
Advanced troubleshooting - Step 5: client-side log check and server-side SPA log check


Problem description

Client-side log check and server-side SPA log check

Solution

1. Collect the client logs; for the procedure see
http://tskb.sangfor.com/forum.php?mod=viewthread&tid=24891&is_note=1

2. The following log entry from the aTrust client's tunnel process shows that a triggered UDP knock was sent:
[2022-04-12 10:50:40.724][ 5976: 9288][ info][aTrustTunnel][sangfor::Tun2Socks::socks_target_vpn_number:2110]Send trigger udp knock package, domain=www.wyxtest143.com, ip=199.200.2.143, knock port(first one)=443
Search for the keyword "udp knock"; the same search also shows periodic UDP knocks and related entries. If no line contains the keyword, the client never initiated a UDP knock: try reinstalling the client, and if the problem persists contact R&D for further investigation.

3. Collect the SPA server-side logs
3.1 UDP SPA server log: run the following command in the webconsole to view it: tail -f /hislog/log/sdpspad/sdp-spad.log. Focus on entries containing "fail"; ask R&D to confirm the meaning of any specific entry.

Common SPA server-side error entries are the following:
# The client's clock differs from the server's clock by more than the UDP SPA knock tolerance window
2022-03-27 23:06:51.343 INFO handle SPA Packet version:4, client ip:10.70.241.106, port:33519 err: check timestamp for spa packet failed, local 1648393611, remote 1648391798, time verify window 300s |spaserver|url=, traceid=045b1b7cd3002000, ip=

# The security code used by the client does not exist on the server; a likely cause is that the administrator reset the security code
2022-03-27 23:13:09.026 INFO handle SPA Packet version:4, client ip:10.70.241.106, port:44431 err: can't find spa seed for seed key [128 142 235 244 254 98 181 238 252 109 37 51 200 168 127 121 220 123 25 30 100 109 75 19 119 229 153 99 194 37 55 220], err:not find spa seed |spaserver|url=, traceid=045b1b7cd3002000, ip=

# A client older than version 2.2.2 is in use while the server has one-code-per-user enabled
2022-03-27 23:20:27.644 INFO handle SPA Packet version:3, client ip:10.70.241.106, port:58896 err: can't find spa seed for seed key [], err:spaHash too small |spaserver|url=, traceid=045b1b7cd3002000, ip=

# The security code has expired
2022-03-28 00:28:59.076 INFO handle SPA Packet version:4, client ip:10.70.241.106, port:60492 err: spa seed expire, seedInfo &{[119 65 76 84 54 68 104 78 74 85 0 0 0 0 0 0] 1648396799 c920b200-c1fa-11eb-a722-f75c93bbf330 wjb local /group1} |spaserver|url=, traceid=045b2e56ef002000, ip=


3.2 Server-side TCP SPA logs:
Run the following commands in the webconsole to view them.
SPA log for the portal and web applications: tail -f /hislog/log/nginx/sdp-proxy/error.log
SPA log for tunnel applications: tail -f /hislog/log/nginx/sdp-tunnel/error.log
SPA log for console access: tail -f /hislog/log/nginx/sdp-nginx/error.log
Common error entries are the following:

# The SSL Client Hello does not carry the SPA extension; likely causes: the client has not entered a security code, the user opened the login page directly in a browser, etc.
2022/03/25 16:41:01 [warn] 3841#0: *211270 [lua] init.lua:149: ssl_certificate(): verify SPA in unique mode failed: no spa extension in SSL, connection will be closed, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443


# The SSL Client Hello carries the SPA extension, but the extension contains no SPA hash; a likely cause is an old client version
2022/03/25 16:41:01 [warn] 3841#0: *211270 [lua] init.lua:149: ssl_certificate(): verify SPA in unique mode failed: carried no spa hash in SSL, connection will be closed, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443


# The security code used by the client does not exist on the server; a likely cause is that the administrator reset the security code
2022/03/26 14:31:43 [warn] 4526#0: *3435441 [lua] init.lua:172: ssl_certificate(): verify SPA in unique mode failed: found no spa key: 50b31ceb005a04e2f912ad64874a7b83126034100236fdf6b6b401ac2a72044b, connection will be closed, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443

# The seed has expired
2022/03/25 15:30:59 [warn] 3842#0: *47611 [lua] init.lua:186: ssl_certificate(): verify SPA in unique mode failed: spa seed expired, connection will be closed, SPA hash: ca8e16c79bd6f9646161b7787d71d6ac2d5413103f8b752e7775af5450ece3e6, user: daf dfad, group: /, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443

# TOTP verification failed; likely causes: the client's clock differs from the server's clock, or the knock is forged
2022/03/25 15:30:59 [warn] 3842#0: *47611 [lua] init.lua:186: ssl_certificate(): verify SPA in unique mode failed: verify SPA failed: match none totp, connection will be closed, SPA hash: ca8e16c79bd6f9646161b7787d71d6ac2d5413103f8b752e7775af5450ece3e6, user: daf dfad, group: /, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443
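To make the two log formats above easier to triage, here is an added Python example (not part of this article and not Sangfor's aTrust tooling) that classifies the sample lines quoted in sections 3.1 and 3.2 by failure reason, pulls out the client IP, traceid, SPA hash and user where present, and for the timestamp failure computes the clock skew against the verify window. The category names and probable-cause strings are my own labels summarising the comments above; the final "client closed connection" line is constructed to show that unrelated entries are ignored.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the SPA failure lines quoted in this article
# (four from /hislog/log/sdpspad/sdp-spad.log, five from the nginx error logs)
# plus one constructed non-SPA nginx line that the classifier must skip.
SAMPLE_LINES = [
    "2022-03-27 23:06:51.343 INFO handle SPA Packet version:4, client ip:10.70.241.106, port:33519 err: check timestamp for spa packet failed, local 1648393611, remote 1648391798, time verify window 300s |spaserver|url=, traceid=045b1b7cd3002000, ip=",
    "2022-03-27 23:13:09.026 INFO handle SPA Packet version:4, client ip:10.70.241.106, port:44431 err: can't find spa seed for seed key [128 142 235 244 254 98 181 238 252 109 37 51 200 168 127 121 220 123 25 30 100 109 75 19 119 229 153 99 194 37 55 220], err:not find spa seed |spaserver|url=, traceid=045b1b7cd3002000, ip=",
    "2022-03-27 23:20:27.644 INFO handle SPA Packet version:3, client ip:10.70.241.106, port:58896 err: can't find spa seed for seed key [], err:spaHash too small |spaserver|url=, traceid=045b1b7cd3002000, ip=",
    "2022-03-28 00:28:59.076 INFO handle SPA Packet version:4, client ip:10.70.241.106, port:60492 err: spa seed expire, seedInfo &{[119 65 76 84 54 68 104 78 74 85 0 0 0 0 0 0] 1648396799 c920b200-c1fa-11eb-a722-f75c93bbf330 wjb local /group1} |spaserver|url=, traceid=045b2e56ef002000, ip=",
    "2022/03/25 16:41:01 [warn] 3841#0: *211270 [lua] init.lua:149: ssl_certificate(): verify SPA in unique mode failed: no spa extension in SSL, connection will be closed, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443",
    "2022/03/25 16:41:01 [warn] 3841#0: *211270 [lua] init.lua:149: ssl_certificate(): verify SPA in unique mode failed: carried no spa hash in SSL, connection will be closed, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443",
    "2022/03/26 14:31:43 [warn] 4526#0: *3435441 [lua] init.lua:172: ssl_certificate(): verify SPA in unique mode failed: found no spa key: 50b31ceb005a04e2f912ad64874a7b83126034100236fdf6b6b401ac2a72044b, connection will be closed, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443",
    "2022/03/25 15:30:59 [warn] 3842#0: *47611 [lua] init.lua:186: ssl_certificate(): verify SPA in unique mode failed: spa seed expired, connection will be closed, SPA hash: ca8e16c79bd6f9646161b7787d71d6ac2d5413103f8b752e7775af5450ece3e6, user: daf dfad, group: /, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443",
    "2022/03/25 15:30:59 [warn] 3842#0: *47611 [lua] init.lua:186: ssl_certificate(): verify SPA in unique mode failed: verify SPA failed: match none totp, connection will be closed, SPA hash: ca8e16c79bd6f9646161b7787d71d6ac2d5413103f8b752e7775af5450ece3e6, user: daf dfad, group: /, context: ssl_certificate_by_lua*, client: 172.22.73.26, server: 0.0.0.0:443",
    # constructed: an ordinary nginx notice, not an SPA rejection
    "2022/03/25 15:31:02 [notice] 3842#0: *47612 client closed connection while SSL handshaking, client: 172.22.73.26, server: 0.0.0.0:443",
]

# Ordered match rules: (substring identifying the failure, category label, probable
# cause as given in this article). "spaHash too small" is tested before the generic
# seed-not-found rule; "spa seed expire" covers both the UDP ("expire") and the
# TCP ("expired") wording. Category and cause strings are my own labels.
RULES = [
    ("check timestamp for spa packet failed", "udp_timestamp_skew",
     "client clock differs from server clock by more than the verify window"),
    ("spaHash too small", "udp_old_client_one_code_per_user",
     "client older than 2.2.2 while one-code-per-user is enabled on the server"),
    ("not find spa seed", "udp_seed_not_found",
     "security code unknown to the server (e.g. reset by the administrator)"),
    ("spa seed expire", "seed_expired",
     "security code / seed has expired"),
    ("no spa extension in SSL", "tcp_no_spa_extension",
     "no security code entered, or login page opened directly in a browser"),
    ("carried no spa hash in SSL", "tcp_no_spa_hash",
     "old client: SPA extension present but without a hash"),
    ("found no spa key", "tcp_key_not_found",
     "security code unknown to the server (e.g. reset by the administrator)"),
    ("match none totp", "tcp_totp_mismatch",
     "client/server clock mismatch, or a forged knock"),
]


@dataclass
class SpaFailure:
    source: str                          # "udp-spad" (sdp-spad.log) or "tcp-nginx" (error.log)
    category: str
    probable_cause: str
    client_ip: Optional[str] = None
    traceid: Optional[str] = None        # UDP log only
    spa_hash: Optional[str] = None       # TCP log only
    user: Optional[str] = None           # TCP log only, when the hash resolved to a user
    skew_seconds: Optional[int] = None   # local - remote, timestamp failure only
    window_seconds: Optional[int] = None


def classify_line(line: str) -> Optional[SpaFailure]:
    """Return a SpaFailure for a recognised SPA rejection, or None for any other line."""
    for needle, category, cause in RULES:
        if needle in line:
            break
    else:
        return None
    # sdp-spad timestamps use "YYYY-MM-DD", nginx uses "YYYY/MM/DD"
    source = "udp-spad" if re.match(r"\d{4}-\d{2}-\d{2} ", line) else "tcp-nginx"
    ev = SpaFailure(source=source, category=category, probable_cause=cause)
    if source == "udp-spad":
        m = re.search(r"client ip:(\S+), port:\d+", line)
        ev.client_ip = m.group(1) if m else None
        m = re.search(r"traceid=(\w+)", line)
        ev.traceid = m.group(1) if m else None
        m = re.search(r"local (\d+), remote (\d+), time verify window (\d+)s", line)
        if m:  # how far outside the window the client clock was
            ev.skew_seconds = int(m.group(1)) - int(m.group(2))
            ev.window_seconds = int(m.group(3))
    else:
        m = re.search(r"client: (\S+), server:", line)
        ev.client_ip = m.group(1) if m else None
        m = re.search(r"(?:SPA hash|found no spa key): ([0-9a-f]+)", line)
        ev.spa_hash = m.group(1) if m else None
        m = re.search(r"user: (.*?), group: \S+,", line)
        ev.user = m.group(1) if m else None
    return ev


def summarize(lines) -> dict:
    """Count recognised SPA failures per category; a burst of one category from a
    single client IP is the thing to look for when triaging."""
    counts: dict = {}
    for line in lines:
        ev = classify_line(line)
        if ev is not None:
            counts[ev.category] = counts.get(ev.category, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = classify_line(line)
        if ev is not None:
            print(f"{ev.source:9} {ev.category:34} client={ev.client_ip} "
                  f"skew={ev.skew_seconds}/{ev.window_seconds} user={ev.user}: {ev.probable_cause}")
    print(summarize(SAMPLE_LINES))
```

Pipe a live log into it (for example the output of the tail commands above, one line per record) instead of SAMPLE_LINES; the only assumptions are the substrings shown in the article's sample entries, so any new message wording added in later versions would need a new rule.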


3.3 When UDP SPA or TCP SPA verification fails, an audit log entry is recorded in addition to the system log entry:




Scope of impact

Document number: 214999
Author: admin
Updated: 2023-01-05 17:29
Applicable versions: