Dual-WAN Absa bank issue

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,375
Hi

I'm currently sitting with an interesting issue. I have a corporate client using a BiGuard 30 Lite Dual-WAN router with two desktop modems.

When anyone on the LAN attempts to log in to the ABSA bank accounts over the internet, they get kicked out of the web page. Meaning they enter their details and security PIN etc., etc., but as soon as they hit OK they get kicked out.

Other bank sites work perfectly. Any ideas?
 

rurapente

Expert Member
Joined
Jan 4, 2009
Messages
2,521
MadMailMan probably has the answer.

You're load balancing the connection, or sending it out of two different source addresses to ABSA. Problem is the SSL connection is negotiated using the server IP you connect to and your IP. If your IP changes, or you connect to another server in their cluster (by initiating a request from another IP) the SSL session is broken.

It's either that, or, for security purposes they don't allow your IP to change in-session. Some banks used to do that and stopped it, maybe ABSA allow it. So if you're load-balancing your client's IP "changes" in session and hence you are logged out. Another bank I know did this for a long time but ran into troubles with clients when their lines would drop and re-connect.

[EDIT] I noticed though you say it's as soon as they click OK to log in they're kicked out. So it's possibly less likely that their initial IP is logged, and then found to change since they didn't do anything after that. Unless ABSA logs it on login and before they display your accounts your browser is doing another post-back and the IP changes. However given this I'm more inclined to think it's an SSL issue 'cause you're coming from 2 source IPs and probably hitting two different destination web-servers.

I don't know the config on that device, but you need to make it either persistent for any SSL connection (port 443) to one outbound interface or if you can specify target addresses, make sure ABSA's banking URLs are always hit from one modem, not load-balanced between them.
 

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,375
Hi Guys

@MailMan - I was load balancing the 2 connections but now it's in single mode.

Going to hit it with a firmware update tomorrow. I was looking at the firmware release notes and there were a truck load of bug fixes and improvements. Hmm, going to rethink the SSL issue like you said Rurapente.

Thanks for the input guys, will let you know.
 

rurapente

Expert Member
Joined
Jan 4, 2009
Messages
2,521
Pleasure.

Load-balancing is fine, but check if the router can do it with persistence. So if a particular user opens a connection, and the router uses Modem A, until they close it, they use Modem A. The next user to open will use Modem B, but will stick to Modem B for his entire session to that web-server and so on. Rather than juggling every request.
 

iBurst

iBurst representative
Company Rep
Joined
Jan 12, 2005
Messages
1,440
Protocol binding needs to be set in the dual WAN section.


Create a rule for port 443 and bind it to WAN 1.


You cannot load balance a secure port connection like HTTPS.

That will sort out your issue.
 

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,375
Thanks for the info Shaun. This is the BiGuard 30 Lite iBurst supplied. I'm currently attempting to set that rule up. Will let you guys know.
 

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,375
Bakgat. It was an SSL issue on Load-Balance of the 2 WANs. Created a dedicated rule on WAN1 for HTTPS (443) and it worked.

Thanks again for the advice guys.
 
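The router behaviours discussed in this thread, as an added simulation that is not part of any post: it compares per-request load balancing, per-session persistence, and binding port 443 to WAN 1 against a hypothetical server that ties a session to the source IP seen at login. The addresses, host name and all class and function names are constructed for illustration; how ABSA's servers actually behave is not established in the thread.

```python
import itertools

# Constructed documentation-range addresses standing in for the two modems' public IPs.
WAN1, WAN2 = "198.51.100.10", "203.0.113.20"

class BankServer:
    """Hypothetical server that ties a login session to the source IP it first saw."""
    def __init__(self):
        self.sessions = {}  # session id -> source IP recorded at login

    def login(self, sid, src_ip):
        self.sessions[sid] = src_ip

    def request(self, sid, src_ip):
        if self.sessions.get(sid) != src_ip:
            self.sessions.pop(sid, None)  # source IP changed: session is invalidated
            return "kicked out"
        return "ok"

def round_robin():
    """Per-request balancing: alternate WANs with no regard for the flow."""
    wans = itertools.cycle([WAN1, WAN2])
    return lambda client, dst, port: next(wans)

def persistent():
    """Sticky balancing: the first WAN picked for (client, destination) is reused."""
    wans, table = itertools.cycle([WAN1, WAN2]), {}
    def pick(client, dst, port):
        if (client, dst) not in table:
            table[(client, dst)] = next(wans)
        return table[(client, dst)]
    return pick

def port_binding(bound_port=443, bound_wan=WAN1):
    """Protocol binding: the bound port always leaves via one WAN, the rest is balanced."""
    rest = round_robin()
    return lambda c, d, port: bound_wan if port == bound_port else rest(c, d, port)

def browse(policy, requests=4):
    """Log in over HTTPS, then send follow-up requests through the router policy."""
    server, client, dst = BankServer(), "192.168.1.50", "bank.example"
    server.login("s1", policy(client, dst, 443))
    return [server.request("s1", policy(client, dst, 443)) for _ in range(requests)]

if __name__ == "__main__":
    for name, policy in [("round-robin", round_robin()), ("persistent", persistent()),
                         ("443 bound to WAN1", port_binding())]:
        print(f"{name:18} {browse(policy)}")
```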

OoMk0o5i3

Well-Known Member
Joined
Nov 11, 2006
Messages
294
Rapidshare is another site that uses your IP for identification. Also some older versions of GroupWise WebAccess do not work with load balancing...
 