Live users frequent forced logged out

Question

Hi All, 
 
 I have a Sophos XG 135 running on SFOS 17.5 MR-9 with around 100 users. I have been experiencing this kind of issue where almost all of our live users (using the web client and clientless authenticator) were frequently forced to log out every single day. I always checked the log viewer for admin, authentication, and system. I can't find any odd logs which causing this issue of mine. Also, I asked for assistance with our local distributor for support and they provided me instructions on increasing the NTLM and Web client settings inactivity time for 1440 minutes, Global settings Maximum session timeout to unlimited. Their support also requested remote access for further checking and still, they cannot resolve it. Any ideas on what causes it? 
 Other odd things I found in the logs is about I got a lot of IPSec failed logs Message ID 18052. Not sure if this is connected to my authentication issue. 
 
 Thanks, 
 Jonas

Vishal_R · Accepted Answer

Hi gv it 
 Pleas log a support case with above reference output and asked them to apply the patch for NC-51881. 
 Patch will required restart of authentication service once for changes into effect. 
 NC-51881 fixed taken in MR-10 version and as of now release date for MR-10 not yet confirmed.

Vishal_R · Answer

Hi gv it Would you please share the details of authentication methods which are getting used by users ( Like Captive portal , CAA , STAS , NTLM or all of these ) ? If you are handy with CLI of XG would you please verify the below details and share the result here? 1) Any core dumps with access server service in a recent dates? Reference command with output: SFOS 17.5.9 MR-9# ls -lah /var/cores/ 
 drwxr-xr-x 2 root 0 4.0K Oct 28 17:30 . 
 drwxr-xr-x 37 root 0 4.0K Nov 14 16:53 .. 
 -rw------- 1 root 0 15.4M Nov 14 17:55 core.access_server 2) Any segfault in access server service under syslog of the device ? Reference command with output: SFOS 17.5.9 MR-9# grep "segfault" /log/syslog.log 
 Nov 12 07:54:22 (none) user.info kernel: [68817.056914] access_server[321]: segfault at 4b4 ip 0000000008079eaa sp 00000000ffb4d780 error 4 in access_server[8048000+10b000] Nov 12 09:30:47 (none) user.info kernel: [74598.455633] access_server[7664]: segfault at 4b4 ip 0000000008079eaa sp 00000000ffcb3610 error 4 in access_server[8048000+10b000] 
 3) Please also confirm Authentication service is restarting during or around segfault Reference command with output: SFOS 17.5.9 MR-9# grep "Starting Sophos Firewall access_server" /log/access_server.log MESSAGE Nov 12 07:54:24 [4143442432]: (main): Starting Sophos Firewall access_server MESSAGE Nov 12 09:30:49 [4143442432]: (main): Starting Sophos Firewall access_server If point 1,2,3 getting observed then it is know issue currently with MR-9. If 1,2 and 3 not getting observed then further access server debug logs needs to be verify during the user log out time and need to check the further reasons. Steps for same: a) Telnet or SSH to XG LAN IP via putty 
 b) Enter admin credential 
 c) Select option 5 , select option 3, it will open advance shell. 
 Command to start authentication service in debug mode to get the details logs: #service access_server:debug -ds nosync 
 You may wait for an issue re creation after service in debug and once issue gets re created you may check and verify the access_server.log under /log directory. To stop the debug of service you may use the same command: 
 # service access_server:debug -ds nosync