
VPN timeout/key negotiation after 8 hours

Hello,


I have a remote user using SSL VPN to connect to our main office Sophos XG virtual appliance. After almost exactly 8 hours it seems that the VPN is re-negotiating keys but fails, and the VPN connection dies. This is probably because we are using 2-factor authentication?


Is there a way to adjust or disable the re-negotiation of the keys so that this will not happen?


Regards

Jacob

  • I have tested 3 cases as below. 

    Scenario 1:

    Session timeout: 15

    Key lifetime: 10

    SSL VPN user disconnected after exactly 10 mins.

    Scenario 2:

    Session timeout: 5

    Key lifetime: 10

    SSL VPN user disconnected after exactly 10 mins.

    Scenario 3:

    Session timeout: Unlimit

    Key lifetime: 15

    SSL VPN user disconnected after exactly 15 mins.


    I think it is not related to the session timeout. It depends on the key lifetime. Something goes wrong between the key lifetime and OTP.

    I hope Sophos Technical looks into this issue asap.

    Thank you.

  • Session timeout is kind of a tricky part of VPN in general. What it means is: if the client is idle, it starts counting and disconnects after some idle time. But to determine that a client is idle, you need to define what an idle client means.

    A key lifetime is a fixed value: from session establishment until, e.g., 15 mins. Afterwards the connection is rekeyed.


    In the real world, I never recommend using session timeout for IPsec or SSL VPN. The quality-of-life feature for this is not the best. I would rather work with the work-hour feature of the firewall rules or the user time.

    That is my feedback about this part. 


  • Hey Lucar,

    I have the same issue. How can I set the general session timeout on Sophos SG 430?


    Best regards

  • SG or XG? 

    Key Negotiation or User Session timeout?

  • Hey,

    User Session Timeout. SG 430.


    Best regards

  • You should ask this Question in the UTM section.

  • That's a nice answer by a member of Sophos staff...

  • This thread is 3 pages with content going in different directions. Discussing UTM matters in this thread does not help to keep an overview.

    In particular, I do not know:

    Do you use Sophos Connect or OpenVPN or the Sophos OpenVPN Client? 

    Do you use AD, Local AD or Radius as a Backend Authentication?

    By session timeout, do you mean the key lifetime or the user session (based on data/idle)?


    These questions should be handled by the UTM section, because the admins there can actually answer all of them properly. I do not have a UTM to interact with and verify my answer for UTM. (PS: I could give you a guess, but that is not helpful at all.)

  • Hi LuCar Toni,

    My Product is: XG 310, FW 17.5.MR8

    I use the Sophos SSL VPN Client. Authentication via AD. SSL VPN users use their AD account and combine it with OTP for authentication.

    In the VPN global settings, the default value of Key lifetime is 28800, meaning 8 hours.

    Recently, users reported to me that their VPN connection always drops exactly 8 hours later. So I think something is going wrong between key lifetime and OTP.

    It seems this issue only occurs when using OTP :)


    Below is my test after increasing the Key lifetime to 16 hrs :); as you can see, the start time and end time are exactly 16 hrs apart. Another note: I still keep the "Maximum session timeout" at its default.

  • XG will actually reauth the user after rekey. That is the current design, which is currently under review for change.

    IPsec will rekey after 4 hours. (Coded)

    SSLVPN will rekey after 8 hours. (Adjustable)


    That leads to 1-3 OTP Auths per Day in a common scenario, which is annoying but "maybe ok". 


    I assume you will get the same numbers in Sophos Connect 2.0? Could you give this a try?

    https://community.sophos.com/products/xg-firewall/sfos-eap/sophos-connect-eap/b/announcements/posts/sophos-connect-2-0-early-access