
"Max login limit reached" error

Hi,

For some time we have been struggling with the problem of the appearance of a large number of active sessions on individual user accounts. Our users work remotely by connecting via Sophos Connect to their desktop computer in the company, and from there via a remote desktop to the terminal server. As a result, XG Firewall detects several simultaneous active sessions on the same login: 1x IPSec VPN, 1x STAS (desktop) and 1x Thin Client. I would like to add that SATC has been installed and correctly configured on that server.

Unfortunately, sessions detected as Thin Client from time to time do not automatically expire; they only accumulate. After some time, in the Current Activity tab, one login shows 5 or more Thin Client sessions with start dates up to a few weeks back. Finally, the limit of 7 simultaneous sessions set by us was exhausted and further user logins were rejected by the router with the message: auth_client="CTA" auth_mechanism="AD" reason="max login limit reached".

In order to solve this problem, in the Authentication tab I turned on the "Maximum session timeout" option and set it to 1440 minutes. From then on, after 24 hours, the old Thin Client sessions started to be properly deleted and the problem of exceeding the session limit disappeared.

Unfortunately, another problem emerged in its place. Well, after 24 hours, IPSec sessions initiated by Sophos Connect also began to expire. The effect was that the router stopped associating the user's login with the IP address assigned by the VPN, and after exactly 24 hours it began to block all data flow on those firewall rules that were based on logins and AD groups. In such a situation, the only solution for the user was restarting his VPN connection; however, this causes various problems and we would generally prefer to avoid it. For example, restarting the VPN connection means that all ongoing SSH connections with remote Linux servers must be broken.

In short, I wanted to determine whether it is possible to exclude sessions assigned to the Sophos Connect client from the "Maximum session timeout" option. Alternatively, is it possible to somehow "refresh" them on the router to reset the expiration time?

In my opinion, such a function should be implemented in the Sophos Connect client. I would expect that the user should never be logged out of the router until the ongoing VPN connection ends.

BTW, our router currently runs on XG Firewall version 17.5.13 MR13.

Regards,
Michal
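As an added illustration (not part of Michal's post or of any Sophos tool), the script below replays authentication log lines in the key="value" style of the quoted message, counts the sessions still open per user and per auth_client, flags users who have reached the 7-session limit, and lists which session types a global 1440-minute "Maximum session timeout" would sweep away. The sample log is constructed; the field names timestamp, user_name, session_id, src_ip and status, and the auth_client values "IPSec VPN", "STAS" and "Thin Client", are assumptions for the illustration, since only auth_client and auth_mechanism appear in the message quoted above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Sophos-style key="value" pairs, as in the quoted auth_client="CTA" ... line
KV_RE = re.compile(r'(\w+)="([^"]*)"')

MAX_SESSIONS = 7                                # the per-login limit configured in the thread
MAX_SESSION_TIMEOUT = timedelta(minutes=1440)   # the "Maximum session timeout" value set in the thread

# Constructed sample log (assumed field names; see lead-in). NOW is the
# moment the audit is run, fixed so the example is reproducible.
NOW = datetime(2020, 6, 22, 9, 0, 0)

def _line(ts, user, client, sid, ip, status):
    return (f'timestamp="{ts.isoformat()}" user_name="{user}" auth_client="{client}" '
            f'auth_mechanism="AD" session_id="{sid}" src_ip="{ip}" status="{status}"')

SAMPLE_LOG = [
    _line(NOW - timedelta(hours=30), "jdoe", "IPSec VPN", "v1", "10.81.1.5", "login"),
    _line(NOW - timedelta(hours=2), "jdoe", "STAS", "s1", "10.0.10.23", "login"),
] + [
    # Thin Client (SATC) sessions that never cleared, days to weeks old
    _line(NOW - timedelta(days=d), "jdoe", "Thin Client", f"t{d}", "10.0.102.7", "login")
    for d in (20, 14, 9, 5, 2)
] + [
    _line(NOW - timedelta(hours=1), "jdoe", "Thin Client", "t0", "10.0.102.7", "login"),
    _line(NOW - timedelta(hours=1), "jdoe", "Thin Client", "t5", "10.0.102.7", "logout"),  # one did clear
    _line(NOW - timedelta(hours=1), "asmith", "STAS", "s2", "10.0.10.40", "login"),
]

def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))

def live_sessions(lines):
    """Replay login/logout events in order; return {session_id: record} for sessions still open."""
    open_sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("status") == "login":
            open_sessions[rec["session_id"]] = rec
        elif rec.get("status") == "logout":
            open_sessions.pop(rec["session_id"], None)   # logout without a login is ignored
    return open_sessions

def audit(lines, now=NOW):
    """Per user: live session count, breakdown by auth_client, whether the
    configured limit is reached, and which auth_client types hold sessions
    older than MAX_SESSION_TIMEOUT (the ones a global timeout would drop,
    VPN sessions included)."""
    by_user = defaultdict(list)
    for rec in live_sessions(lines).values():
        by_user[rec["user_name"]].append(rec)
    report = {}
    for user, recs in by_user.items():
        stale = [r for r in recs
                 if now - datetime.fromisoformat(r["timestamp"]) > MAX_SESSION_TIMEOUT]
        report[user] = {
            "live": len(recs),
            "by_client": Counter(r["auth_client"] for r in recs),
            "at_limit": len(recs) >= MAX_SESSIONS,
            "would_expire": sorted({r["auth_client"] for r in stale}),
        }
    return report

if __name__ == "__main__":
    for user, info in audit(SAMPLE_LOG).items():
        print(user, dict(info["by_client"]),
              f"at_limit={info['at_limit']}", f"would_expire={info['would_expire']}")
```

Run against the constructed log, jdoe shows seven live sessions (one IPSec VPN, one STAS, five Thin Client) and is therefore at the limit, and the "would_expire" list contains both "Thin Client" and "IPSec VPN": the stale thin-client sessions are the ones the timeout was meant to clear, but the 30-hour-old VPN session falls under the same global setting, which is exactly the side effect described in the post.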



  • FormerMember
    0 FormerMember

    Hi  

    Thank you for reaching out to the Community!

    Is there any timeout set on the SATC application on the server?

    Thanks,

  • Hi,

    There is a SATC application running on the terminal server with only one option: Log Out Polling Time = 180 s.
    A STAS application is running on the domain controller (on two hosts: PDC and BDC). Its settings are shown in the screenshot below.

  • Whatever bright spark came up with a single "Maximum session timeout" global setting that applies to any authentication mechanism should be assigned to something different, preferably not in firewall design.

    This isn't a one-size-fits-all situation; it should be possible to set a timeout for each authentication mechanism, as the requirements for each differ. We ran into a similar problem with Live Users (set by Heartbeat) 'vanishing' after 30 minutes. It was caused by setting 'Maximum session timeout' because we wanted it to be 30 minutes for a different authentication. We ended up having to choose which was more important, when we should have been able to have two different settings.

  • FormerMember
    0 FormerMember in reply to MichalKawecki

    Hi  

    Thank you for providing the screenshot. 

    Could you please confirm if there are any WMI failed events in the STAS logs? You could try to shut down one machine for testing and then after a few minutes check the STAS logs.

    Check out the following KBA for more info on STAS logs: Sophos Firewall: How to view STAS logs.

    Thanks,

  • Hi,

    Terminal Server users connect to it remotely using 10.0.102.x addresses. Typical communication with the DC server looks like the screenshot below:

    I understand that we are focusing on determining the reason why the router is not removing disconnected TS sessions from the active connections list?