
STAS user disconnect after 2 minutes

I have a Windows AD domain with 1 domain controller.

I have an AD user that logs in, appears in STAS and has WAN access. Within 2 minutes that user is disconnected and drops out of Show Live Users.

The XG230 shows a successful log-out of that user even when they haven't logged out.

The user then gets presented with the Captive Portal.

All tests to the client from the STAS are successful: WMI polling, pinging, etc. (the firewall is off on the clients).

All tests between the Sophos Agent and Collector are successful (they are on the same domain controller).

All tests between the Collector and the XG230 are successful.

Has anyone else experienced this?

 



This thread was automatically locked due to age.
  • Hi

    Can you check whether you enabled User Inactivity in "Sophos Transparent Authentication Suite Setting"?

    Are there "Terminal Servers" that are not specified in IP Exception in Sophos STAS Suite?

    When you see the log-out of that user in "Current Activities" under "Monitor & Analyze", what do you see in "Show Live Users" in STAS Suite?

    Can you check UDP 6060 on the DC where STAS is installed?

    Is the STAS service account a member of "Domain Admins" or a member of a group that can run "remote WMI request"?

  • Thank you, GabrieleD...

    In STAS 'Enable Log Off Detection' is enabled. I have tried with 'WMI Polling' and 'Ping'. Dead entry timeout was disabled (set to 0) and is now set to 10 hours.

    I have 1 Terminal Server and its IP address is set as an Exclusion in STAS.

    When the XG log shows the user as logged-out the user also disappears from STAS "Show Live Users".

    A tcpdump 'port 6060' command on the XG shows traffic IN & OUT between the XG and the DC.

    Many thanks again for your help.

  • Apologies...

    The STAS service account is a member of the domain admins group and can run WMI requests.

    When I run WMI commands (below) from the DC it reports back the correct user name that is logged into the client.

    C:\WINDOWS>wmic
    wmic:root\cli>/user: DOMAIN\administrator
    Enter the password :********

    wmic:root\cli>/node: 192.168.1.10
    wmic:root\cli>computersystem get username /value

    UserName=DOMAIN\testuser
    wmic:root\cli
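
The wmic check above shows one answer at one moment. As an added example (not part of the original thread), the PowerShell loop below repeats the same Win32_ComputerSystem query together with a ping and logs every change, so the timestamps can be compared with the XG Log Viewer's log-out entries. The client address is the one from the wmic session; the polling interval and log path are assumptions.

```powershell
# Added example: poll a client over DCOM WMI and ICMP and log each change of state.
# 192.168.1.10 is the client from the wmic session above; interval and log path are assumed.
param(
    [string]$Client      = '192.168.1.10',
    [int]   $IntervalSec = 10,
    [string]$LogPath     = "$env:TEMP\stas-probe.log"
)

# wmic talks DCOM, so force DCOM here too (Get-CimInstance defaults to WinRM).
$option  = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Client -SessionOption $option -Credential (Get-Credential)

$last = $null
try {
    while ($true) {
        # Same two signals the thread tests by hand: ping and the WMI user name.
        $ping = Test-Connection -ComputerName $Client -Count 1 -Quiet
        try {
            $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
            # UserName holds the console user only; it is empty for RDP-only sessions.
            $user = if ($cs.UserName) { $cs.UserName } else { '<none>' }
        } catch {
            $user = "<wmi error: $($_.Exception.Message)>"
        }

        # Write a line only when something changed, so the log stays short.
        $state = "ping=$ping user=$user"
        if ($state -ne $last) {
            $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}  {2}' -f (Get-Date), $Client, $state
            Add-Content -Path $LogPath -Value $line
            Write-Host $line
            $last = $state
        }
        Start-Sleep -Seconds $IntervalSec
    }
} finally {
    Remove-CimSession -CimSession $session
}
```

Run it from the DC under an account that can make remote WMI requests, and stop it with Ctrl+C once a disconnect has been captured.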

     

  • The same IP address of the Terminal Server must be present in the Logon and Logoff IP Address / network mask exclusion lists...

  • Thanks GabrieleD...

    I added the IP address of the Terminal Server to the Log Off exclusion list but the disconnect problem continues.

    Is there anything I could check on the switches?

    Many thanks again

  • That's a great spot, Gabriele...

    The XG is not sync'd to an NTP (which I will do now) but it and the DC are less than a minute out.

    So, no Kerberos errors.

  • Mathew, when you see logged users, can you check if:

    1. The users appear in STAS (Advanced -> Show Live Users)

    2. Same users are present in Firewall (Monitor/Analyze -> Current Activities -> Live Users)

    When users disappear can you check 1. and 2. above?

    Can you check settings in your Firewall: Authentication -> Servers (Display Name Attribute [my case = name] and Email Address Attribute [my case = mail]); trivial question: is Test AD Connection OK?

     

    Can you uninstall STAS Suite, then reboot the DC and then install STAS Suite specifying the same service user account as the "first installation"?

  • Thanks again Gabriele,

    1. The users sometimes appear in Show Live Users and then disappear as they get disconnected.

    Sometimes they do not appear in Show Live Users at all.

    Sometimes they appear in STAS logs but not in Show Live Users.

    It is completely random!

     

    2. If the user appears in Show Live Users then they also appear in Current Activities -> Live Users on the XG

    When they get disconnected they disappear from 'Show Live Users' and 'Current Activities > Live Users' and the XG Log Viewer shows that they have 'Logged off Successfully'.

     

    3. The Display Name Attribute and  Email Address Attribute are the same as yours and Test Connection to the DC is successful.

  • I have uninstalled and reinstalled STAS with the same domain admin account. The problem persists.

    In fact, as I write this reply to you, I was disconnected (and presented with the Captive Portal) for no reason that I can see!