
VPN timeout/key negotiation after 8 hours

Hello,

 

I have a remote user using SSL VPN to connect to our main office Sophos XG virtual appliance. After almost exactly 8 hours it seems that the VPN is re-negotiating keys but fails, and the VPN connection dies. This is probably because we are using 2-factor authentication?

 

Is there a way to adjust or disable the re-negotiation of the keys so that this will not happen?

 

Regards

Jacob 



  • Hey  

    I'll attach a screenshot below, but have you tried changing the key lifetime configured in your SSL VPN settings?

    Best,

  • Hi FloSupport,

     

    I have not tried that. Could I double that without it causing other issues? 57600? An even higher number?

     

    Regards

    Jacob

  • Any updates on this?  We are also having users disconnected after the 8 hour mark.  This is causing a lot of confusion and frustration for our remote users (which in today's world is most users).

  • FormerMember in reply to Jonnie

    Hi  

    With a key lifetime value of 10 hours, users should not get disconnected after 8 hours. The key lifetime value defines that the keys expire after the configured time, and the user is disconnected to reset the keys. There are no other settings on the firewall that would cause these disconnects after 8 hours; I think it is possible that the user got disconnected for some other reason.

    Could you please provide client logs around the time that user got disconnected? 

    Thanks,

  • Hey H_Patel, 

     

    Thanks for your reply. I've installed the OpenVPN GUI, because I can't run the Sophos SSL VPN Client as a service, or can I? Without the use of a Windows service, the log will be lost with the next restart of the Sophos VPN client.

    I will monitor this behaviour and post the log maybe next week after the public holidays.

  • Worth adding that we've just added 100 users to our Sophos XG using SSL VPN. Users getting disconnected after 8 hours. Changed the key lifetime in VPN settings to give 12 hours. Clients were disconnected and had to reconnect but the sessions now last 12 hours. SSL Client or config, as others say, doesn't need to be downloaded again.

  • Hey, 

     

    Today I could verify the issue myself. I started the VPN at 9:10 am and got "disconnected" at 17:10, exactly 8 hours later.

    The curious thing is that my active RDP connection was disconnected, but my VPN is still active?

    Checked internet access --> OK; checked my public IP --> from the XG and not from my home office; checked ICMP to the recently connected server --> FAIL

     

    I remembered that I had a similar issue months ago, where our SSL VPN users were kicked off after exactly 15 mins.

    The VPN client still said connected, but there was no connection to our internal servers. I discussed this issue several times with the support hotline, but they didn't understand the problem, even with a support session at the same moment the disconnect happened. I was angry as hell!

    So I checked all possible "time" fields on the XG and noticed that I had set the "Maximum Session Timeout" in the Global Settings under Services to 15 min. My thought was that this setting only applies to the user portal and not to the SSL VPN itself. But after I set this to 8 hours, the issue was resolved.

     

    Am I right in assuming that the "Maximum Session Timeout" could affect the SSL VPN with the OTP token?

    Because I already set the key lifetime to 10 hours and downloaded the SSL config once again. This is the only setting which makes sense to me, given my story as described above.

    I will try it tomorrow once again but I would appreciate a confirmation from the forum support. :) 

     

  • If the Client is already installed with a proper Certificate, it will receive the new Configuration in the process of building the new VPN tunnel. So you do not need to download the configuration again. 

  • Hey  

    Yes, I noticed this. But as I described, I already changed the key lifetime of the SSL VPN to 10 hours but got kicked out again after 8 hours. Therefore I thought it had something to do with the global session timeout, in line with my experience a few months ago.

  • Ok, my guess with the global session timeout was correct. The VPN is still connected after 8 hours and I can reach all internal systems. 

    I assume that the setting only applies if you use the OTP Token for authentication and not just the normal username + password combination. 

    Maybe this info will help other customers and also the clueless Sophos support.

  • Hey Jonnie,

    this seems legit.

     

    Does anybody know where I can set this setting on a Sophos SG?

     

    Best regards

  • I have the exact same issue; after 8 hours all VPN clients dropped their connection.

    Could anyone let me know what "Maximum session timeout" means? Because by default the setting is ticked to Unlimited, so why does it stop the SSL VPN with OTP authentication after 8 hours?

    Btw, may I know the best value for "Maximum session timeout" if I want the VPN connection to keep running for 12 hrs or even more?

  • Hung Ho said:

    I have the exact same issue; after 8 hours all VPN clients dropped their connection.

    Could anyone let me know what "Maximum session timeout" means? Because by default the setting is ticked to Unlimited, so why does it stop the SSL VPN with OTP authentication after 8 hours?

    Btw, may I know the best value for "Maximum session timeout" if I want the VPN connection to keep running for 12 hrs or even more?

    Hi Hung Ho,
    Did you change the key lifetime in the SSL VPN settings to 10 or more hours?
    Maybe the "unlimited" checkbox is inoperative; try to set your favourite timeout?
  • Hi Jonnie,

     

    Did you change the key lifetime in the SSL VPN settings to 10 or more hours? => No, I still keep it at 8 hours. Do I need to change it to a higher value? Because I heard the key lifetime is not related to the VPN drop.
    Maybe the "unlimited" checkbox is inoperative; try to set your favourite timeout? => Currently, I have set it to 12 hours.
  • Hey, 

    I've set both settings to 12 hours, which is working without any further issues. 

    Do you use MFA or the OTP token for the SSL VPN?

  • Hi,

    Yes, I use the OTP for SSL VPN. OK, I will try to set both like you; let's see what happens then.

    May I know your value of this section "Simultaneous logins" ?

  • I allowed 3 simultaneous logins. 

    From my understanding the OTP feature is the "problem". 

    If you use the VPN without the OTP token, the VPN automatically renews its key after the specified key lifetime. All fine.

    If you use the VPN with the OTP token, the VPN and the OTP token are handled separately.

    The VPN is doing its VPN things, no matter if the key lifetime is 8 or 12 hours. But the OTP token is handled as a user session, which is limited by the global maximum session limit.

    If you reach the session limit, the VPN seems like it is still active, but you can't connect to any systems behind your VPN / XG, because the user session in the background has ended.

    At least that is my practical experience.

     

    But there are two main questions: 

    - Why does the "unlimited" Checkbox not work?

    - What If you set the key lifetime to 8 hours and the global session limit to 12 hours? 

    I didn't test these cases.

  • Let's wrap this up.

     

    I would like to ask you guys to test the Sophos Connect Client 2.0 for this.

    https://community.sophos.com/products/xg-firewall/sfos-eap/sophos-connect-eap/b/announcements/posts/sophos-connect-2-0-early-access

     

    A rekey in the current state (SSL & IPsec) is a new Session for the authentication session. Therefore it needs another OTP Token.

    In IPsec, it is 4 Hours until rekey. In SSLVPN it seems to be 8 hours (Needs to be tested). 

     

    The session limit within the user in XG means the Access_server allows a maximum of X concurrent sessions. So login via SSL VPN, login via User Portal, login via IPsec = 3 sessions at the same time.

     

    Provide your findings on SSLVPN in SC2.0 in the new EAP Forum. 
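To tell the two timers apart from the client side (Jonnie's key-lifetime-versus-session-limit explanation and Lucar's point that a rekey starts a new authentication session and therefore needs a fresh OTP), here is an added example that is not part of the thread or of any Sophos tool: a small Python checker that reads an OpenVPN-format client log (the format the OpenVPN GUI workaround above produces) and reports whether the first rekey or AUTH_FAILED after the tunnel came up lands on the configured key lifetime or on the global session timeout. The log lines are constructed, and the timer values are inputs you supply in seconds.

```python
import re
from datetime import datetime

# OpenVPN's default log timestamp, e.g. "Mon Apr 20 09:10:02 2020"
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")

# Constructed sample client log (not a real capture): tunnel up at 09:10,
# TLS rekey and AUTH_FAILED exactly 8 hours (28800 s) later.
SAMPLE_LOG = """\
Mon Apr 20 09:10:02 2020 Initialization Sequence Completed
Mon Apr 20 12:30:15 2020 MANAGEMENT: CMD 'state'
Mon Apr 20 17:10:02 2020 TLS: soft reset sec=0/28800 bytes=1234567/-1 pkts=9876/0
Mon Apr 20 17:10:03 2020 AUTH: Received control message: AUTH_FAILED
"""

def parse_log(text):
    """Yield (timestamp, message) for every timestamped line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FORMAT), m.group(2)

def diagnose(text, key_lifetime_s, session_timeout_s=None, tolerance_s=60):
    """Find the first rekey/auth failure after the tunnel came up and say
    which configured timer (in seconds; None = unlimited) its elapsed time matches."""
    established = None
    for ts, msg in parse_log(text):
        if "Initialization Sequence Completed" in msg:
            established = ts          # (re)start the clock on every tunnel build
            continue
        if established is None or not ("soft reset" in msg or "AUTH_FAILED" in msg):
            continue
        elapsed = (ts - established).total_seconds()
        if abs(elapsed - key_lifetime_s) <= tolerance_s:
            verdict = "key lifetime (rekey starts a new auth session, so OTP is re-prompted)"
        elif session_timeout_s and abs(elapsed - session_timeout_s) <= tolerance_s:
            verdict = "global maximum session timeout"
        else:
            verdict = "neither configured timer"
        return {"established": established, "event": msg,
                "elapsed_s": elapsed, "verdict": verdict}
    return None   # no rekey or auth failure seen after the tunnel came up

if __name__ == "__main__":
    # 8 h = 28800 s, the interval the thread reports; session timeout left unlimited
    print(diagnose(SAMPLE_LOG, key_lifetime_s=28800))
```

Run it against a real client log with your own key lifetime and "Maximum session timeout" values; an event that matches neither timer points at something else, which is the case H_Patel asked the logs for.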

  • I have tested 3 cases as below.

    Scenario 1: Session timeout: 15; Key lifetime: 10. SSL VPN user disconnected after exactly 10 mins.

    Scenario 2: Session timeout: 5; Key lifetime: 10. SSL VPN user disconnected after exactly 10 mins.

    Scenario 3: Session timeout: Unlimited; Key lifetime: 15. SSL VPN user disconnected after exactly 15 mins.

     

    I think it is not related to the session timeout. It depends on the key lifetime. Something goes wrong between the key lifetime and OTP.

    I hope Sophos Technical looks into this issue asap.

    Thank you.

  • Session timeout is kind of a tricky part of VPN in general. What it means is: if the client is idle, it starts counting and disconnects after some idle time. But to determine that a client is idle, you need to figure out what an idle client means.

    A key lifetime is a fixed value: from session establishment to 15 mins. Afterwards the connection is rekeyed.

    In the real world, I never recommend using a session timeout for IPsec or SSL VPN. The quality-of-life aspect of this feature is not the best. I'd rather work with the work-hour feature of the firewall rules or the user time.

    That is my feedback about this part. 

     

  • Hey Lucar,

    I have the same issue. How can I set the general session timeout on a Sophos SG 430?


    Best regards

  • SG or XG? 

    Key negotiation or user session timeout?