teereepee
Explorer

No Log Out Event for Remote Access user Session (r80.20)

It appears that many folks are having issues with usable reporting for understanding the current number of active remote access users. From tomorrow my organisation will work remotely and I have to manually pull and record data for dashboard reporting. I know that you can use SmartConsole >>> New Tab >>> Tunnel & User Monitoring to view real-time or historical reporting, but the Active RA Tunnels Sessions information appears to be incorrect (we have logged a ticket). So we use "fw tab -t userc_users -s" at various intervals to get a more accurate number of active users.

For auditing purposes, my organisation would like to know user activity such as when and how long a user was connected. As we don't have all log events going to the SIEM, on a daily basis in the Web SmartView I use the following filter in Logs to get the previous day's sessions: blade:"Mobile Access" AND action:("Log In" OR "Log Out" OR "Failed Log In"). I export this to Excel, import it into MS Access, and join the Log In and Log Out events by Session ID; the report is then almost done.

The problem is that I have noticed that some Log In events do not have a matching Log Out event. In most cases there is a "Session timeout" or "User has signed off" Log Out event. The Log In (row 2) event in the list below has no Log Out event. I assume that the session was interrupted. As there is a new Log In (row 3) 5 hours later, the assumption is that there must be a log out, or is it a re-establishment of the previous session with a laptop going to sleep? But then the duration does not match, nor do the session IDs.

| User | Action | Time | Status | Action | Time | Duration | Reason for Failure | Session ID |
|---|---|---|---|---|---|---|---|---|
| Dummy User | Log In | 22/03/2020 20:48:55 | Success | Log Out | 23/03/2020 04:48:52 | 28800 | Session timeout | 5E773487-0000-0000-A884-0221FD4E0000 |
| Dummy User | Log In | 23/03/2020 05:53:25 | Success | | | | | 5E77B425-0000-0000-A884-0221FD4E0000 |
| Dummy User | Log In | 23/03/2020 10:51:14 | Success | Log Out | 23/03/2020 11:15:43 | 1500 | User has signed off | 5E77F9F2-0000-0000-A884-0221FD4E0000 |
| Dummy User | Log In | 23/03/2020 11:18:34 | Success | Log Out | 23/03/2020 19:18:29 | 28800 | Session timeout | 5E78005A-0000-0000-A884-0221FD4E0000 |

Please could anyone confirm if the missing log out event is normal behaviour? Is anyone else having an issue regarding the incorrect Active RA Tunnels vs "fw tab -t userc_users -s"?

0 Kudos
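
The Session ID join described in the post above, as an added example that is not part of the original post or any Check Point tooling: it pairs Log In and Log Out events per session and labels sessions with a missing half instead of dropping them. The CSV column names are assumptions, and the sample rows are constructed from the table in the post.

```python
import csv
import io
from datetime import datetime

# Constructed sample shaped like the rows quoted in the post. Column names are
# assumptions, not the real SmartView export headers. The Log In for the last
# session is deliberately left out to show the "no_login" case.
SAMPLE_EXPORT = """time,user,action,reason,session_id
22/03/2020 20:48:55,Dummy User,Log In,,5E773487-0000-0000-A884-0221FD4E0000
23/03/2020 04:48:52,Dummy User,Log Out,Session timeout,5E773487-0000-0000-A884-0221FD4E0000
23/03/2020 05:53:25,Dummy User,Log In,,5E77B425-0000-0000-A884-0221FD4E0000
23/03/2020 10:51:14,Dummy User,Log In,,5E77F9F2-0000-0000-A884-0221FD4E0000
23/03/2020 11:15:43,Dummy User,Log Out,User has signed off,5E77F9F2-0000-0000-A884-0221FD4E0000
23/03/2020 19:18:29,Dummy User,Log Out,Session timeout,5E78005A-0000-0000-A884-0221FD4E0000
"""
TS_FORMAT = "%d/%m/%Y %H:%M:%S"

def reconcile(export_text):
    """Join Log In / Log Out rows by session ID; keep unmatched sessions."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["action"] not in ("Log In", "Log Out"):
            continue  # e.g. "Failed Log In" never opens a session
        ts = datetime.strptime(row["time"], TS_FORMAT)
        s = sessions.setdefault(row["session_id"], {
            "user": row["user"], "login": None, "logout": None, "reason": ""})
        if row["action"] == "Log In":
            if s["login"] is None or ts < s["login"]:
                s["login"] = ts  # keep the earliest Log In for the session
        else:
            s["logout"], s["reason"] = ts, row["reason"]
    report = []
    for sid, s in sessions.items():
        if s["login"] and s["logout"]:
            status = "closed"
        elif s["login"]:
            status = "no_logout"  # end time unknown; do not invent a duration
        else:
            status = "no_login"
        # Duration comes from the two timestamps, not the log's Duration field.
        duration = int((s["logout"] - s["login"]).total_seconds()) if status == "closed" else None
        report.append({"session_id": sid, "user": s["user"], "status": status,
                       "duration_s": duration, "reason": s["reason"]})
    return report

if __name__ == "__main__":
    for line in reconcile(SAMPLE_EXPORT):
        print(line)
```
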
2 Replies
PhoneBoy
Admin

Log Out events are only generated when the server receives notification from the client they are disconnecting.
That can happen for a lot of reasons and is normal.
For the same reason, it will impact the accuracy of things like counting the number of entries in userc_rules, which contains information on VPN clients that have been connected in the last 15 minutes.
However, the userc_rules table is likely the most accurate measure.

There is a setting (Global Properties, I think) that limits users to a single VPN session at a time.
This is likely a good idea for security reasons and I suspect this will also generate a Log Off event for sessions that are still active by that user (e.g. due to temporary disconnection).
0 Kudos
teereepee
Explorer

Thank you very much for the reply, and I assume that to be the case. I found last night that it appears log in sessions are also missing. I logged in at 06:53 AM (no event), refreshed log in at 14:50 (event present) and refreshed log in at 22:47 (event present). This really makes it difficult to get an accurate picture. We will have a look at the global setting.