
SSL VPN Timeout

By default what is the time out for a SSL VPN connection. Ours seems to kick people off at the 8 hour mark right now.


We have both 1FA and 2FA users. I thought it was just the 2FA users because the passwords had expired, but the 1FA users say the same thing happens.



  • I'm not familiar with this phenomenon, JayMan.  What do you see in the SSL VPN log when this happens?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I realized what was going on. We use 2FA, and every time it was going through the key lifetime resync it would see that the 2FA password was no longer valid and boot the person off the VPN. This doesn't happen with the 1FA logins.

  • Is this something that can be adjusted on the 2FA logins so that it doesn't time out?

  • Interesting - does the same thing happen with L2TP/IPsec?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't have any client VPNs that use L2TP/IPsec.  I believe JayMan is correct and it's the key lifetime.  I found under Remote Access > SSL > Advanced, under Cryptographic Settings, that I have the key lifetime set to 28800 seconds.  When it tries to renegotiate, the 2FA fails and the connection drops.  Unfortunately the UTM won't allow this to be set to 0, so I'll have to try the largest setting of 86400.

    I note that in my client setting configuration it contains "reneg-sec 0" but looks like 28800 from the server wins.

  • I just confirmed with cc that that's the default setting for clients, Kevin.  Also, OpenVPN docs confirm that only one side can have the 0 setting - the other sets the lifetime.  With 1FA, the key is renegotiated with the credentials cached by the client.  The credentials for the OTP are not cached by the client, but I don't think there's a mechanism for the server side in the UTM to process the second factor automatically, either.  The only solution, again, according to comments in the OpenVPN forum, is the one you guys have found.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
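To confirm from the server side that drops line up with the key renegotiation rather than with anything else, here is an added example (not from this thread, Sophos or OpenVPN) that scans OpenVPN-style server log lines and pairs each "soft reset" with the auth result that follows it. The log lines, user names, addresses and timestamps are constructed for the example; the message wording only approximates OpenVPN's output, so adjust the patterns to your own log.

```python
import re
from datetime import datetime

# Constructed sample of OpenVPN-style server log lines (made up for this
# example; wording approximates OpenVPN's, names and addresses are fake).
# "jay" is a 2FA user whose OTP cannot be replayed at renegotiation;
# "kev" is a 1FA user whose cached password re-authenticates fine.
SAMPLE_LOG = """\
2020-03-02 08:00:05 jay/203.0.113.10:1194 TLS: Username/Password authentication succeeded for username 'jay'
2020-03-02 16:00:05 jay/203.0.113.10:1194 TLS: soft reset sec=28800 bytes=104857600/0 pkts=12345/0
2020-03-02 16:00:05 jay/203.0.113.10:1194 TLS Auth Error: Auth Username/Password verification failed for peer
2020-03-02 16:00:06 jay/203.0.113.10:1194 SIGTERM[soft,auth-failure] received, client-instance exiting
2020-03-02 08:00:10 kev/198.51.100.7:1194 TLS: Username/Password authentication succeeded for username 'kev'
2020-03-02 16:00:10 kev/198.51.100.7:1194 TLS: soft reset sec=28800 bytes=52428800/0 pkts=6000/0
2020-03-02 16:00:11 kev/198.51.100.7:1194 TLS: Username/Password authentication succeeded for username 'kev'
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+?)/\S+ (.*)$")   # timestamp, user, message
SOFT_RESET_RE = re.compile(r"TLS: soft reset sec=(\d+)")

def find_renegotiation_drops(log_text):
    """Return (user, seconds_since_last_auth, reneg_sec) for every client whose
    key renegotiation (soft reset) was followed by an auth failure."""
    last_auth = {}   # user -> datetime of the last successful authentication
    pending = {}     # user -> reneg_sec of a soft reset still awaiting its auth result
    drops = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        user, msg = m.group(2), m.group(3)
        reset = SOFT_RESET_RE.search(msg)
        if reset:
            pending[user] = int(reset.group(1))
        elif "authentication succeeded" in msg:
            last_auth[user] = ts
            pending.pop(user, None)          # re-auth survived the renegotiation
        elif "verification failed" in msg and user in pending:
            elapsed = int((ts - last_auth[user]).total_seconds()) if user in last_auth else None
            drops.append((user, elapsed, pending.pop(user)))
    return drops

if __name__ == "__main__":
    for user, elapsed, sec in find_renegotiation_drops(SAMPLE_LOG):
        print(f"{user}: dropped {elapsed}s after login, at key renegotiation (reneg-sec {sec})")
```

A drop whose elapsed time equals the logged reneg-sec value is the pattern described in this thread; a failure at any other interval points somewhere else.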