Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 29 subscribers
  • Views 30145 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

STAS user disconnect after 2 minutes

Tam Ben-Jusu

I have a Windows AD domain with 1 domain controller.

I have an AD user that logs in, appears in STAS and has WAN access. Within 2 minutes that user is disconnected and drops out of Show Live Users.

The XG230 shows a successful log-out of that user even when they haven't log out.

The user then gets presented with the Captive Portal.

All tests to the client from the STAS are successful, WMI polling, pinging, etc (The firewall is off on the clients).

All tests between the Sophos Agent and Collector are successful (they are on the same domain controller)

All test between the Collector and the XG230 are successful.

Has anyone else experienced this?

 



This thread was automatically locked due to age.
Parents
  • 0

    Hi

    Can you check if you Enabled User Inactivity in "Sophos Transparent Authentication Suite Setting" ?

    There are "Terminal Servers" that are not specified into IP Exception in Sophos STAS Suite?

    When you see log-out of that users on "Current Activities" from "Monitor & Analyze" what you see in "Show Live Users" in STAS Suite?

    Can you check UDP 6060 on DC where STAS is Installed?

    STAS service account is member of "Domani Admins" or member of group that can run "remote WMI request"?

  • 0 in reply to GabrieleD

    Apologies...

    The STAS service account is a member of the domain admins group and can run WMI requests.

    When I run WMI commands (below) from the DC it reports back the correct user name that is logged into the client.

    C:\WINDOWS>wmic
    wmic:root\cli>/user: DOMAIN\administrator
    Enter the password :********

    wmic:root\cli>/node: 192.168.1.10
    wmic:root\cli>computersystem get username /value

    UserName=DOMAIN\testuser
    wmic:root\cli

     

  • 0 in reply to Tam Ben-Jusu

    Same IP address of Terminal Server must be present in: Logon and Logoff IP Address / network mask  exclusion Lists...

  • 0 in reply to GabrieleD

    Thanks GabrieleD...

    I added the IP address of the Terminal Server to the Log Off exclusion list but the disconnect problem continues.

    Is there anything I could check on the switches?

    Many thanks again

  • 0 in reply to GabrieleD

    That's a great spot, Gabriele...

    The XG is not sync'd to a NTP (which I will do now) but it and the DC are less than a minute out. 

    So, no kerberos errors.

  • 0 in reply to Tam Ben-Jusu

    Mathew, when you see logged users, can you check if:

    1. The users appear in STAS ( Advanced -> Show Live Users)

    2. Same users are present in Firewall (Monitor/Analyze -> Current Activities -> Live USers)

    When users disappear can you chek 1. and 2. above?

    Can you check settings in your Firewall: Authentication -> Servers  (Display Name Attribute [my case = name] and Email Address Attribute [my case = mail] ); trivial question: is Test AD Connection  OK?

     

    Can you uninstall STAS Suite, then reboot DC and than Install STAS Suite specifying  same service user account of "first installation".

  • 0 in reply to GabrieleD

    Thanks again Gabriele,

    1. The users sometimes appear in Show Live Users and then disappear as they get disconnected.

    Sometimes they do not appear in Show Live Users at all.

    Sometimes they appear in STAS logs but not in Show Live Users.

    It is completely random!

     

    2. If the user appears in Show Live Users then they also appear in Current Activities -> Live Users on the XG

    When they get disconnected they disappear from 'Show Live Users' and 'Current Activities > Live Users' and the XG Log Viewer shows that they have 'Logged off Successfully'.

     

    3. The Display Name Attribute and  Email Address Attribute are the same as yours and Test Connection to the DC is successful.

  • 0 in reply to GabrieleD

    I have uninstalled and reinstalled STAS with the same domain admin account. The problem persists.

    In fact, as I write this reply to you, I was disconnected (and presented with the Captive Portal) for no reason that I can see!

Reply Children
  • 0 in reply to Tam Ben-Jusu

    Very strange!

    Have you rebooted DC?

    Workstation Polling Method is WMI?

    If "Enable Logoff Detection" is checked -> Can you change "default logoff detection interval" in STAS from 600 seconds to 1800 sec; dead entry timeout to 0.

  • 0 in reply to GabrieleD

    I have tried both WMI Polling and  Registry Read method for log off detection.

    Problem persists. I had a user logged in and authenticated with STAS. I left the client pinging an external IP address and within a few minutes the user was logged out.

    The username disappeared from STAS and was listed on the XG as a 'successful log out'.

    I will change log off detection interval and dead entry time out.

  • 0 in reply to Tam Ben-Jusu

    Open a support ticket.... I finished all my cartridges!

  • 0 in reply to GabrieleD

    hahahahaha... many thanks Gabriele.. you've had great suggestions..

    I opened a ticket weeks ago, had 1 phone call and now nothing... 

    I have found SO many complaints about this on the message boards.

    Some say it is to do with Remote Desktop sessions appearing to the XG as local logon sessions.. some say it is services running with administrator privileges (so that the XG thinks the user has logged off and an administrator has logged on) and some say that WMI Polling doesn't work...

    To my favourite which just says - 'STAS logoff detection simply doesn´t work'

    Many thanks again for all of your help.

  • 0 in reply to Tam Ben-Jusu

    This issue also affects myself and my customers. Logging this and several other issues and Sophos just say its a configuration issue and we need to pay for their Professional Services