Sophos Connect 2.0 (SSL) closes connection in +/- 4 hours

Hi All,

We're currently piloting on a small base with Sophos Connect 2.0 (2.0.34) and XG 125 (SFOS 18.0.1 MR-1-Build396). I'm quite happy with the new client and the possibility to deploy the client (MSI) and the .pro file! Keep up the good work.

But...

Now users are reporting disconnects every +/- 4 hours. I have read some old threads about this topic, but without a clear cause or solution, and they were mostly talking about beta versions.

- we're using Sophos OTP
- all timeout settings are maxed
- encryption key lifetime is set to 12 hours (this resolves the 'old' SSL VPN issue which disconnects after 8 hours, the standard lifetime)
- users are active at the moment the disconnect happens

Does this have something to do with the expiry of the OTP?

I'm really nervous about this. I was really focused on this solution, but I can't deploy this for 80-100 users when the connection drops 1 or 2 times a day.

Hopefully someone can help me out here.

Thank you in advance

Maurice

  • Hi:

    Are you referring to these settings?

    KBA for reference: support.sophos.com/.../KB-000038464


    If Sophos Connect client users are configured with a one-time password, then users get prompted to enter a new OTP around every 4 hours by default, because the Sophos Connect client uses the DefaultRemoteAccess policy, which is not editable from the GUI and has a default ikekeylife value of 18000.

    With an ikekeylife value of 18000, IKE_SA rekeying happens around every 4 hours, and re-authentication also happens along with the IKE_SA rekeying, hence users get prompted to enter a new OTP.

    Currently it is not possible to change/modify the DefaultRemoteAccess IPsec policy from the XG firewall UI.

    If you want to increase the key lifetime, you may log a support case to have the ikekeylife value set according to your requirement by applying the CLI command changes.

  • Thank you all for the quick response

    I think this is the case here. When I look in the openvpn.log there is an "Enter Management Password" which more or less matches the time the user reports the connection is lost and they have to re-enter their OTP. It happens indeed every +/- 4 hours, with the exception of the last time.

    So to make this happen, I need to open a case with support? Do you know the CLI command to change the IKE ikekeylife value?

    Thank you in advance

    06:42 (user starts working)

    Enter Management Password:

    Mon Nov 23 06:42:26 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Mon Nov 23 06:42:26 2020 Need hold release from management interface, waiting...
    Mon Nov 23 06:42:27 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'state on'
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'log all on'
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'echo all on'
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'bytecount 5'
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'hold off'
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'hold release'
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'username "Auth" TR'
    Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'password [...]'

    etc. etc.

    10:24 Enter Management Password:

    Mon Nov 23 10:24:49 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Mon Nov 23 10:24:49 2020 Need hold release from management interface, waiting...
    Mon Nov 23 10:24:50 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'state on'
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'log all on'
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'echo all on'
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'bytecount 5'
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'hold off'
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'hold release'
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'username "Auth" TR'
    Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'password [...]'

    14:41 Enter Management Password:

    Mon Nov 23 14:41:17 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Mon Nov 23 14:41:17 2020 Need hold release from management interface, waiting...
    Mon Nov 23 14:41:18 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'state on'
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'log all on'
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'echo all on'
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'bytecount 5'
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'hold off'
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'hold release'
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'username "Auth" TR'
    Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'password [...]'
    Mon Nov 23 14:41:18 2020 TCP/UDP: Preserving recently used

    etc. etc.

    15:39

    Enter Management Password:

    Mon Nov 23 15:39:08 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Mon Nov 23 15:39:08 2020 Need hold release from management interface, waiting...
    Mon Nov 23 15:39:08 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'state on'
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'log all on'
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'echo all on'
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'bytecount 5'
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'hold off'
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'hold release'
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'username "Auth" TR'
    Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'password [...]'

    etc. etc.

  • Hi: I believe you are using the Sophos Connect client to connect to the SSL VPN server and not to IPsec remote access, as the logs you shared seem to be from sslvpn.log.

    This is not the case I discussed in my last comment; that is observed only if the Sophos Connect client has been used to connect with IPsec remote access.

    However, for your issue you may log a support case for further investigation and to confirm more on the reconnection at every disconnect every +/- 4 hours.
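The openvpn.log excerpt above shows the pattern a defender wants to measure: each fresh session opens with an untimestamped "Enter Management Password:" prompt followed by a timestamped "MANAGEMENT: TCP Socket listening on" line. Whether the gaps between those restarts cluster around a fixed period (which points at a key lifetime or rekey setting) or are irregular (which points at the network path) is the first thing to establish before opening a support case. The script below is an added example written for this thread; it is not Sophos code and not from the client. It assumes the log format shown in the excerpt, treats the management-socket line as the session-start marker, and uses a 4-hour expected period with a 30-minute tolerance, both of which are assumptions chosen to match the thread. The sample log is constructed from the timestamps quoted above, not a real capture.

```python
"""Measure the gaps between OpenVPN session restarts in a Sophos Connect openvpn.log.

Added example for this thread; not Sophos code. Assumes the log format shown in the
thread: an untimestamped "Enter Management Password:" prompt followed by timestamped
"MANAGEMENT: ..." lines each time the client starts a fresh session.
"""
import re
from datetime import datetime, timedelta

# Constructed sample built from the timestamps quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Enter Management Password:
Mon Nov 23 06:42:26 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Nov 23 06:42:26 2020 Need hold release from management interface, waiting...
Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'username "Auth" TR'
Mon Nov 23 06:42:27 2020 MANAGEMENT: CMD 'password [...]'
Enter Management Password:
Mon Nov 23 10:24:49 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Nov 23 10:24:50 2020 MANAGEMENT: CMD 'password [...]'
Enter Management Password:
Mon Nov 23 14:41:17 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Nov 23 14:41:18 2020 MANAGEMENT: CMD 'password [...]'
Mon Nov 23 14:41:18 2020 TCP/UDP: Preserving recently used
Enter Management Password:
Mon Nov 23 15:39:08 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Nov 23 15:39:08 2020 MANAGEMENT: CMD 'password [...]'
"""

# OpenVPN prefixes each line with a ctime-style timestamp: "Mon Nov 23 06:42:26 2020 ..."
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
# The management socket is opened once per session start, so this line marks a (re)connect.
# Using it as the marker is an assumption based on the excerpt in the thread.
START_MARKER = "MANAGEMENT: TCP Socket listening on"
PROMPT = "Enter Management Password:"


def parse_line(line):
    """Return (timestamp, message) for a timestamped line, or None for lines like the prompt."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), TS_FMT)
    return ts, m.group("msg")


def session_starts(log_text):
    """Timestamps at which the client opened a new session."""
    starts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and START_MARKER in parsed[1]:
            starts.append(parsed[0])
    return starts


def count_prompts(log_text):
    """Number of times the user was asked for credentials (the OTP re-entry the thread describes)."""
    return sum(1 for line in log_text.splitlines() if line.strip() == PROMPT)


def classify_gap(gap, expected=timedelta(hours=4), tolerance=timedelta(minutes=30)):
    """Label a gap 'periodic' if it sits within tolerance of the expected rekey period."""
    return "periodic" if abs(gap - expected) <= tolerance else "irregular"


def analyse(log_text, expected=timedelta(hours=4), tolerance=timedelta(minutes=30)):
    """Return one record per reconnect: previous start, new start, gap in seconds, label."""
    starts = session_starts(log_text)
    records = []
    for prev, cur in zip(starts, starts[1:]):
        gap = cur - prev
        records.append({
            "from": prev,
            "to": cur,
            "seconds": int(gap.total_seconds()),
            "label": classify_gap(gap, expected, tolerance),
        })
    return records


if __name__ == "__main__":
    print(f"credential prompts: {count_prompts(SAMPLE_LOG)}, "
          f"session starts: {len(session_starts(SAMPLE_LOG))}")
    for r in analyse(SAMPLE_LOG):
        print(f"{r['from']:%H:%M:%S} -> {r['to']:%H:%M:%S}  {r['seconds']:>6d}s  {r['label']}")
```

Run against a real openvpn.log by reading the file into `analyse()` instead of `SAMPLE_LOG`. On the constructed sample the first two gaps (13343 s and 15388 s) fall inside the 4-hour window and are labelled periodic, while the last (3471 s) is irregular, which matches the observation in the thread that the final disconnect did not fit the pattern. A run of periodic gaps on many clients is the evidence to attach to a support case about lifetime settings; mostly irregular gaps argue for looking at the network path first.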
