Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Live users frequent forced logged out

Hi All,

 

I have a Sophos XG 135 running on SFOS 17.5 MR-9 with around 100 users. I have been experiencing this kind of issue where almost all of our live users (using the web client and clientless authenticator) were frequently forced to log out every single day. I always checked the log viewer for admin, authentication, and system. I can't find any odd logs which causing this issue of mine. Also, I asked for assistance with our local distributor for support and they provided me instructions on increasing the NTLM and Web client settings inactivity time for 1440 minutes, Global settings Maximum session timeout to unlimited. Their support also requested remote access for further checking and still, they cannot resolve it. Any ideas on what causes it? 

Other odd things I found in the logs is about I got a lot of IPSec failed logs Message ID 18052. Not sure if this is connected to my authentication issue.

 

Thanks,

Jonas



This thread was automatically locked due to age.
Parents
  • Hi  

    Would you please share the details of authentication methods which are getting used by users ( Like Captive portal , CAA , STAS , NTLM or all of these ) ?

    If you are handy with CLI of XG would you please verify the below details and share the result here?

    1) Any core dumps with access server service in a recent dates?

    Reference command with output:

    SFOS 17.5.9 MR-9# ls -lah /var/cores/

    drwxr-xr-x    2 root     0           4.0K Oct 28 17:30 .

    drwxr-xr-x   37 root     0           4.0K Nov 14 16:53 ..

    -rw-------    1 root     0          15.4M Nov 14 17:55 core.access_server

    2) Any segfault in access server service under syslog of the device ?

    Reference command with output:

    SFOS 17.5.9 MR-9# grep "segfault" /log/syslog.log

    Nov 12 07:54:22 (none) user.info kernel: [68817.056914] access_server[321]: segfault at 4b4 ip 0000000008079eaa sp 00000000ffb4d780 error 4 in access_server[8048000+10b000]
    Nov 12 09:30:47 (none) user.info kernel: [74598.455633] access_server[7664]: segfault at 4b4 ip 0000000008079eaa sp 00000000ffcb3610 error 4 in access_server[8048000+10b000]


    3) Please also confirm Authentication service is restarting during or around segfault

    Reference command with output:

    SFOS 17.5.9 MR-9# grep "Starting Sophos Firewall access_server" /log/access_server.log

    MESSAGE   Nov 12 07:54:24 [4143442432]: (main): Starting Sophos Firewall access_server
    MESSAGE   Nov 12 09:30:49 [4143442432]: (main): Starting Sophos Firewall access_server

    If point 1,2,3 getting observed then it is know issue currently with MR-9.

    If 1,2 and 3 not getting observed then further access server debug logs needs to be verify during the user log out time and need to check the further reasons.

    Steps for same:

    a) Telnet or SSH to XG LAN IP via putty

    b) Enter admin credential

    c) Select option 5 , select option 3, it will open advance shell.

    Command to start authentication service in debug mode to get the details logs:

    #service access_server:debug -ds nosync

    You may wait for an issue re creation after service in debug and once issue gets re created you may check and verify the access_server.log under /log directory.

    To stop the debug of service you may use the same command:

    # service access_server:debug -ds nosync

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi Vishal_R,

    Thank you very much for replying. 

    I followed your instructions:

    1) Any core dumps with access server service in a recent dates?

    2) Any segfault in access server service under syslog of the device ?

     

    3) Please also confirm Authentication service is restarting during or around segfault

     

    Now my only concern is on how to mitigate this issue or any workaround since it is a known issue of MR-9.

    Thanks,

    gv it

Reply
  • Hi Vishal_R,

    Thank you very much for replying. 

    I followed your instructions:

    1) Any core dumps with access server service in a recent dates?

    2) Any segfault in access server service under syslog of the device ?

     

    3) Please also confirm Authentication service is restarting during or around segfault

     

    Now my only concern is on how to mitigate this issue or any workaround since it is a known issue of MR-9.

    Thanks,

    gv it

Children