User login through SSO client constant login and off in 16.05.1 MR-1

I use the Sophos Single Sign-On Client (SSO), the first one on the Client downloads page.

The thing happened in the morning, as I noticed the internet connection on my desktop was lost constantly. Then I checked the XG and found there was high CPU usage with little traffic. Using top I found a "worker" process constantly running at 100% (I suppose it's single-threaded), and "access_server", "login_user" and "logout_user" appear from time to time with high CPU usage. This brought me to the authentication log, where I found the logs below, which are apparently abnormal.

2017-02-13 14:33:59 | Firewall Authentication | SUCCESSFUL | user@domain.local | 10.18.100.146 | SSO | N/A | User user@domain.local was logged out of firewall | 17703
2017-02-13 14:33:59 | Firewall Authentication | SUCCESSFUL | user@domain.local | 10.18.100.146 | SSO | AD | User user@domain.local of group sys-admin logged in successfully to Firewall through AD authentication mechanism from 10.18.100.146 | 17701
2017-02-13 14:34:00 | Firewall Authentication | SUCCESSFUL | user@domain.local | 10.18.100.146 | SSO | N/A | User user@domain.local was logged out of firewall | 17703
2017-02-13 14:34:00 | Firewall Authentication | SUCCESSFUL | user@domain.local | 10.18.100.146 | SSO | AD | User user@domain.local of group sys-admin logged in successfully to Firewall through AD authentication mechanism from 10.18.100.146 | 17701

I manually stopped all of the SSO Clients and the CPU instantly went back to normal (mostly idle).

So far I have tried rebooting everything around it and itself. I have also tried restoring a known good config backup from a month ago, and rolling back to 16.01.3 MR-2. None of them solved the problem.

=====edited======

unrelated

Found something strange: /log/syslog.log shows /bin/login is constantly restarted at a one-second interval.

Feb 14 03:08:02 (none) daemon.info init: process '/bin/login' (pid 9706) exited. Scheduling for restart.
Feb 14 03:08:02 (none) daemon.info init: starting pid 9707, tty '/dev/ttyS0': '/bin/login'
Feb 14 03:08:03 (none) daemon.info init: process '/bin/login' (pid 9707) exited. Scheduling for restart.
Feb 14 03:08:03 (none) daemon.info init: starting pid 9708, tty '/dev/ttyS0': '/bin/login'
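
An added example, not part of the original post and not Sophos code: one way to flag the login/logout loop described above from exported authentication rows. It relies on the message IDs 17701 (login) and 17703 (logout) shown in the rows quoted in the post; the pipe-separated row layout, the sample rows, and the 60-second window and threshold of 3 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Message IDs as they appear in the log rows quoted in this thread.
LOGIN_ID, LOGOUT_ID = "17701", "17703"

# Constructed sample rows. The "time|user|ip|message id" layout is an
# assumption about how the rows were exported, not a Sophos format.
SAMPLE = """\
2017-02-13 14:33:59|user@domain.local|10.18.100.146|17703
2017-02-13 14:33:59|user@domain.local|10.18.100.146|17701
2017-02-13 14:34:00|user@domain.local|10.18.100.146|17703
2017-02-13 14:34:00|user@domain.local|10.18.100.146|17701
2017-02-13 14:34:05|other@domain.local|10.18.100.20|17701
2017-02-13 16:10:41|other@domain.local|10.18.100.20|17703
"""


def parse(text):
    """Yield (timestamp, user, ip, message_id) for login/logout rows only."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4 or fields[3] not in (LOGIN_ID, LOGOUT_ID):
            continue  # skip blank, malformed or unrelated rows
        ts = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
        yield ts, fields[1], fields[2], fields[3]


def find_flapping(text, window=timedelta(seconds=60), threshold=3):
    """Return {(user, ip): peak state changes inside `window`} at/above threshold."""
    events = defaultdict(list)
    for ts, user, ip, msg_id in parse(text):
        events[(user, ip)].append((ts, msg_id))
    flapping = {}
    for key, evs in events.items():
        # Stable sort: rows sharing a one-second timestamp keep file order.
        evs.sort(key=lambda e: e[0])
        # Timestamps at which the session state flipped (login <-> logout).
        changes = [b[0] for a, b in zip(evs, evs[1:]) if a[1] != b[1]]
        best = start = 0
        for end, t in enumerate(changes):
            while t - changes[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flapping[key] = best
    return flapping


if __name__ == "__main__":
    for (user, ip), n in find_flapping(SAMPLE).items():
        print(f"{user} from {ip}: {n} login/logout changes within 60s")
```

A normal session (one login, one logout hours later) yields a single state change and is not reported; only pairs that flip repeatedly inside the window are.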



  • Spun up a completely new virtual appliance and only set up Active Directory integration, then tried the SSO Client against it. The same problem happened.

    This time access_server.log filled with

    ERROR     Feb 16 15:25:26 [4144236352]: config_resolve_bwid: BW Policy 0 not found

  • Same problem on XG310: users are constantly trying to log in.

    On the Firewalls in access_server.log I have also this:

    ERROR Feb 16 16:51:14 [4128242496]: config_resolve_bwid: BW Policy 0 not found
    ERROR Feb 16 16:51:15 [4144248640]: handle_internal_logout_req: SQLITE_REQ_GETLIVEUSER query failed
    ERROR Feb 16 16:51:15 [4144248640]: do_authorization_phase2: Can't Logout User from IP: '192.168.0.13'

     

    On workstations in SSO log I have this:

    02/16/17 16:53:37 Sending request size = 230
    02/16/17 16:53:38 No Response From Server
    02/16/17 16:53:38 Send Failed, will try again in 30 sec


  • Same issue here, with same log (XG 230)
     
    This problem has already occurred in the two previous firmware versions
     
     
  • Exact same issue here on an XG310. Initially occurred on 16.01, updated to 16.05, issue remained. Rolled back to 16.01 and restored a known working backup config, issue remained. Updated again to 16.05 because why not, it's broken anyway.

    I've had a ticket open since last Friday and they've only updated it once from the Philippines to ask what timezone I'm in. I've captured packets from the client, the firewall, and both domain controllers and all I can tell is the client receives something back but must not fully recognize it as a successful authorization. It does provide a momentary connection but since it keeps logging out/in connectivity comes and goes and that absolutely just won't fly.

    The Windows SSO client has been working perfectly fine for about 6 months, then out of the blue all the clients started this behaviour. I've disabled SSO for now since the "logout/login/logout/login/logout/login" loop was causing havoc.  We have all client and DC firewalls disabled.  Basically, nothing has changed as far as I can tell but just bam, all clients SSO stopped working at the same time with the same results as in this thread.

    Can we get some eyes on this or at least a followup response? We've spent the better part of a week trying to figure out if it was a client/DC or firewall issue.

  • Hi Jeremy, 

    Could you DM us the Case # you have received along with the link to this thread? We will look into it and update you further.

  • Hi Aditya

    We have exactly the same issue with this update on an XG-125.

     

    Aditya Patel said:

    Hi Jeremy, 

    Could you DM us the Case # you have received along with the link to this thread? We will look into it and update you further.

     

  • Sent.  Looking forward to getting this sorted out.

  • Dear Jeremy,

    Could you please update this thread if you find anything? I can imagine that more people are affected by this issue.

    We are currently testing two new XG135 and a new XG230 and we had the login/logout loop from the very beginning of our AD tests.

    Thank you!

  • Will do.  Nothing yet, they've transferred me back to a NA zone so someone should be on shift while I'm at work.  Honestly I'm disappointed it's taken 6 days to just get that far.

  • Hi,

    I checked the access_server.log file you DMed me. It states that the Access Server is getting restarted, which may be the reason for the disconnections.

    MESSAGE Feb 14 10:39:06 [4144490304]: access_server: Access Server Shuting down
    MESSAGE Feb 14 10:39:06 [4144490304]: (CA_exit): ClientAuth successfully finished
    ERROR Feb 14 10:39:06 [4144490304]: pg_db_release_client: Database disconneted
    ERROR Feb 14 10:39:06 [4144490304]: pg_db_release_client: Database disconneted
    MESSAGE Feb 14 10:39:06 [4144490304]: access_server: Access Server Stopped

    Please DM me postgres and syslog from the above date and time.

    Thanks