We recently started using pritunl-zero for all our internal services, including monitoring and logging such as Kibana and so on. Recently, after we added some services and the number of people who need to use this service increased, there are some people who are required to log in at each and every step.
For example, when visiting example.com it asks for login, which is expected; then when the user clicks on search it asks for login, and when the user clicks or submits any form it asks for login.
Basically, whenever the user refreshes the browser it asks for login. The user session login time is set to 120 minutes, server CPU and memory are stable, and even in the logs section there are no specific logs.
Here is what I am seeing: when I go to the user and look at the current sessions, there are no current sessions, but it keeps ending…
I faced this issue a while back. It automatically got fixed for some users. I tried to delete and recreate the same user, but it is not working. It works for a while (2-5 min) and then asks for the Google OAuth again and again. Can you help me with this?
Verify Share session with subdomains is enabled in the service settings. Then test with CSRF check disabled and Permit unauthenticated options requests enabled.
But how is it possible that, without any changes, this issue suddenly started? We faced it on existing services that users had already been using for 4-5 days; yesterday, all of a sudden, this issue started, not before that, and not for all users: there are a few people who have this issue. I will still enable these settings, but I would like to get a better understanding of this, because when it started most of our services became unusable and we had to allow the entire CIDR so that pritunl-zero doesn't block work.
When I check the user sessions of users who are having this issue, there is an IP in the user session; I am seeing that two IPs are used for the connection, and when I check the logs it was saying web-socket error.
401 is also there, but that is because the user session has ended and the user is now trying to access the web service, so it gives the above error. I have made all the changes you mentioned previously, but still get the same error.
Open the Nodes tab and check the running version. If it is v1.0.3265.55 or later this may be caused by changes to the WebSocket code. Try disabling the Allow WebSockets option in the service settings.
It solved the issue for services that don't need a websocket connection. There are still services that require a web-socket connection, and when I disabled it for them it gave an error, so is it possible to resolve this also? Or do we need to remove pritunl-zero for such services?
Everything is as you mentioned; still, there are lots of logs we are getting related to web-socket.
Can you help us resolve this? This is most likely causing some users to keep being asked for login when they click on a button that refreshes the browser they… or when they manually refresh the browser.
Are you referring to issues where the Pritunl Zero login session is lost or the login session on the internal service is lost? Those errors seem to indicate the internal service is returning a 401 access denied.
Yes, so sometimes, randomly, mostly during rush hours when all of our services are being used frequently, some users are not able to create a session properly, and the next day it happens to other users, not the same ones. What exactly is happening:
“I am opening Jenkins, it asks for login, then I am logged in to Jenkins. Now I am clicking on one job and clicking on build, so basically this requires refreshing the browser, I mean a new page requires loading, so then I am asked to log in again. Otherwise, sometimes when I open Kibana and log in, I am inside Kibana and all the resources there are not visible; then when I click on refresh it again asks me to log in, and it is happening again and again.”
If it’s not the Pritunl Zero login then it’s an issue with the internal service session. It may be an issue with the browser cookie settings blocking third-party cookies. Also in the service settings add the Host field to the External Domains; this should be set to the domain that the internal service would expect when accessing the web service. Using HTTPS with an IP address for the Internal Servers may also be required.
Here, when I mentioned multiple login attempts, I was referring to pritunl-zero Google authentication; our internal service is not blocking anything. And mainly it happens randomly. Before using pritunl-zero as a proxy all services were running, so it is 100% related to the session that is being created for users. I specifically checked by going to the user section and checking whether a session is established or not for the people who are facing this issue: there were no active sessions, and even if they try to connect, a session is created but only for a few minutes or even seconds, and then they have to log in again.
I don't know if I can share a video to explain it properly…
Open the Chrome Developer Tools and in the Network tab watch the Cookie value on the requests. It’s possible the pritunl-zero cookie is being replaced or removed by the internal service. Check for requests that do not contain the cookie.
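The check suggested in the reply above can also be run over a saved HAR capture instead of by eye. The following is an added example, not part of the thread and not Pritunl code; the cookie name `pritunl-zero`, the `kibana.example.com` host and the sample entries are assumptions constructed for illustration, and the capture must include cookie headers.

```javascript
// Added example: scan a HAR capture for requests that lose or change the proxy cookie.
// COOKIE_NAME is an assumption; use the name shown in DevTools for your deployment.
const COOKIE_NAME = "pritunl-zero";

// Constructed sample in HAR 1.2 shape (only the fields used here).
const sampleHar = { log: { entries: [
  entry("https://kibana.example.com/", 200, "pritunl-zero=AAA", []),
  entry("https://kibana.example.com/app/search", 200, "pritunl-zero=AAA", ["pritunl-zero=BBB; Path=/"]),
  entry("https://kibana.example.com/api/status", 401, "pritunl-zero=BBB", ["pritunl-zero=; Max-Age=0"]),
  entry("https://kibana.example.com/app/home", 302, "", []),
]}};

function entry(url, status, cookie, setCookies) {
  const reqHeaders = cookie ? [{ name: "Cookie", value: cookie }] : [];
  return {
    request: { url, headers: reqHeaders },
    response: { status, headers: setCookies.map(v => ({ name: "Set-Cookie", value: v })) },
  };
}

function headerValues(headers, name) {
  return headers.filter(h => h.name.toLowerCase() === name).map(h => h.value);
}

function cookieValue(cookieHeader, name) {
  for (const part of cookieHeader.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

function auditProxyCookie(har, name = COOKIE_NAME) {
  const findings = [];
  let seen = null; // last value of the cookie that the browser sent
  har.log.entries.forEach((e, i) => {
    const sent = cookieValue(headerValues(e.request.headers, "cookie").join("; "), name);
    if (sent === null && seen !== null) findings.push({ i, url: e.request.url, issue: "cookie-missing" });
    else if (sent !== null && seen !== null && sent !== seen) findings.push({ i, url: e.request.url, issue: "cookie-changed" });
    if (sent !== null) seen = sent;
    for (const sc of headerValues(e.response.headers, "set-cookie")) {
      const first = sc.split(";")[0];
      if (first.split("=")[0].trim() !== name) continue;
      const cleared = first.split("=").slice(1).join("=") === "" || /max-age=0/i.test(sc);
      findings.push({ i, url: e.request.url, issue: cleared ? "set-cookie-cleared" : "set-cookie-replaced", status: e.response.status });
    }
  });
  return findings;
}
```

A `set-cookie-replaced` finding is not proof of a fault by itself, since the proxy may legitimately refresh its own cookie; it marks the request to inspect when the next request shows `cookie-changed` or `cookie-missing`.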