Thread Info
  • State Verified Answer
  • +6 person also asked this people also asked this
  • Locked Locked
  • Replies 42 replies
  • Answers 4 answers
  • Subscribers 46 subscribers
  • Views 55297 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN timeout/key negotion after 8 hours

Jacob Jensen1

Hello,

 

I have a remote user using SSL vpn connect to our main office Sophos XG virtual appliance. After almost exactly 8 hours it seems that the VPN is re-negotiating keys but fails and the VPN connection dies. This is probably because we are using 2 factor authentication?

 

Is there a way to adjust or disable the re-negotiation of the keys so that this will not happen?

 

Regards

Jacob 



This thread was automatically locked due to age.
  • +3

    Hey  

    I'll attach a screenshot below, but have you tried changing the key lifetime configured in your SSL VPN settings?

    Best,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to FloSupport

    Hi FloSupport,

     

    I have not tried that. could i double that without it causing other issues? 57600? an even higher number?

     

    Regards

    Jacob

  • 0 in reply to Jacob Jensen1

    Hey  

    Apologies for the delay in response!

    You could configure this with a higher number, but please keep in mind this will decrease your level of network security. For reference from our XG admin guide (p.236-237), "Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphered text for analysis."

    I would also advise looking online for more information to help you make an informed decision about choosing the key lifetime for your network.

    Best,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to FloSupport

    OK thank you.

     

    Before switching to XG we were using an openvpn appliance (https://openvpn.net/) Back then we never had this problem. Should the XG not be able to renegotiate the keys without disconnecting the client even though we are working with 2 factor authentication?

     

    Im trying to figure out if this is a bug in XG or why this was not happening on the old openvpn appliance?

     

    Regards

    Jacob

  • 0 in reply to Jacob Jensen1

    Hey  

    The client shouldn't be disconnected as a result of the key renegotiation process. Are you able to perform a test to verify by decreasing your Key Lifetime to a shorter duration (60 seconds) and confirming the result?

    This issue could be caused by the 2 factor authentication when rekeying is performed.

    Please keep me updated.

    Best,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to FloSupport

    Hi Flo,

    I already have a log of the failing attempt. As you can see the VPN is initialized at 08:02:18 and keys renegotiated at around 16:00.

    Wed Apr 18 08:02:18 2018 /sbin/ip link set dev tun0 up mtu 1500 Wed Apr 18 08:02:18 2018 /sbin/ip addr add dev tun0 192.168.200.7/24 broadcast 192.168.200.255 Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via 192.168.24.1 Wed Apr 18 08:02:22 2018 /sbin/ip route add 192.168.100.0/24 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add 192.168.101.0/24 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 Initialization Sequence Completed Wed Apr 18 16:02:11 2018 VERIFY OK: depth=1, C=xx, ST=xxxxxxxx, L=xxxxxxx, O=xxxxxxxxxxxxx, OU=IT, CN=Sophos_CA_C0100xxxxxxxHE5, emailAddress=xxxxxxxxxx Wed Apr 18 16:02:11 2018 VERIFY X509NAME OK: C=DK, ST=xxxxxx, L=xxxxxx, O=xxxxxxx A, CN=SophosApplianceCertificate_C0100xxxxxxHE5, emailAddress=xxxxxxxxxx Wed Apr 18 16:02:11 2018 VERIFY OK: depth=0, C=DK, ST=xxxxxxx, L=xxxxx, O=xxxxxxx, CN=SophosApplianceCertificate_C01001xxxxHHE5, emailAddress=xxxxxxxx Wed Apr 18 16:02:12 2018 Data Channel Encrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:02:12 2018 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:02:12 2018 Data Channel Decrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:02:12 2018 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:02:12 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Wed Apr 18 16:09:09 2018 Connection reset, restarting [0] Wed Apr 18 16:09:09 2018 SIGUSR1[soft,connection-reset] received, process restarting Wed Apr 18 16:09:09 2018 Restart pause, 5 second(s) Wed Apr 18 16:09:14 2018 Socket Buffers: R=[87380->87380] S=[16384->16384] Wed Apr 18 16:09:14 2018 Attempting to establish TCP connection with
    [AF_INET]xx.xx.xx.xx:8443 [nonblock]
    Wed Apr 18 16:09:15 2018 TCP connection established with
    [AF_INET]xx.xx.xx.xx:8443
    Wed Apr 18 16:09:15 2018 TCPv4_CLIENT link local: [undef] Wed Apr 18 16:09:15 2018 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:8443 Wed Apr 18 16:09:15 2018 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:8443, sid=da45xxx 4ca57334 Wed Apr 18 16:09:15 2018 VERIFY OK: depth=1, C=DK, ST=xxxxxxxxx, L=xxxxxxx, O=xxxxxxxxx, OU=IT, CN=Sophos_CA_C010xxxxDFHHHE5, emailAddress=xxxxxxx Wed Apr 18 16:09:15 2018 VERIFY X509NAME OK: C=DK, ST=xxxxxx, L=xxxxxx, O=xxxxxxxx, CN=SophosApplianceCertificate_C0xxxxxxFHHHE5, emailAddress=xxxxxxxxxx Wed Apr 18 16:09:15 2018 VERIFY OK: depth=0, C=DK, ST=xxxxxx, L=xxxxxx, O=xxxxxxx, CN=SophosApplianceCertificate_C010017QDFHHHE5, emailAddress=xxxxxxx Wed Apr 18 16:09:16 2018 Data Channel Encrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:09:16 2018 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:09:16 2018 Data Channel Decrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:09:16 2018 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:09:16 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Wed Apr 18 16:09:16 2018 [SophosApplianceCertificate_C0100xxxxxxxHHE5]
    Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:8443 Wed Apr 18 16:09:18 2018 SENT CONTROL
    [SophosApplianceCertificate_C010xxxxxFHHHE5]: 'PUSH_REQUEST' (status=1) Wed Apr 18 16:09:18 2018 AUTH: Received control message: AUTH_FAILED Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 /sbin/ip route del 192.168.101.0/24 Wed Apr 18 16:09:18 2018 /sbin/ip route del 192.168.100.0/24 Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 Closing TUN/TAP interface Wed Apr 18 16:09:18 2018 /sbin/ip addr del dev tun0 192.168.200.7/24 Wed Apr 18 16:09:18 2018 SIGTERM[soft,auth-failure] received, process exiting

     

    It does say AUTH_FAILED and that would make says if it tries to reuse the password from 08:00 because that ofcourse has changed due to the use of 2 factor auth. This was however not an issue with the old solution based on openvpn ALSO using 2 factor auth.

     

    Regards

    Jacob

  • 0 in reply to Jacob Jensen1

    Could you please verify if you experience the same issue when you decrease the Key Lifetime to 60 seconds?

    Also what method of 2 factor authentication are you using?

    Thanks,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to FloSupport

    Hello, i have more or less the same problem. Key lifetime is 8 hours and with 2factor auth the connection goes down after 8 hours.

    I would not like to change much in that session cause i am not sure about the effect ? The setting of key lifetime is firewall side only or

    do i have to send the users a new certificate after that change ?  Or can i change it also to 9 hours without any outage of the users 

    connection ? 

     

    BR

    Marco

  • +1 in reply to marco_47d

    Hi  

    See what I mentioned above regarding the risks of increasing the key lifetime. Generally, changing the settings on that SSL VPN configuration window will require users to re-download their SSL VPN configuration from the user portal.

    Regards,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
Unfiltered HTML