
STAS dropping users?

Hi all

We are using STAS for authentication.

We have had to disable "match known users" from all fw rules, since XG apparently randomly drops usernames.

The log below shows that user test@domain.net is logged on and everything is well, until 09.41 when suddenly no username appears and fw rules would then deny access.

 

| Time | Log comp | Action | User name | Firewall rule | In interface | Out interface | Src IP | Dst IP | Src port | Dst port | Protocol | Rule type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 22-04-2020 09:46 | Firewall Rule | Allowed | | 34 | Port4 | Port1 | 10.81.235.117 | 10.81.234.120 | 55865 | 445 | TCP | 1 |
| 22-04-2020 09:45 | Firewall Rule | Allowed | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:44 | Firewall Rule | Denied | | 6 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 55867 | 445 | TCP | 1 |
| 22-04-2020 09:41 | Firewall Rule | Allowed | | 41 | Port4 | Port1 | 10.81.235.117 | 10.81.234.123 | 53181 | 445 | TCP | 1 |
| 22-04-2020 09:40 | Firewall Rule | Allowed | test@domain.net | 40 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 51598 | 445 | TCP | 2 |
| 22-04-2020 09:40 | Firewall Rule | Allowed | test@domain.net | 34 | Port4 | Port1 | 10.81.235.117 | 10.81.234.120 | 51597 | 445 | TCP | 1 |
| 22-04-2020 09:34 | Firewall Rule | Allowed | test@domain.net | 40 | Port4 | Port1 | 10.81.235.117 | 10.81.234.104 | 51578 | 445 | TCP | 2 |
| 22-04-2020 09:34 | Firewall Rule | Allowed | test@domain.net | 34 | Port4 | Port1 | 10.81.235.117 | 10.81.234.120 | 51577 | 445 | TCP | 1 |

 

We see this for all users. No patterns. Not simultaneously. Sometimes STAS has to be disabled/re-enabled on XG to get users authenticated.

 

Anyone know what we may have misconfigured?

 

Thanks 



  • With problems like this I always start with the STAS logs, as it's likely the log-off event and message are being generated there (rather than the XG deciding to do that). In there you should see the reason, if the user is being logged off and why, then take it from there.

     

    Regards

  • Thanks

    Not sure what to look for. Found this


    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: User: test
    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: Domain: domain.net
    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: WrkstName: -
    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: WrkstIP: 10.45.206.201
    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: CreateTime: 1587551518
    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: LogonType: 3
    DEBUG [0x1df4] 22-04-2020 12:31:59 : Adding user info to db and Sophos
    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_filter_by_username
    DEBUG [0x1df4] 22-04-2020 12:31:59 : userdb_handle_duplicate_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='10.45.206.201';
    DEBUG [0x1df4] 22-04-2020 12:31:59 : userdb_handle_duplicate_userinfo: User 'domain.net\test' found on '10.45.206.201'
    DEBUG [0x1df4] 22-04-2020 12:31:59 : userdb_handle_duplicate_userinfo: userinfo matched
    DEBUG [0x1df4] 22-04-2020 12:31:59 : userdb_insert_userinfo: matching userinfo found
    DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_add_userinfo_dcaclient: DCA Client IO succeded
    DEBUG [0x1df4] 22-04-2020 12:31:59 : threadpool_finishnotify: Thread ID: 0x1df4
    DEBUG [0x1df4] 22-04-2020 12:31:59 : threadpool_finishnotify: Reset Event
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : threadpool_run: Submitting Function 0x40a830
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : threadpool_run: adding function at tail
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : list_add_tail: first element added
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : threadpool_run: get free thread: ThreadID: 0x83c
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : dca_enqueue_userinfo: callback submitted
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : process_event: userinfo enqueued to dca processor
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : threadpool_run: Submitting Function 0x40a830
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : threadpool_run: adding function at tail
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : threadpool_run: get free thread: ThreadID: 0x1df4
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : dca_enqueue_userinfo: callback submitted
    DEBUG [0x1aa0] 22-04-2020 12:32:01 : process_event: userinfo enqueued to dca processor

     

    And then a couple of minutes later:

     

     

    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_select_expired_userinfo: --- SELECTED USER INFO FOR LOGOFF DETECTION ---
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: RowID: 109254
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: User: test
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: Domain: domain.net
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: Group: NULL
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: SourceDC: NULL
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: WrkstName: -
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: WrkstIP: 10.45.206.201
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: CreateTime: 1587551483
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: ExpireTime: 0
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: LogonType: 0x3
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: UserSidType: 0x0
    DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_select_expired_userinfo: -----------------------------------------------
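
A small parser for the STAS debug lines posted above, added here as an illustration (it is not Sophos code and not from the thread's participants): it groups the per-field lines into records by thread ID and reports, per workstation IP, how long after the last logon event an entry was selected for logoff detection. The record-type labels and the shortened sample text are assumptions drawn from the excerpt.

```python
import re
from datetime import datetime

# Constructed sample: a shortened copy of the debug lines posted in the thread.
SAMPLE = """\
DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: User: test
DEBUG [0x1df4] 22-04-2020 12:31:59 : dca_log_userinfo: WrkstIP: 10.45.206.201
DEBUG [0x1aa0] 22-04-2020 12:32:01 : process_event: userinfo enqueued to dca processor
DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_select_expired_userinfo: --- SELECTED USER INFO FOR LOGOFF DETECTION ---
DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: RowID: 109254
DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: User: test
DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: WrkstIP: 10.45.206.201
DEBUG [0xebc] 22-04-2020 12:33:51 : userdb_log_userinfo: ExpireTime: 0
"""

LINE = re.compile(r"DEBUG \[(0x[0-9a-fA-F]+)\] (\d\d-\d\d-\d{4} \d\d:\d\d:\d\d) : (.*)")
FIELD = re.compile(r"(dca_log_userinfo|userdb_log_userinfo): (\w+): (.*)")
# Assumption from the excerpt: dca_* records are reported logons,
# userdb_* records are entries picked for logoff detection.
KIND = {"dca_log_userinfo": "logon", "userdb_log_userinfo": "logoff_check"}

def parse_records(text):
    """Group the per-field debug lines into records, keyed by thread ID."""
    records, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        f = FIELD.match(m.group(3)) if m else None
        if not f:
            continue  # not a userinfo field line (threadpool noise, headers)
        tid, kind, key = m.group(1), KIND[f.group(1)], f.group(2)
        rec = current.get(tid)
        # A repeated field or a change of record type starts a new record.
        if rec is None or rec["kind"] != kind or key in rec["fields"]:
            when = datetime.strptime(m.group(2), "%d-%m-%Y %H:%M:%S")
            rec = current[tid] = {"kind": kind, "time": when, "fields": {}}
            records.append(rec)
        rec["fields"][key] = f.group(3).strip()
    return records

def logoff_gaps(records):
    """(ip, user, seconds) from the last logon seen for an IP to its logoff check."""
    last_logon, gaps = {}, []
    for rec in records:
        ip = rec["fields"].get("WrkstIP")
        if rec["kind"] == "logon":
            last_logon[ip] = rec["time"]
        elif ip in last_logon:
            seconds = int((rec["time"] - last_logon[ip]).total_seconds())
            gaps.append((ip, rec["fields"].get("User"), seconds))
    return gaps
```

Run `logoff_gaps(parse_records(...))` over the full STAS debug log and compare the reported IPs and times with the firewall log rows where the user name goes missing.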
