
SSL VPN with OTP: users have to reenter credentials after disconnect

We are using SSL VPN to work from home. Everyone authenticates with their AD password and an OTP.

Most of the time it is working fine, but some users have a bad internet connection and disconnect a few times a day. After a disconnect, even if it is just a few seconds, the Sophos SSL VPN Client is unable to reconnect. I suppose that is because the OTP is not valid anymore?

Is it somehow possible for the VPN Client to reconnect without disabling OTP?



  • Are you seeing "TLS keys are out of sync" for the users losing their connection?

  • I think you are right.
    With OTP reconnect fails, because the OTP provided isn't current any more.
    No solution until now.
    You should send your idea to Sophos.

    ideas.sophos.com/.../17359-sg-utm



    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Yes, at the time of a disconnect the VPN firewall log reads:

    2020:04:22-08:26:55 fw-1 openvpn[25345]: TCP connection established with [AF_INET]321.321.321.321:35067 (via [AF_INET]123.123.123.123:443)
    2020:04:22-08:26:56 fw-1 openvpn[25345]: 321.321.321.321:35067 TLS: Initial packet from [AF_INET]321.321.321.321:35067 (via [AF_INET]123.123.123.123:443), sid=af50eeba f227d93b
    2020:04:22-08:26:56 fw-1 openvpn[25345]: 321.321.321.321:35067 VERIFY OK: [...]
    2020:04:22-08:26:56 fw-1 openvpn[25345]: 321.321.321.321:35067 VERIFY OK: [...]
    2020:04:22-08:26:56 fw-1 openvpn[25345]: 321.321.321.321:35067 VERIFY OK: [...]
    2020:04:22-08:26:56 fw-1 openvpn[25345]: 321.321.321.321:35067 VERIFY OK: [...]
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 TLS: Username/Password authentication deferred for username 'someuser' [CN SET]
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 [someuser] Peer Connection Initiated with [AF_INET]321.321.321.321:35067 (via [AF_INET]123.123.123.123:443)
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 TLS Error: local/remote TLS keys are out of sync: [AF_INET]321.321.321.321:35067 (via [AF_INET]123.123.123.123:443) [0]
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 TLS Error: local/remote TLS keys are out of sync: [AF_INET]321.321.321.321:35067 (via [AF_INET]123.123.123.123:443) [0]
    2020:04:22-08:26:57 fw-1 openvpn[25345]: 321.321.321.321:35067 TLS Error: local/remote TLS keys are out of sync: [AF_INET]321.321.321.321:35067 (via [AF_INET]123.123.123.123:443) [0]
    2020:04:22-08:26:59 fw-1 openvpn[25345]: 321.321.321.321:35067 TLS Error: local/remote TLS keys are out of sync: [AF_INET]321.321.321.321:35067 (via [AF_INET]123.123.123.123:443) [0]
    2020:04:22-08:26:59 fw-1 openvpn[25345]: 321.321.321.321:35067 PUSH: Received control message: 'PUSH_REQUEST'
    2020:04:22-08:26:59 fw-1 openvpn[25345]: 321.321.321.321:35067 Delayed exit in 5 seconds
    2020:04:22-08:26:59 fw-1 openvpn[25345]: 321.321.321.321:35067 SENT CONTROL [someuser]: 'AUTH_FAILED' (status=1)
    2020:04:22-08:26:59 fw-1 openvpn[25345]: 321.321.321.321:35067 Connection reset, restarting [0]
    2020:04:22-08:26:59 fw-1 openvpn[25345]: 321.321.321.321:35067 SIGUSR1[soft,connection-reset] received, client-instance restarting


    And on the VPN client:

    Wed Apr 22 08:26:38 2020 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
    Wed Apr 22 08:26:38 2020 Connection reset, restarting [-1]
    Wed Apr 22 08:26:38 2020 SIGUSR1[soft,connection-reset] received, process restarting
    Wed Apr 22 08:26:38 2020 MANAGEMENT: >STATE:1587536798,RECONNECTING,connection-reset,,,,,
    Wed Apr 22 08:26:38 2020 Restart pause, 5 second(s)
    Wed Apr 22 08:26:43 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Apr 22 08:26:43 2020 MANAGEMENT: >STATE:1587536803,RESOLVE,,,,,,
    Wed Apr 22 08:26:55 2020 Attempting to establish TCP connection with [AF_INET]123.123.123.123:443 [nonblock]
    Wed Apr 22 08:26:55 2020 MANAGEMENT: >STATE:1587536815,TCP_CONNECT,,,,,,
    Wed Apr 22 08:26:56 2020 TCP connection established with [AF_INET]123.123.123.123:443
    Wed Apr 22 08:26:56 2020 TCPv4_CLIENT link local: [undef]
    Wed Apr 22 08:26:56 2020 TCPv4_CLIENT link remote: [AF_INET]123.123.123.123:443
    Wed Apr 22 08:26:56 2020 MANAGEMENT: >STATE:1587536816,WAIT,,,,,,
    Wed Apr 22 08:26:56 2020 MANAGEMENT: >STATE:1587536816,AUTH,,,,,,
    Wed Apr 22 08:26:56 2020 TLS: Initial packet from [AF_INET]123.123.123.123:443, sid=2682d39e a0d43db1
    Wed Apr 22 08:26:56 2020 VERIFY OK: [...]
    Wed Apr 22 08:26:56 2020 VERIFY X509NAME OK: [...]
    Wed Apr 22 08:26:56 2020 VERIFY OK: [...]
    Wed Apr 22 08:26:57 2020 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 22 08:26:57 2020 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 22 08:26:57 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 22 08:26:57 2020 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 22 08:26:57 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Wed Apr 22 08:26:57 2020 [fw.domain.de] Peer Connection Initiated with [AF_INET]123.123.123.123:443
    Wed Apr 22 08:26:58 2020 MANAGEMENT: >STATE:1587536818,GET_CONFIG,,,,,,
    Wed Apr 22 08:26:59 2020 SENT CONTROL [fw.domain.de]: 'PUSH_REQUEST' (status=1)
    Wed Apr 22 08:26:59 2020 AUTH: Received control message: AUTH_FAILED
    Wed Apr 22 08:26:59 2020 SIGUSR1[soft,auth-failure] received, process restarting
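
    A small log-correlation script, added here as an example and not taken from this thread or from Sophos: it parses the UTM openvpn log format shown above and flags client endpoints whose session was initiated, then reported "TLS keys are out of sync" and finally got AUTH_FAILED, which is the signature of a reconnect attempt with a stale OTP rather than a user who never authenticated. The IP addresses and the second user in the embedded sample log are constructed.

```python
import re
from collections import defaultdict

# Sophos UTM openvpn line: "<date>-<time> <host> openvpn[<pid>]: <client ip:port> <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ openvpn\[\d+\]: '
    r'(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$'
)
USER_RE = re.compile(r'\[(?P<user>[^\]]+)\] Peer Connection Initiated')

def analyse(lines):
    """Group events per client endpoint (ip:port) and record the three markers
    of the stale-OTP reconnect pattern: user session initiated, TLS key
    desync errors, AUTH_FAILED sent back to the client."""
    peers = defaultdict(lambda: {"user": None, "out_of_sync": 0,
                                 "auth_failed": False, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                      # lines without a client prefix are ignored
            continue
        p = peers[m.group("peer")]
        p["first"] = p["first"] or m.group("ts")
        p["last"] = m.group("ts")
        msg = m.group("msg")
        u = USER_RE.search(msg)
        if u:
            p["user"] = u.group("user")
        if "TLS keys are out of sync" in msg:
            p["out_of_sync"] += 1
        if "'AUTH_FAILED'" in msg:
            p["auth_failed"] = True
    return dict(peers)

def failed_reconnects(peers):
    """Endpoints that match the full pattern, sorted for stable reporting."""
    return sorted(peer for peer, p in peers.items()
                  if p["user"] and p["out_of_sync"] > 0 and p["auth_failed"])

# Constructed sample in the same format as the firewall log quoted above.
SAMPLE_LOG = """\
2020:04:22-08:26:57 fw-1 openvpn[25345]: 203.0.113.10:35067 TLS: Username/Password authentication deferred for username 'someuser' [CN SET]
2020:04:22-08:26:57 fw-1 openvpn[25345]: 203.0.113.10:35067 [someuser] Peer Connection Initiated with [AF_INET]203.0.113.10:35067 (via [AF_INET]192.0.2.1:443)
2020:04:22-08:26:57 fw-1 openvpn[25345]: 203.0.113.10:35067 TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.10:35067 (via [AF_INET]192.0.2.1:443) [0]
2020:04:22-08:26:59 fw-1 openvpn[25345]: 203.0.113.10:35067 TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.10:35067 (via [AF_INET]192.0.2.1:443) [0]
2020:04:22-08:26:59 fw-1 openvpn[25345]: 203.0.113.10:35067 SENT CONTROL [someuser]: 'AUTH_FAILED' (status=1)
2020:04:22-08:30:01 fw-1 openvpn[25345]: 198.51.100.7:41022 [otheruser] Peer Connection Initiated with [AF_INET]198.51.100.7:41022 (via [AF_INET]192.0.2.1:443)
2020:04:22-08:30:02 fw-1 openvpn[25345]: 198.51.100.7:41022 PUSH: Received control message: 'PUSH_REQUEST'
""".splitlines()

if __name__ == "__main__":
    for peer in failed_reconnects(analyse(SAMPLE_LOG)):
        print("stale-OTP reconnect failure:", peer)
```

Feed it the real log (`analyse(open(path).read().splitlines())`) to get the list of affected endpoints; the per-peer dict also keeps the username and first/last timestamps for a quick report.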

  • I did a similar post and the person who responded said to maybe increase the key lifetime to 10 hours.  Since we are using OTP it can't auto-reconnect.

  • Remote Access > SSL > Advanced > Key Lifetime? I changed that a few weeks ago from 8h to 12h but that's not the problem.

    Users are getting disconnected before the Key Lifetime runs out. Sometimes a few minutes after they first connect for the day. I suppose it's because of a bad wifi connection.

  • Probably a bad connection.  I've already had to prove to multiple employees their wireless stinks at home, by remoting in and installing inSSIDer.  After that I was able to show them they were connecting at -75dB+ and that is unreliable.  I had to make up multiple 40-50ft patch cables or tell people over the phone to move their cable modems to the office they are working out of.

  • I think I managed to fix it. 

    About a week ago I changed the protocol (Remote Access -> SSL -> Settings -> Protocol) from TCP to UDP. Every user had to install the new config and there hasn't been a complaint since.

  • Even with UDP, I believe the OTP thing still is an issue if they have to reconnect.  I have UDP enabled on ours as well.  Issue could've been crappy Internet and with TCP it failed during the handshakes and disconnected their session.