User losing authentication

Dear,

Some Windows 10 machines started to lose their internet connection. I'm using STAS with Active Directory authentication. When the user logs in to Windows again, the connection returns. Can anybody help me?


This thread was automatically locked due to age.
  • Hello Guys! Below is the log of the STAS. The user that does not work is paraujo, with IP 10.10.0.245. The IP of the firewall is 10.10.0.220. Our domain is emh.br.

    DEBUG [0x144c] 24/08/2022 07:03:56 : dca_eventlog: got Kerberos authentication event
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: UserName: paraujo
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: DomainName: EMH_BH
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: IPv6 WorkstationIP: :
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: IPv4 WorkstationIP: 10.10.0.245
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: Event ID: 4768
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: EventType: AuditSuccess
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: CreateTime: 1661335435
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: ExpireTime: 1661336040
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: LogonType: 2
    DEBUG [0x144c] 24/08/2022 07:03:56 : threadpool_run: Submitting Function 0x40a830
    DEBUG [0x144c] 24/08/2022 07:03:56 : threadpool_run: adding function at tail
    DEBUG [0x144c] 24/08/2022 07:03:56 : list_add_tail: first element added
    DEBUG [0x144c] 24/08/2022 07:03:56 : threadpool_run: get free thread: ThreadID: 0x1450
    DEBUG [0x144c] 24/08/2022 07:03:56 : dca_enqueue_userinfo: callback submitted
    DEBUG [0x144c] 24/08/2022 07:03:56 : dca_eventlog: userinfo enqueued to dca processor
    DEBUG [0x144c] 24/08/2022 07:03:56 : dca_eventlog: got Kerberos authentication event
    DEBUG [0x1450] 24/08/2022 07:03:56 : threadpool_threadproc: New Function added
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: UserName: paraujo
    DEBUG [0x1450] 24/08/2022 07:03:56 : list_remove_head: last element removed
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: DomainName: EMH.BR
    DEBUG [0x1450] 24/08/2022 07:03:56 : threadpool_get_threadproc: Function 0x40a830
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: IPv6 WorkstationIP: :
    DEBUG [0x1450] 24/08/2022 07:03:56 : threadpool_threadproc: Executing Function 0x40a830
    MSG [0x144c] 24/08/2022 07:03:56 : init_userinfo_kerberos: IPv4 WorkstationIP: 10.10.0.245
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: Event ID: 4768
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_log_userinfo: User: paraujo
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: EventType: AuditSuccess
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_log_userinfo: Domain: emh.br
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: CreateTime: 1661335435
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_log_userinfo: WrkstIP: 10.10.0.245
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: ExpireTime: 1661336040
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_log_userinfo: CreateTime: 1661335435
    DEBUG [0x144c] 24/08/2022 07:03:56 : init_userinfo_common: LogonType: 2
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_log_userinfo: ExpireTime: 1661336040
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_log_userinfo: LogonType: 2
    DEBUG [0x144c] 24/08/2022 07:03:56 : threadpool_run: Submitting Function 0x40a830
    DEBUG [0x1450] 24/08/2022 07:03:56 : Adding user info to db and Sophos
    DEBUG [0x144c] 24/08/2022 07:03:56 : threadpool_run: adding function at tail
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_filter_by_username: comparing username for exclusion: User from UTM 'paraujo' (7) : User in the list 'SophosUpdateMgr' (15)
    DEBUG [0x144c] 24/08/2022 07:03:56 : list_add_tail: first element added
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_filter_by_username: comparing username for exclusion: User from UTM 'paraujo' (7) : User in the list 'svcsophos' (9)
    DEBUG [0x144c] 24/08/2022 07:03:56 : threadpool_run: get free thread: ThreadID: 0x1454
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_filter_by_username: comparing username for exclusion: User from UTM 'paraujo' (7) : User in the list 'treinamento' (11)
    DEBUG [0x144c] 24/08/2022 07:03:56 : dca_enqueue_userinfo: callback submitted
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_filter_by_username
    DEBUG [0x144c] 24/08/2022 07:03:56 : dca_eventlog: userinfo enqueued to dca processor
    DEBUG [0x1450] 24/08/2022 07:03:56 : userdb_handle_duplicate_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='10.10.0.245';
    DEBUG [0x1454] 24/08/2022 07:03:56 : threadpool_threadproc: New Function added
    DEBUG [0x1454] 24/08/2022 07:03:56 : list_remove_head: last element removed
    DEBUG [0x1454] 24/08/2022 07:03:56 : threadpool_get_threadproc: Function 0x40a830
    DEBUG [0x1454] 24/08/2022 07:03:56 : threadpool_threadproc: Executing Function 0x40a830
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_log_userinfo: User: paraujo
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_log_userinfo: Domain: emh.br
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_log_userinfo: WrkstIP: 10.10.0.245
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_log_userinfo: CreateTime: 1661335435
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_log_userinfo: ExpireTime: 1661336040
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_log_userinfo: LogonType: 2
    DEBUG [0x1454] 24/08/2022 07:03:56 : Adding user info to db and Sophos
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_filter_by_username: comparing username for exclusion: User from UTM 'paraujo' (7) : User in the list 'SophosUpdateMgr' (15)
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_filter_by_username: comparing username for exclusion: User from UTM 'paraujo' (7) : User in the list 'svcsophos' (9)
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_filter_by_username: comparing username for exclusion: User from UTM 'paraujo' (7) : User in the list 'treinamento' (11)
    DEBUG [0x1450] 24/08/2022 07:03:56 : userdb_insert_userinfo: no matching userinfo found
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_filter_by_username
    DEBUG [0x1450] 24/08/2022 07:03:56 : userdb_insert_userinfo: UserInfo Successfully Inserted
    DEBUG [0x1450] 24/08/2022 07:03:56 : list_add_tail: first element added
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_insert_userinfo_db: userinfo enqueued in XG Update Queue
    DEBUG [0x1454] 24/08/2022 07:03:56 : userdb_handle_duplicate_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='10.10.0.245';
    DEBUG [0x1450] 24/08/2022 07:03:56 : dca_add_userinfo_dcaclient: DCA Client IO succeded
    DEBUG [0x1450] 24/08/2022 07:03:56 : threadpool_finishnotify: Thread ID: 0x1450
    ERROR [0x1434] 24/08/2022 07:03:56 : USERINFO WAITING INFINITE
    DEBUG [0x1450] 24/08/2022 07:03:56 : threadpool_finishnotify: Reset Event
    DEBUG [0x1434] 24/08/2022 07:03:56 : list_remove_head: last element removed
    MSG [0x1434] 24/08/2022 07:03:56 : SSOclient_thread: got userinfo: USER: emh.br\paraujo <-> Flags: 5
    DEBUG [0x1434] 24/08/2022 07:03:56 : SSOclient_filter_CR_subnet: Entering filter function
    DEBUG [0x1434] 24/08/2022 07:03:56 : SSOclient_filter_CR_subnet: authnet not specified, send request to XG
    ERROR [0x1434] 24/08/2022 07:03:56 : SSOclient_update_CR: domain name is there with length 6 , emh.br
    ERROR [0x1434] 24/08/2022 07:03:56 : USERNAME paraujo Length 8
    ERROR [0x1434] 24/08/2022 07:03:56 : WORKSTN IP 10.10.0.245 Length 12
    ERROR [0x1434] 24/08/2022 07:03:56 : DOMAIN emh.br Length 7
    DEBUG [0x1454] 24/08/2022 07:03:56 : userdb_handle_duplicate_userinfo: User 'emh.br\paraujo' found on '10.10.0.245'
    DEBUG [0x1454] 24/08/2022 07:03:56 : userdb_handle_duplicate_userinfo: userinfo matched
    ERROR [0x1434] 24/08/2022 07:03:56 : SSOclient : PACKET SIZE 213 ㄲ3
    DEBUG [0x1454] 24/08/2022 07:03:56 : userdb_insert_userinfo: matching userinfo found
    DEBUG [0x1454] 24/08/2022 07:03:56 : dca_add_userinfo_dcaclient: DCA Client IO succeded

  • In this scenario, are the username paraujo and the client IP 10.10.0.245 correct? Who is facing the auto logout issue?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • The paraujo user is the one who has the auto disconnection problem.
  • How frequently does it happen, and how many ADs manage the users?
    Can you check whether there are any duplicate entries under STAS with the same IP and username?

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services

  • It has been happening every day. It happens only to users who are running the latest version of Windows 10. There are no duplicate users.

  • Hi Bruno Silva2 

    Please follow the below link to troubleshoot the issue with STAS : 

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125318/sophos-firewall-best-practice-for-stas#mcetoc_1esth6tqs25 

    I suspect issues related to your domain controller and the user group settings on the end system.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • I'd expect to see more in there, in particular references to the logoff timer or logoff events.

  • Check whether the logon and logoff events
    logon events: 4768
    logoff events: 4769, 4634
    are generated on the AD for that user.

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services
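    An added example, not from the thread or from Sophos: run on the domain controller to list the events named above (4768, 4769, 4634) for the user and workstation IP posted in this thread, so the logon and logoff timeline can be compared against the STAS log. The 24-hour look-back window is an assumption.

    ```powershell
    # Added example (not from the thread): pull the logon/logoff events the thread
    # says STAS relies on for one user/workstation. User and IP come from the
    # thread; the look-back window ($Hours) is an assumed value.
    $User          = 'paraujo'
    $WorkstationIp = '10.10.0.245'
    $Hours         = 24

    $filter = @{
        LogName   = 'Security'
        Id        = 4768, 4769, 4634
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { "No 4768/4769/4634 events in the last $Hours h"; return }

    $events | ForEach-Object {
        $evt  = $_
        # Event fields live in the XML payload; index them by name.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4768/4769 carry TargetUserName (4769 as user@REALM) and IpAddress,
        # usually IPv4-mapped (::ffff:10.10.0.245). 4634 has no IP field, so it
        # is matched on the user name only.
        $name = ($data['TargetUserName'] -split '@')[0]
        $ip   = $data['IpAddress'] -replace '^::ffff:', ''
        if ($name -ne $User) { return }
        if ($evt.Id -ne 4634 -and $ip -ne $WorkstationIp) { return }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Id        = $evt.Id
            Meaning   = $(switch ($evt.Id) {
                            4768 { 'Kerberos TGT requested (logon seen by STAS)' }
                            4769 { 'Kerberos service ticket requested' }
                            4634 { 'Account logged off' }
                        })
            User      = $data['TargetUserName']
            Ip        = $ip
            LogonType = $data['LogonType']   # only present on 4634
        }
    } | Sort-Object Time | Format-Table -AutoSize
    ```

    A 4634 appearing shortly after each 4768 for this user, with no matching user action, points at the client side rather than at the collector.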

  • I ran a test in the STAS client under STAS POLLING UTILITIES. When I enter the IP 10.10.0.245 (the problem user's IP) STAS shows me "Access denied", and when I test with another IP it shows "The operation was done successfully". Could something be blocked on the workstation? This problem occurred only on 3 PCs that use Windows 10 21H2.

  • Try updating those Windows machines if updates are available, as this looks more like a system-level issue than one of STAS!

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services

  • This probably indicates the WMI checks are being denied by the client. Either sort that out or change the logoff detection method to Ping (as long as you don't have Windows Firewall blocking those).

  • The Active Directory server should have the following ports open:

    STA Collector > XG Firewall (UDP 6060)
    XG Firewall > STA Collector (UDP 6677)
    STA Agent > STA Collector (TCP 5566)

    You only need to enable the following ports if you use these methods:

    Workstation Polling Method (WMI) or Registry Read Access:
    Starting from TCP 135
    Starting from TCP 445

    Logoff Detection Ping:
    Outgoing: ICMP

    STAS Collector Test:
    Incoming/Outgoing UDP 50001

    STAS Configuration Sync:
    Incoming/Outgoing TCP 27015

    Note: RPC, RPC locator, DCOM and WMI services should also be enabled on the clients for WMI/Registry Read Access.

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services
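    An added example, not from the thread or from Sophos: run on the STAS collector (the AD server) to check the collector-to-workstation paths from the ports list above and to reproduce the WMI poll that the earlier reply suspects is being denied by the client. The workstation and firewall IPs are the ones posted in the thread; the UDP paths to the firewall (6060, 6677) cannot be probed with a TCP connect and are only checked for basic reachability.

    ```powershell
    # Added example (not from the thread): verify the collector -> workstation
    # paths for WMI polling (TCP 135/445) and Ping logoff detection (ICMP), then
    # issue the same kind of WMI query STAS uses, over DCOM rather than WinRM.
    $Workstation = '10.10.0.245'   # problem workstation from the thread
    $Firewall    = '10.10.0.220'   # firewall IP from the thread

    # WMI / Registry Read Access: RPC endpoint mapper and SMB on the client.
    foreach ($port in 135, 445) {
        $r = Test-NetConnection -ComputerName $Workstation -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0} TCP/{1} -> {2}' -f $Workstation, $port, $state
    }

    # Logoff Detection Ping: the client must answer ICMP echo requests.
    $state = if (Test-Connection -ComputerName $Workstation -Count 2 -Quiet) { 'reachable' } else { 'no reply' }
    '{0} ICMP -> {1}' -f $Workstation, $state

    # UDP 6060/6677 to and from the firewall cannot be tested with a TCP connect;
    # confirm at least that the firewall answers on the network.
    $state = if (Test-Connection -ComputerName $Firewall -Count 1 -Quiet) { 'reachable' } else { 'no reply' }
    '{0} ICMP -> {1}' -f $Firewall, $state

    # Reproduce the STAS WMI poll: ask the client who is logged on, over DCOM.
    # An "Access denied" here matches the STAS Polling Utilities result.
    try {
        $opt  = New-CimSessionOption -Protocol Dcom
        $sess = New-CimSession -ComputerName $Workstation -SessionOption $opt -ErrorAction Stop
        $cs   = Get-CimInstance -CimSession $sess -ClassName Win32_ComputerSystem -ErrorAction Stop
        'WMI over DCOM -> OK, logged-on user: {0}' -f $cs.UserName
        Remove-CimSession -CimSession $sess
    } catch {
        'WMI over DCOM -> FAILED: {0}' -f $_.Exception.Message
        # Typical causes: the client Windows Firewall blocking TCP 135/445 or the
        # dynamic RPC range, the RPC/DCOM/WMI services stopped on the client, or
        # the collector's service account lacking DCOM/WMI permissions there.
    }
    ```

    Run it once against the failing workstation and once against one that works; the line that differs is the control to fix before changing the logoff detection method.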