Opengate Error Check
Because Opengate interacts with many other programs, its behavior can be difficult to follow. This memo is intended to assist debugging.
When an error occurs, check each related program on its own. The ipfw configuration in particular is difficult and affects many parts of the system. Start debugging with ipfw fully open, then close it little by little.
Opengate uses the following files; the directories shown are the defaults. Check that these files are installed correctly.
/usr/local/www/cgi-bin/opengate/opengatesrv.cgi
/usr/local/www/data/index.html.*
/usr/local/www/data/opengate/Opengate.class
/usr/local/www/data/opengate/OpengateClient.class
/usr/local/www/data/opengate/*/index.html
/usr/local/www/data/opengate/*/index-ssl.html
/usr/local/www/data/opengate/*/accept.html
/usr/local/www/data/opengate/*/accept2.html
/usr/local/www/data/opengate/*/deny.html
/etc/opengatesrv.conf
/etc/opengatefw.pl
/var/log/opengate.log
Opengate also creates a lock file [/tmp/opengate.lock] at execution.
It can be removed.
To understand the basic flow of the system, please read the description of the system flow.
The following is a checklist for debugging.
- Japanese characters in the HTML and Java files cannot be understood.
  - Sample HTML files in English are saved in a subdirectory. The Java messages are described in the program comments.
- The compiler reports missing libraries or headers.
  - Opengate after Ver.0.56 can be compiled on FreeBSD Ver.4.1.
- Web access cannot be redirected to the gateway machine.
  - At this point, opengatesrv.cgi is not yet loaded.
  - Try to access the Opengate URL directly. If no response is returned, check the Apache settings and the HTML document directory. Check the Apache access log and the Apache error log.
  - Check the default Apache document directory. It may differ from the one in this document.
  - Check the ipfw settings. The rule number of the forward command must be larger than the Opengate rule numbers.
  - If the error occurs only when accessing a sub page (not the top page), the [PageNotFound] setting in the Apache httpd.conf may not be correct.
  - In Microsoft Internet Explorer 5 or later, redirection to the page set at [PageNotFound] cannot be done when the size of the page is less than 512 bytes. Try increasing the size of the top page file to more than 512 bytes by adding space characters. Reference: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q218155.
  - Does the web access pass through the gateway? Only packets passing through the gateway are redirected.
  - Try to access by IP address. If the domain name is not recognized, check the DNS settings.
  - The top page cannot be set up under SSL.
- Cannot jump to the authentication page.
  - Many ADDRESS descriptions in the HTML files must be changed to match your site.
  - Try jumping manually. If that succeeds, check the jump description in the HTML.
  - Try a non-SSL setting. If that succeeds, check the SSL configuration.
  - The URL in the authentication page must be written as a full/absolute path.
- No reply, or an error reply, when posting the user ID and password.
  - At this point, [opengatesrv.cgi] is loaded.
  - The authentication page cannot be the top page. Set up a top page from which the authentication page is reached.
  - Check the processes with [ps ax]. If [opengatesrv.cgi] is not loaded, check the CGI directory and the URL description in the HTML file. Check that CGI is enabled in Apache and that the CGI directory is set correctly.
  - If [opengatesrv.cgi] is loaded, check [/var/log/opengate.log]. Set [#define DEBUG 1] in [opengatesrv.h] for debug output to syslog.
  - Check the firewall rule for the accessing terminal by entering [ipfw list]. The ipfw command requires root permission. Check that [opengatesrv.cgi] has root permission.
  - Check [opengatesrv.h] and [Makefile]. Do the settings match the locations of the files?
  - Check the applet insertion mark in [accept.html]. Does it match the [#define] in [opengatesrv.h]?
  - Check the web browser settings. Is Java enabled?
  - Check with other web browsers or other operating systems. The error may be caused by a browser bug.
  - Check the directory of the Java Applet. Is it recognized by the web server? Does the Java Applet run normally?
  - Change the host description in [opengatesrv.conf] from a domain name to an IP address. If that succeeds, the error may be in name resolution.
- Access is rejected even though I send the correct password.
  - Check [/var/log/opengate.log].
  - Check [opengatesrv.conf]. Is the setting correct? The file must end with a newline (Return key).
  - Try to access the authentication server from the gateway console. Does the server reply normally?
  - Opengate assumes that the welcome message of the authentication server (POP/FTP) is only one line. If the server puts out multiple lines, change the server setting or the routine in opengatesrv.
  - If the client is already opened, a request from the same client is rejected. Check the firewall state by accessing an outside site. When the Java Applet malfunctions, the server-side program waits for the Java Applet connection and closes the firewall after a fixed duration.
- The accept page is displayed and the network is opened, but the network is closed after a while.
  - If the user ID is not shown in the yellow frame laid out in the page, loading of the Java Applet may have failed. Check the Java-related settings. The standard installations of Netscape6 and InternetExplorer6 do not include a JavaVM. When a Java page is accessed, download of a JavaVM is requested. Please follow the messages. If it does not work, try another browser or another version. Some versions of some browsers cannot run the Java Applet well. It might work after installing SunJava2.
  - If the user ID is shown, check the message displayed by the Java Applet. The cause might be one of the following:
    (1) No connection request comes from the Java Applet.
    (2) No reply to the hello message comes from the Java Applet.
    (3) No packet from/to the terminal has passed through the gateway for a while.
    (4) The Java Applet was terminated by an unknown cause.
    (5) The server process was terminated by an unknown cause.
  - When there is no connection from the Java Applet, the network is closed in the following cases:
    (1) The duration entered in the auth page has passed.
    (2) No packet from/to the terminal has passed through the gateway for a while.
    (3) The arp command replies with a different MAC address.
    (4) The TERMINATE link in the accept page is clicked.
  - Check the notes above relating to Java. Check the network state with [netstat] or other tools. Check the message displayed in the web browser.
  - If an address translation system such as NAT or a proxy is inserted between the terminal and the gateway, Opengate cannot work normally.
  - Check [/var/log/opengate.log].
- The accept page may not be normal.
  - In the normal state, 2 pages are displayed. In the first page, the Java Applet lays out a yellow frame and shows the user ID. In the second page, some links and cautions are displayed.
  - If the yellow frame is not shown, the Java Applet might not be working normally. Check the items above.
  - The second page is started by JavaScript. If it malfunctions, check the JavaScript settings. The second page exists only for convenience and is not needed for network control. If window.open is denied only by Internet Explorer, the browser settings might be corrupted. Refer to http://support.microsoft.com/support/kb/articles/q180/1/76.asp. This also occurs in IE6.
- The network is opened without authentication.
  - Check the application on the client (terminal) machine. Is the web browser really terminated? For example, in MacOS an application can stay resident in a hidden state. In some operating systems, the application stays resident forever. In this case, the Java Applet needs to be modified, for example by adding a close button.
  - When the network is cut off or the terminal system is suddenly terminated, the TCP close signal cannot be sent to the gateway. Detection is therefore delayed until the next message exchange.
  - When removal of an ipfw rule fails for an unknown cause, a permanently open state occurs. In such a case, remove the rule manually or reboot the system.
- The accept page is displayed, but the network is closed.
  - Check the ipfw rules with the command [ipfw list]. Is the rule sequence correct?
  - Check [/var/log/opengate.log].
  - If the redirect page does not include the [NoCache] setting, the cached page is loaded in response to a later access. For example, if a yahoo access is redirected to the Opengate page, another yahoo access loads the cached Opengate page, even if the network is opened.
- I sent the correct password, but was denied.
  - Check the authentication server by sending a request from the console.
  - Check the descriptions in opengatesrv.conf, radius.conf and pam.conf.
  - Check [/var/log/opengate.log].
- The displayed page is not in my desired language.
  - Check index.html, its directory and the Makefile. The language IDs in these must be the same. The ID is case sensitive and two bytes long.
  - If you want to add a new language, add a new directory and files. Then add its ID to the Makefile.
- Network troubles increased after the installation of this software.
  - Please use a later version. Do not use versions before Ver.0.54, which include a serious bug.
- Sometimes the response time for an authentication request is very long (60 sec or more).
  - Please find the part that is taking a long time. We experienced the following case: the "HostnameLookups" setting in httpd.conf was "On", and the DNS servers did not have sufficient information about the clients, so a very long time was wasted in name lookups. The trouble was resolved by setting the above switch to "Off".
- Everything is checked. I do not know what to do.
  - Set [#define DEBUG 1] in [opengatesrv.h]. Program tracing is written to syslog.
  - Insert [err_msg()] at suitable places in the program to get debug output. The function writes a message to syslog. Sample usage exists in the program. The format is the same as [printf()].
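
Two items in the checklist above can be verified mechanically: the forward rule must be numbered above the Opengate rules, and opengatesrv.conf must end with a newline. The following is an added example, not part of the Opengate distribution. The rule range 10000-40000, the function names and the sample `ipfw list` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of Opengate). Assumption: the site's per-client
# Opengate rules use numbers MIN..MAX; the range used below is hypothetical.

# check_fwd_order MIN MAX: reads `ipfw list` output on stdin and verifies
# that every fwd rule is numbered above the Opengate range.
check_fwd_order() {
    awk -v min="$1" -v max="$2" '
        BEGIN { bad = 0; nfwd = 0; nclient = 0 }
        $1 !~ /^[0-9]+$/ { next }            # skip anything that is not a rule line
        { n = $1 + 0 }                       # "05000" -> 5000
        $2 == "fwd" || $2 == "forward" {
            nfwd++
            if (n <= max) {
                printf "BAD fwd rule %d is not above Opengate range %d-%d\n", n, min, max
                bad = 1
            }
            next
        }
        n >= min && n <= max { nclient++ }   # rules present for currently open clients
        END {
            if (nfwd == 0) { print "BAD no fwd rule found"; bad = 1 }
            printf "INFO %d rule(s) inside the Opengate range\n", nclient
            exit bad
        }'
}

# conf_ends_with_newline FILE: true when FILE is non-empty and its last
# byte is a newline, as the checklist requires for opengatesrv.conf.
conf_ends_with_newline() {
    # $(...) is left unquoted on purpose: BSD wc pads its output with spaces.
    [ -s "$1" ] && [ $(tail -c 1 "$1" | wc -l) -eq 1 ]
}

# Constructed samples of `ipfw list` output (addresses are made up).
sample_good() { cat <<'EOF'
00100 allow ip from any to any via lo0
10000 allow ip from 192.168.0.10 to any
10000 allow ip from any to 192.168.0.10
60000 fwd 127.0.0.1,80 tcp from 192.168.0.0/24 to any dst-port 80
65535 deny ip from any to any
EOF
}
sample_bad() { sample_good | sed 's/^60000 fwd/05000 fwd/'; }

sample_good | check_fwd_order 10000 40000 || echo "fix rule order"
sample_bad  | check_fwd_order 10000 40000 || echo "fix rule order"
```

On the gateway, pipe the real listing into the function as root, using the range your installation is configured with. An INFO count above zero while no user is logged in points to the leftover-rule case described under "The network is opened without authentication".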