
VPN timeout/key negotiation after 8 hours

Hello,

I have a remote user using SSL VPN to connect to our main office Sophos XG virtual appliance. After almost exactly 8 hours it seems that the VPN is re-negotiating keys but fails, and the VPN connection dies. This is probably because we are using 2 factor authentication?

Is there a way to adjust or disable the re-negotiation of the keys so that this will not happen?

Regards

Jacob



  • Hey  

    I'll attach a screenshot below, but have you tried changing the key lifetime configured in your SSL VPN settings?

    Best,


    Florentino
    Director, Global Community & Digital Support

  • Hi FloSupport,

    I have not tried that. Could I double that without it causing other issues? 57600? An even higher number?

    Regards

    Jacob

  • I have tested 3 cases as below.

    Scenario 1:

    Session timeout: 15

    Key lifetime: 10

    SSL VPN user disconnected after exactly 10 mins.

    Scenario 2:

    Session timeout: 5

    Key lifetime: 10

    SSL VPN user disconnected after exactly 10 mins.

    Scenario 3:

    Session timeout: Unlimited

    Key lifetime: 15

    SSL VPN user disconnected after exactly 15 mins.

    I think it is not related to the session timeout. It depends on the key lifetime. Something goes wrong between the key lifetime and OTP.

    I hope Sophos Technical looks into this issue ASAP.

    Thank you.

  • Session timeout is kind of a tricky part of VPN in general. What it means is: if the client is idle, it starts counting and disconnects after some idle time. But to determine that a client is idle, you need to define what an idle client means.

    A key lifetime is a fixed value: from session establishment to 15 mins. Afterwards the connection is rekeyed.

    In the real world, I never recommend using session timeout for IPsec or SSL VPN. The quality-of-life aspect of this feature is not the best. I would rather work with the work-hours feature of the firewall rules or the user time.

    That is my feedback about this part.

     

    __________________________________________________________________________________________________________________

  • Hey Lucar,

    I have the same issue. How can I set the general session timeout on Sophos SG 430?


    Best regards

  • SG or XG?

    Key negotiation or user session timeout?

    __________________________________________________________________________________________________________________

  • Hey,

    User session timeout. SG 430.

    Best regards

  • You should ask this Question in the UTM section.

    __________________________________________________________________________________________________________________

  • That's a nice answer from a Sophos staff member...

  • This thread is 3 pages with content going in different directions. Discussing UTM matters in this thread does not help to keep an overview.

    In particular, I do not know:

    Do you use Sophos Connect or OpenVPN or the Sophos OpenVPN client?

    Do you use AD, local AD or RADIUS as the backend authentication?

    Do you mean by session timeout the key lifetime or the user session by data with idle?

    These questions should be handled by the UTM section, because the admins there can actually answer all of those questions in a proper manner. I do not have a UTM to interact with and verify my answer for UTM. (PS: I could give you a guess, but that is not helpful at all.)

    __________________________________________________________________________________________________________________

  • Hi LuCar Toni,

    My product is: XG 310, FW 17.5.MR8

    I use the Sophos SSL VPN client. Authentication via AD. SSL VPN users use their AD account combined with OTP to authenticate.

    In the VPN global settings, the default value of Key lifetime is 28800, meaning 8 hours.

    Recently, users have reported to me that their VPN connection always drops exactly 8 hours later. So I think something goes wrong between the key lifetime and OTP.

    It seems this issue only occurs when using OTP :)

    Below is my test after increasing the key lifetime to 16 hrs :); as you can see, the start time and end time are exactly 16 hrs apart. Another note: I still keep the "Maximum session timeout" at the default.
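    The "drops at exactly the key lifetime" pattern described in the test cases above and in this post can be confirmed from connection logs before any firewall setting is changed: if session durations cluster at a multiple of the configured key lifetime (28800 s by default, as quoted in the post), the rekey is the likely trigger rather than the idle session timeout. The script below is an added example, not from this thread or from Sophos; it assumes a constructed, simplified log format (ISO timestamp plus `user=`/`event=` fields), which real XG logs do not match one-to-one, and the sample lines are made up.

```python
"""Correlate SSL VPN disconnects with the configured key lifetime.

Added example (not from the thread or from Sophos). The log format is a
constructed simplification: "<ISO timestamp> user=<name> event=<connected|disconnected>".
"""
from datetime import datetime

KEY_LIFETIME_SEC = 28800   # XG SSL VPN default key lifetime (8 h), quoted in the thread
TOLERANCE_SEC = 60         # accept up to a minute of jitter around the rekey moment

# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = """\
2020-08-03T08:00:05 user=alice event=connected
2020-08-03T08:10:00 user=bob event=connected
2020-08-03T11:42:10 user=bob event=disconnected
2020-08-03T16:00:12 user=alice event=disconnected
2020-08-03T16:01:30 user=alice event=connected
2020-08-04T00:01:41 user=alice event=disconnected
"""


def parse_events(text):
    """Parse log text into (timestamp, user, event) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts_str), fields["user"], fields["event"]))
    return events


def session_durations(events):
    """Pair each connect with the next disconnect of the same user.

    Returns (user, start, end, duration_seconds) in order of disconnect time.
    """
    open_sessions = {}
    sessions = []
    for ts, user, ev in sorted(events):   # tuples sort by timestamp first
        if ev == "connected":
            open_sessions[user] = ts
        elif ev == "disconnected" and user in open_sessions:
            start = open_sessions.pop(user)
            sessions.append((user, start, ts, int((ts - start).total_seconds())))
    return sessions


def rekey_correlated(sessions, key_lifetime=KEY_LIFETIME_SEC, tol=TOLERANCE_SEC):
    """Return sessions whose duration is a whole multiple of the key lifetime (+/- tol).

    A session may survive a failed rekey once and die at the next one, so
    multiples greater than one are also reported, together with the multiple.
    """
    hits = []
    for user, start, end, dur in sessions:
        if dur < key_lifetime - tol:      # shorter than one lifetime: not a rekey drop
            continue
        multiples = round(dur / key_lifetime)
        if abs(dur - multiples * key_lifetime) <= tol:
            hits.append((user, start, end, dur, multiples))
    return hits


if __name__ == "__main__":
    sessions = session_durations(parse_events(SAMPLE_LOG))
    for user, start, end, dur, n in rekey_correlated(sessions):
        print(f"{user}: {start} -> {end} lasted {dur}s (~{n} x key lifetime)")
```

    Run against the sample, both of alice's sessions are reported (28807 s and 28811 s, one key lifetime each) while bob's 3.5-hour session is not, which is the signature the post describes. Re-running with `key_lifetime=57600` after raising the setting should make the hits disappear if the rekey is the cause.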

  • XG will actually re-authenticate the user after a rekey. That is the current design, which is currently being revisited.

    IPsec will rekey after 4 hours. (Coded)

    SSL VPN will rekey after 8 hours. (Adjustable)

    That leads to 1-3 OTP auths per day in a common scenario, which is annoying but "maybe ok".

    I assume you will get the same numbers in Sophos Connect 2.0? Could you give this a try?

    https://community.sophos.com/products/xg-firewall/sfos-eap/sophos-connect-eap/b/announcements/posts/sophos-connect-2-0-early-access

    __________________________________________________________________________________________________________________

  • LuCar Toni said:

    That leads to 1-3 OTP auths per day in a common scenario, which is annoying but "maybe ok".

    I assume you will get the same numbers in Sophos Connect 2.0? Could you give this a try?

    https://community.sophos.com/products/xg-firewall/sfos-eap/sophos-connect-eap/b/announcements/posts/sophos-connect-2-0-early-access

    That is a bad joke, isn't it? You can't explain to your colleagues or even your CEO that they have to re-authenticate just a few times a day because it's hard-coded in the firewall.

    In times of corona, where everyone relies on having a stable internet connection, what about online meetings, phone calls, file uploads etc.? "Uhm, sorry, I have to re-authenticate my VPN client because Sophos can't offer an option to adjust the rekey / auth time."

    Yes, we could use Sophos Connect 2.0, but it was only released a few days ago and is still in beta?

    Anyway, what about macOS users?

    I asked the same questions in the Sophos Connect group, but the only answer is "yeah, it's on the roadmap".

    Sorry, I really appreciate your support. But this is almost the same useless answer that I got from the regular Sophos support, as I described before.

    Sophos should really fix these basic issues!

  • I could not agree more. Sophos Support is getting more and more worrying. Statements like that are totally not acceptable.
    How can it be that it's August and there is still no solution to a simple issue like this?