
SSO AD User logout continuously

Hi,

I have an XG firewall with AD SSO.

The users logged into the firewall are continuously logged out after 20 minutes.

2016-04-11 08:44:32 | Firewall Authentication | SUCCESSFUL | dario.zzzz@xxxx.local | 172.16.29.115 | CTA | N/A | User dario.zzzz@xxxx.local was logged out of firewall | 17703
2016-04-11 08:28:48 | Firewall Authentication | SUCCESSFUL | dario.zzzz@xxxx.local | 172.16.29.115 | CTA | AD | User dario.zzzz@xxxx.local of group Proxy_All logged in successfully to Firewall through AD authentication mechanism from 172.16.29.115 | 17701


I have followed all the guides but I cannot fix it.

Thanks

Emil
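
To measure how long sessions actually last before the firewall drops them, the login and logout events can be paired per user and source IP. This is an added example, not part of the original post or any Sophos tooling; the pipe-delimited export layout, the second user and the 30-minute threshold are assumptions, while the message IDs 17701 (login) and 17703 (logout) are the ones shown in the excerpt above.

```python
from datetime import datetime

LOGIN_ID, LOGOUT_ID = "17701", "17703"  # message IDs as they appear in the post

# Constructed sample: the two events from the post plus one invented pair,
# in an assumed export layout: time|user|src_ip|client|message_id
SAMPLE = """\
2016-04-11 08:28:48|dario.zzzz@xxxx.local|172.16.29.115|CTA|17701
2016-04-11 08:44:32|dario.zzzz@xxxx.local|172.16.29.115|CTA|17703
2016-04-11 09:00:00|user.b@xxxx.local|172.16.29.120|CTA|17701
2016-04-11 17:30:00|user.b@xxxx.local|172.16.29.120|CTA|17703
"""

def parse(text):
    """Yield (timestamp, user, ip, message_id) for each well-formed line."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[1], parts[2], parts[4]

def sessions(text):
    """Pair each login with the next logout for the same (user, ip)."""
    open_logins, result = {}, []
    for ts, user, ip, msg_id in sorted(parse(text)):
        key = (user, ip)
        if msg_id == LOGIN_ID:
            open_logins[key] = ts
        elif msg_id == LOGOUT_ID and key in open_logins:
            start = open_logins.pop(key)
            result.append((user, ip, start, (ts - start).total_seconds()))
    return result

def short_sessions(text, max_seconds=30 * 60):
    """Sessions that ended no later than max_seconds after login."""
    return [s for s in sessions(text) if s[3] <= max_seconds]

if __name__ == "__main__":
    for user, ip, start, secs in short_sessions(SAMPLE):
        print(f"{user} {ip} login {start} lasted {secs / 60:.1f} min")
```

If the durations of the short sessions cluster around one value, that points at a timer or polling interval rather than real user logoffs.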



  • I am having the same problem. It's even more fun because this kills my SSL VPN session after 10 minutes and then every minute afterward. I believe the STAS software is fundamentally broken when it comes to WMI queries for logoff information. I followed this: https://community.sophos.com/kb/en-us/123020

    Every 10 minutes it tries to connect to the computers via WMI to verify and it fails and then terminates the user sessions. However, if I simultaneously run the WMI query in the article, it shows me the correct username logged into the computer. Interestingly enough, it tries to connect to non-Windows computers that have no users in the "Live Users" table, and those obviously fail too.

    What would be the implication of just disabling all automatic logoff/session idle timers?  I would think that in theory, user A logs in and then logs off, the XG doesn't know about the logoff and still shows them as on, but if user B then comes and logs in to the same machine sometime later, wouldn't the STAS event update the Sophos box and say "User B is now logged in at IP blah blah?"  As far as I know, I believe this is how Meraki does it. 

    All in all this is extremely frustrating. 

  • I have exactly the same problem - if I switch on logoff detection, some users are randomly disconnected. I have coped with this problem since ancient times - CTAS + UTM.

    We tried several configurations (one STAS, two STAS, different agents etc.) - it would be much better if this simply worked.

    BTW: Can we disable WMI polling completely?

    Even if we have "logoff detection" switched off, WMI/remote registry polling runs permanently.

  • Hi, all

    I have the same issue: I see the user connecting in the morning, and I see the authentication log in the AD Events, STAS and the Live Users. After a period of time the user is disconnected from the live users. If the user tries to navigate, he gets a block for no authentication; after around 2-3 minutes the user can navigate, but not with the user name I authorized, like irvinr. In the live users I see the name of a computer "host".

    I really don't know what is going on, but this behavior happens a lot. So that the users don't call me a lot, I put in another rule for users allowing the opengroup to navigate.

    It happens all day long.

    Any similar issue, or users with this behavior?

    Why doesn't Sophos put in the same prefetch to collect all the user information from the DC, like UTM v9.4?

    Best regards.

  • Hi Irvin,

    I don't know if it's true, but I think it's a connection with this authentication behavior STAS / CTA.

    I have another situation with a Windows 2008 R2 Domain Controller, and it works well.

    It seems to occur in environments where STAS is installed with a Windows 2012 DC, but I need to test again.

    If I restart STAS, live users come back!

    Gabriele

  • Hi,

    I tried everything to resolve this issue but it keeps happening. See the image.

    Anyone seeing this issue?

    The STAS is getting the computer name and not the user name from the domain controller. If I search for the user in the STAS Live Users, I see the user in the computer connected.

    Anyone know how to stop the automatic logout from the firewall because of inactivity time? I don't have it active on STAS or Authentication > Services > NTLM.

    Best regards.

    Thanks


  • Hi all, this is exactly our situation - we use only STAS on DC servers (3) and now have one collector that sends user info to one XG firewall. When we switch on "logoff detection" in any possible way (remote registry/WMI, dead hour in every combination), we see some users are logged out and then put into "learning mode" for 2-3 minutes. This is an inappropriate term for "to be cut off from LAN".

    The same result was for CTAS (STAS version for UTM) and also for more than one STAS collector.

    Now I am in a resigned state and don't believe that somebody at Sophos can solve it.

  • How about here, do you have Enable User Inactivity enabled or disabled?

  • Hi,

    I have the STAS Inactivity off.

    See this example, where the user nguerrero is getting a logout from the firewall. I installed an application to monitor the AD Event Logs, "ADAudit Plus" from ManageEngine, to see the information in real time: when the user connects, where, how and from where. I see the user connect and do not see any logout from the session on the computer, but I see this disconnection a lot. I understood it was because of the NTLM inactivity time that the user is getting this; I set the time to 480 mins and it keeps doing it.

    Not only that, I see the computer name in live users and users in my UTM. How this happens I don't know. If I go to the STAS Live Users I don't see the computer XXXX@XXXX.local authenticated; what I see is the user name logged in, and the firewall is where I see the computer name logged in.

    brot!

    In the forum, KB or with your knowledge, do you know how to make this work fine? I followed all the KB information about how to get this done and I still get the issue.

    If anyone doesn't have the issue, please write me or post a solution here.

    Best regards.


  • Try adding your servers (including AD servers, Exchange servers if you have them) to the IP login and logoff exclusion list in the STAS client and see if that changes anything. 

  • Hi,

    I will give it a try but I don't see how this is going to work, because on the STAS Client I don't see the computer information in the logs.

    I only see this information in the firewall. That is where I see the computer name authenticate, but I don't know from where.

    Thanks.

    I will give you feedback in 1-2 days.