VPN timeout/key negotiation after 8 hours

Hello,

 

I have a remote user using SSL VPN to connect to our main office Sophos XG virtual appliance. After almost exactly 8 hours it seems that the VPN re-negotiates keys but fails, and the VPN connection dies. This is probably because we are using two-factor authentication?

 

Is there a way to adjust or disable the re-negotiation of the keys so that this will not happen?

 

Regards

Jacob 



  • Hey  

    I'll attach a screenshot below, but have you tried changing the key lifetime configured in your SSL VPN settings?

    Best,

  • Hi FloSupport,

     

    I have not tried that. Could I double that without it causing other issues? 57600? An even higher number?

     

    Regards

    Jacob

  • Hey  

    Yes, I noticed this. But as I described, I already changed the key lifetime of the SSL VPN to 10 hours but get kicked out again after 8 hours. Therefore I thought it has something to do with the global session timeout, according to my experience a few months ago.

  • Ok, my guess with the global session timeout was correct. The VPN is still connected after 8 hours and I can reach all internal systems. 

    I assume that the setting only applies if you use the OTP Token for authentication and not just the normal username + password combination. 

    Maybe this info will help other customers and also the clueless Sophos support.

  • Hey Jonnie,

    This seems legit.

     

    Does anybody know where I can set this setting on a Sophos SG?

     

    Best regards

  • I have the exact same issue: after 8 hours all VPN clients drop the connection.

    Could anyone tell me what "Maximum session timeout" means? By default the setting is ticked to Unlimited, so why does it stop the SSL VPN with OTP authentication after 8 hours?

    Btw, may I know the best value for "Maximum session timeout" if I want the VPN connection to keep going for 12 hours or even more?

  • Hung Ho said:

    I have the exact same issue: after 8 hours all VPN clients drop the connection.

    Could anyone tell me what "Maximum session timeout" means? By default the setting is ticked to Unlimited, so why does it stop the SSL VPN with OTP authentication after 8 hours?

    Btw, may I know the best value for "Maximum session timeout" if I want the VPN connection to keep going for 12 hours or even more?

    Hi Hung Ho,
    Did you change the key lifetime in the SSL VPN settings to 10 or more hours?
    Maybe the "unlimited" checkbox is inoperative; try setting your preferred timeout?
  • Hi Jonnie,

     

    Did you change the key lifetime in the SSL VPN settings to 10 or more hours? => No, I still keep it at 8 hours. Do I need to change it to a higher value? Because I heard the key lifetime is not related to the VPN drop.
    Maybe the "unlimited" checkbox is inoperative; try setting your preferred timeout? => Currently, I have set it to 12 hours.
  • Hey, 

    I've set both settings to 12 hours, which is working without any further issues. 

    Do you use the mfa or otp token for the ssl vpn? 

  • Hi,

    Yes, I use the OTP for SSL VPN. OK, I will try to set both like you; let's see what happens then.

    May I know your value of this section "Simultaneous logins" ?

  • I allowed 3 simultaneous logins. 

    From my understanding the OTP feature is the "problem". 

    If you use the VPN without the OTP token, the VPN automatically renews its key after the specified key lifetime. All fine.

    If you use the VPN with the OTP token, the VPN and the OTP token are handled separately.

    The VPN is doing its VPN things, no matter if the key lifetime is 8 or 12 hours. But the OTP token is handled as a user session, which is limited to the global maximum session limit.

    If you reach the session limit, the VPN seems like it is still active but you can't connect to any systems behind your VPN / XG, because the user session in the background has ended.

    At least that is my practical experience.

     

    But there are two main questions: 

    - Why does the "unlimited" Checkbox not work?

    - What If you set the key lifetime to 8 hours and the global session limit to 12 hours? 

    I didn't test these cases.
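The troubleshooting step this thread converged on (raise the key lifetime, see whether sessions still end at the old 8-hour mark, and check whether only OTP users are affected) can be applied to exported connection records. The following is an added example, not Sophos code or anything posted in the thread; the session records, the `auth` labels and the timestamp format are constructed, and a real check would read them from the XG/SG SSL VPN log.

```python
"""Correlate SSL VPN session durations with the two configured limits."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sessions: (user, auth method, connected, disconnected).
SESSIONS = [
    ("jacob", "otp",      "2020-05-04 08:00:00", "2020-05-04 16:00:12"),
    ("jacob", "otp",      "2020-05-05 08:30:00", "2020-05-05 16:29:50"),
    ("hung",  "otp",      "2020-05-04 09:00:00", "2020-05-04 17:00:30"),
    ("alice", "password", "2020-05-04 08:00:00", "2020-05-04 19:45:00"),
    ("bob",   "password", "2020-05-04 07:15:00", "2020-05-04 09:10:00"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def classify_drop(duration, key_lifetime_h, session_timeout_h, tolerance_min=5):
    """Name the configured limit a session's end lines up with, if any.

    Returns 'key_lifetime', 'session_timeout', 'both' (limits equal) or None.
    """
    tol = timedelta(minutes=tolerance_min)
    near_key = abs(duration - timedelta(hours=key_lifetime_h)) <= tol
    near_sess = abs(duration - timedelta(hours=session_timeout_h)) <= tol
    if near_key and near_sess:
        return "both"
    if near_key:
        return "key_lifetime"
    if near_sess:
        return "session_timeout"
    return None


def drops_by_auth(records, key_lifetime_h, session_timeout_h):
    """Count, per auth method, how many sessions ended at each limit."""
    counts = defaultdict(lambda: defaultdict(int))
    for _user, auth, start, end in records:
        duration = parse_ts(end) - parse_ts(start)
        counts[auth][classify_drop(duration, key_lifetime_h, session_timeout_h)] += 1
    return {auth: dict(c) for auth, c in counts.items()}


if __name__ == "__main__":
    # Thread scenario: key lifetime raised to 12 h, session timeout still 8 h.
    # Only OTP sessions line up with the 8 h session timeout.
    print(drops_by_auth(SESSIONS, key_lifetime_h=12, session_timeout_h=8))
```

When both limits are 8 hours the classifier reports "both", which is why raising only one of them is the useful experiment.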

  • Let's wrap this up.

     

    I would like to ask you guys to test the Sophos Connect Client 2.0 for this.

    https://community.sophos.com/products/xg-firewall/sfos-eap/sophos-connect-eap/b/announcements/posts/sophos-connect-2-0-early-access

     

    A rekey in the current state (SSL & IPsec) is a new Session for the authentication session. Therefore it needs another OTP Token.

    In IPsec, it is 4 Hours until rekey. In SSLVPN it seems to be 8 hours (Needs to be tested). 

     

    Session limited within the User in XG means, the Access_server allows a maximum of X Sessions concurrent. So Login via SSLVPN, Login via User Portal, Login via IPsec = 3 Sessions at the same time. 

     

    Provide your findings on SSLVPN in SC2.0 in the new EAP Forum. 
