Create a Post
Showing results for 
Search instead for 
Did you mean: 

No Log Out Event for Remote Access user Session (r80.20)

I appears that many folks are appear to be having issues with usable reporting for understanding current number of active remote access users. From tomorrow my organisation will work remotely and I have to manually pull and record data for dash board reporting. I know that you can use SmartConsole >>> New Tab >>> Tunnel & User Monitoring to view real-time or historical reporting but the Active RA Tunnels Sessions information appear to incorrect (we have logged a ticket).  So we use "fw tab -t userc_users -s" at various intervals to get a more accurate number of active users.

For Auditing purposes , my organisation would like to know user activity such as when and how long a user was connected. As we don't have all log events going to the SIEM, on a daily basis in the Web SmaryView, I use the the following filter in Logs to get the previous days sessions, blade:"Mobile Access" AND action:("Log In" OR "Log Out" OR "Failed Log In") , I export this to excel import in the MS Access, Join the Log In and Log Out events by Session ID, the report is almost done.

Problem is that I have noticed that some Log In events do not have a matching Log Out event. In most cases there is a Session timeout or User has signed off Log Out event. The Log In (Row 2) event in the list  below has no Log Out event. I assume that the session was interrupted. As there is a new Log In (row 3) 5 hours later so the assumption is there must be a log out or is it a reestablishment of the previous session with a laptop going to sleep, but then the duration does not match. nor do the session ID

UserActionTimeStatusActionTimeDurationReason for FailureSession ID
Dummy UserLog In22/03/2020 20:48:55SuccessLog Out23/03/2020 04:48:5228800Session timeout5E773487-0000-0000-A884-0221FD4E0000
Dummy UserLog In23/03/2020 05:53:25Success    5E77B425-0000-0000-A884-0221FD4E0000
Dummy UserLog In23/03/2020 10:51:14SuccessLog Out23/03/2020 11:15:431500User has signed off5E77F9F2-0000-0000-A884-0221FD4E0000
Dummy UserLog In23/03/2020 11:18:34SuccessLog Out23/03/2020 19:18:2928800

Session timeout






Please could anyone confirm if the missing log out event is normal behaviour? Is anyone else having an issue regarding the incorrect Active RA Tunnels vs "fw tab -t userc_users -s"

0 Kudos
2 Replies

Log Out events are only generated when the server receives notification from the client they are disconnecting.
That can happen for a lot of reasons and is normal.
For the same reason, it will impact the accuracy of things like counting the number of entries in userc_rules, which contains information on VPN clients that have been connected in the last 15 minutes.
However, the userc_rules table is likely the most accurate measure.

There is a setting (Global Properties, I think) that limits users to a single VPN session at a time.
This is likely a good idea for security reasons and I suspect this will also generate a Log Off event for sessions that are still active by that user (e.g. due to temporary disconnection).
0 Kudos

Thank you very much for the reply and I assume that to be the case, I found last night it appears that log in sessions are also mssing1. I logged in at 06:53 AM (No event), refreshed log in 14:50 (event present) and refreshed log in at 22:47 (event present). This really makes it difficult to get an accurate picture. We will have a look global setting.