VPN timeout/key negotion after 8 hours

Hey Jacob Jensen1 

I'll attach a screenshot below, but have you tried changing the key lifetime configured in your SSL VPN settings?

Best,

Hi FloSupport,

I have not tried that. could i double that without it causing other issues? 57600? an even higher number?

Regards

Jacob

Could you please verify if you experience the same issue when you decrease the Key Lifetime to 60 seconds?

Also what method of 2 factor authentication are you using?

Thanks,

Hello, i have more or less the same problem. Key lifetime is 8 hours and with 2factor auth the connection goes down after 8 hours.

I would not like to change much in that session cause i am not sure about the effect ? The setting of key lifetime is firewall side only or

do i have to send the users a new certificate after that change ?  Or can i change it also to 9 hours without any outage of the users 

connection ? 

BR

Marco

Hi marco_47d 

See what I mentioned above regarding the risks of increasing the key lifetime. Generally, changing the settings on that SSL VPN configuration window will require users to re-download their SSL VPN configuration from the user portal.

Regards,

Thank you very much. I will tell the  user to reconnect after lunchbreak. Its not a good idea to tell the user to download a new certificate 

there will be to much problems in that process. I am happy to have 150 user working with vpn and not want to run in problems. 

BR

Marco

I've verified that the Key lifetime value is a timeout option pushed to the client during client/server negotiations. Clients will not need to re-download their VPN profile if the Key lifetime value is change. However, applying this change does disconnect connected VPN clients and may require them to authenticate if OTP is enabled.

Hey, 

Sorry that I dig out this old question, but I've the same problem with our users.

I changed key lifetime to 10 hours and also downloaded the ssl config once again, even Jacob reported that it's not necessary. 

But my users still get disconnected after 8 hours. 

Any further Ideas? FloSupport We're actual on 17 MR10

Regards, 

Jonny

Any updates on this?  We are also having users disconnected after the 8 hour mark.  This is causing a lot of confusion and frustration for our remote users (which in today's world is most users).

Hi Jonnie 

With the key lifetime value 10 hours users should not get disconnected after 8 hours, key life time value defines that the keys will expire after configured time and disconnects the user to reset the keys. There are no other settings on the firewall that would cause this disconnects after 8 hours, I think it is possible that user got disconnected for some other reason. 

Could you please provide client logs around the time that user got disconnected? 

Thanks,

Hey H_Patel, 

Thanks for your reply. I've have installed the OpenVPN GUI, because I can't run Sophos SSL VPN Client as a service or? Without the use of a windows service, the log will be lost with the next restart of the Sophos VPN client. 

I will monitor this behaviour and post the log maybe next week after the public holidays.

Worth adding that we've just added 100 users to our Sophos XG using SSL VPN. Users getting disconnected after 8 hours. Changed the key lifetime in VPN settings to give 12 hours. Clients were disconnected and had to reconnect but the sessions now last 12 hours. SSL Client or config, as others say, doesn't need to be downloaded again.

Worth adding that we've just added 100 users to our Sophos XG using SSL VPN. Users getting disconnected after 8 hours. Changed the key lifetime in VPN settings to give 12 hours. Clients were disconnected and had to reconnect but the sessions now last 12 hours. SSL Client or config, as others say, doesn't need to be downloaded again.

Hey, 

Today I could verify the issue by myself. I've started the VPN at 9:10 am and get "disconnected" at 17:10 pm, exact 8 hours later. 

The curious thing is, that my active RDP Connection has been disconnected but my vpn is still active? 

Checked internet access --> ok , checked my public ip --> From the xg and not from my homeoffice, checked ICMP to recently connected server --> FAIL

I remembered that I have a similar issue months ago, where our ssl vpn users has been kicked off after exactly 15 mins. 

The VPN client still says connected, but no connection to our internal servers. I've discussed this issue several times with the support hotline, but they don't understand the problem, even with a Support Session in the same moment where the disconnect happens. I was angry as hell! 

So I checked all possible "time" fields at the XG and noticed that I have set the "Maximum Session Timeout" at the Global Settings under Services to 15min. My thought was, that this settings only apply to the user portal and not to the ssl vpn itself. But after I set this to 8 hours, the issue was resolved. 

Am I right assuming that the "Maximum Session Timout" could affect the ssl vpn with the otp token? 

Because I already set the Key Lifetime to 10 hours and downloaded the ssl config once again. This is the only settings which make sense to me, after my story as described above. 

I will try it tomorrow once again but I would appreciate a confirmation from the forum support. :) 

If the Client is already installed with a proper Certificate, it will receive the new Configuration in the process of building the new VPN tunnel. So you do not need to download the configuration again. 

Hey LuCar Toni 

Yes, I noticed this. But as I described, I already changed the keytime from the ssl vpn to 10 hours but get kicked out again after 8 hours. Therefore I thought it has something to do with the global session timeout, according with my experience a few months ago.  

Ok, my guess with the global session timeout was correct. The VPN is still connected after 8 hours and I can reach all internal systems. 

I assume that the setting only applies if you use the OTP Token for authentication and not just the normal username + password combination. 

Maybe this info will help other customers and also the clueless sophos support. [:#]

Hey Jonnie,

this seems legit.

Anybody knows where I can set the setting on an Sophos SG?

Best regards

I have the exact same issue, after 8 hours all VPN clients dropped connection.

May anyone let me know the "Maximum session timeout" mean, coz by default the setting is tick to Unlimited, so why after 8 hours it stop SSL VPN with OTP authentication?

Btw, may I know the best value for "Maximum session timeout" if I want VPN connection still keeping after 12hrs or even more?

Hung Ho said:

I have the exact same issue, after 8 hours all VPN clients dropped connection.

May anyone let me know the "Maximum session timeout" mean, coz by default the setting is tick to Unlimited, so why after 8 hours it stop SSL VPN with OTP authentication?

Btw, may I know the best value for "Maximum session timeout" if I want VPN connection still keeping after 12hrs or even more?

 

Hi Jonnie,

Hey, 

I've set both settings to 12 hours, which is working without any further issues. 

Do you use the mfa or otp token for the ssl vpn? 

Hi,

Yes, I used the OTP for SSL VPN. Ok, I will try to set both like you, let see what happen then.

May I know your value of this section "Simultaneous logins" ?