/Suite/Licenses/List/All
    2015:10:29-09:53:26 sophos-1 reverseproxy: [Thu Oct 29 09:53:26.873813 2015] [session_crypto:error] [pid 30757:tid 1487874928] (100006)Error string not specified yet: [client ***.***.***.***:53398] AH01842: decrypt session failed, wrong passphrase?, referer: [url]
  • 0
    This is purely a WAG...  Have you already tried selecting 'Rewrite HTML' and/or 'Pass host header' in the 'Advanced' section of the Virtual Server for this?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Pass host header is on, rewrite html is of. We will test with the rewrite html option on.
  • 0 in reply to MartinTol
    Rewrite HTML seemed to make the site a little faster. unfortunately after 30 minutes I was disconnected again. Intrusion Prevention, Advanced Threat Protection and Application control are turned off. I could not find any errors in the other logs. the only errors I find are in the WAF as posted earlier.
  • 0

    Hi there,

    same Problem with 9.400-9! We are publishing a SharePoint site via WAF, in previous versions we did not get this error. Seems to occur more often on Firefox than on IE users.

    2016:03:31-10:11:13 XXXXXX reverseproxy: [Thu Mar 31 10:11:13.428843 2016] [session_crypto:error] [pid 6387:tid 4055317360] (100006)Error string not specified yet: [client IP50465] AH01842: decrypt session failed, wrong passphrase?, referer: www.HOSTNAME/.../start.aspx

     

    2016:03:31-10:11:13 XXXXXX reverseproxy: [Thu Mar 31 10:11:13.429010 2016] [session_server:error] [pid 6387:tid 4055317360] (100006)Error string not specified yet: [client IP50465] AH01817: error while decoding the session, session not loaded: /_layouts/15/mquery.js, referer: www.HOSTNAME/.../start.aspx

     

    2016:03:31-10:11:13 XXXXXX reverseproxy: [Thu Mar 31 10:11:13.429091 2016] [session_crypto:error] [pid 6387:tid 4080495472] (100006)Error string not specified yet: [client IP50467] AH01842: decrypt session failed, wrong passphrase?, referer: www.HOSTNAME/.../start.aspx

     

    2016:03:31-10:11:13 XXXXXX reverseproxy: [Thu Mar 31 10:11:13.429114 2016] [session_server:error] [pid 6387:tid 4080495472] (100006)Error string not specified yet: [client IP50467] AH01817: error while decoding the session, session not loaded: /_layouts/15/1031/images/formatmap16x16.png, referer: www.HOSTNAME/.../start.aspx

     

    2016:03:31-10:11:13 XXXXXX reverseproxy: [Thu Mar 31 10:11:13.429283 2016] [session:error] [pid 6387:tid 4055317360] (2)No such file or directory: [client IP50465] AH01822: error while saving the session, session not saved: /_layouts/15/mquery.js, referer: www.HOSTNAME/.../start.aspx

    Christian

Unfiltered HTML