Thread Info
  • State Verified Answer
  • +6 person also asked this people also asked this
  • Locked Locked
  • Replies 42 replies
  • Answers 4 answers
  • Subscribers 46 subscribers
  • Views 55426 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN timeout/key negotion after 8 hours

Jacob Jensen1

Hello,

 

I have a remote user using SSL vpn connect to our main office Sophos XG virtual appliance. After almost exactly 8 hours it seems that the VPN is re-negotiating keys but fails and the VPN connection dies. This is probably because we are using 2 factor authentication?

 

Is there a way to adjust or disable the re-negotiation of the keys so that this will not happen?

 

Regards

Jacob 



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to FloSupport

    OK thank you.

     

    Before switching to XG we were using an openvpn appliance (https://openvpn.net/) Back then we never had this problem. Should the XG not be able to renegotiate the keys without disconnecting the client even though we are working with 2 factor authentication?

     

    Im trying to figure out if this is a bug in XG or why this was not happening on the old openvpn appliance?

     

    Regards

    Jacob

  • 0 in reply to Jacob Jensen1

    Hey  

    The client shouldn't be disconnected as a result of the key renegotiation process. Are you able to perform a test to verify by decreasing your Key Lifetime to a shorter duration (60 seconds) and confirming the result?

    This issue could be caused by the 2 factor authentication when rekeying is performed.

    Please keep me updated.

    Best,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to FloSupport

    Hi Flo,

    I already have a log of the failing attempt. As you can see the VPN is initialized at 08:02:18 and keys renegotiated at around 16:00.

    Wed Apr 18 08:02:18 2018 /sbin/ip link set dev tun0 up mtu 1500 Wed Apr 18 08:02:18 2018 /sbin/ip addr add dev tun0 192.168.200.7/24 broadcast 192.168.200.255 Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via 192.168.24.1 Wed Apr 18 08:02:22 2018 /sbin/ip route add 192.168.100.0/24 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add 192.168.101.0/24 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 /sbin/ip route add xx.xx.xx.xx/32 via
    192.168.200.5
    Wed Apr 18 08:02:22 2018 Initialization Sequence Completed Wed Apr 18 16:02:11 2018 VERIFY OK: depth=1, C=xx, ST=xxxxxxxx, L=xxxxxxx, O=xxxxxxxxxxxxx, OU=IT, CN=Sophos_CA_C0100xxxxxxxHE5, emailAddress=xxxxxxxxxx Wed Apr 18 16:02:11 2018 VERIFY X509NAME OK: C=DK, ST=xxxxxx, L=xxxxxx, O=xxxxxxx A, CN=SophosApplianceCertificate_C0100xxxxxxHE5, emailAddress=xxxxxxxxxx Wed Apr 18 16:02:11 2018 VERIFY OK: depth=0, C=DK, ST=xxxxxxx, L=xxxxx, O=xxxxxxx, CN=SophosApplianceCertificate_C01001xxxxHHE5, emailAddress=xxxxxxxx Wed Apr 18 16:02:12 2018 Data Channel Encrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:02:12 2018 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:02:12 2018 Data Channel Decrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:02:12 2018 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:02:12 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Wed Apr 18 16:09:09 2018 Connection reset, restarting [0] Wed Apr 18 16:09:09 2018 SIGUSR1[soft,connection-reset] received, process restarting Wed Apr 18 16:09:09 2018 Restart pause, 5 second(s) Wed Apr 18 16:09:14 2018 Socket Buffers: R=[87380->87380] S=[16384->16384] Wed Apr 18 16:09:14 2018 Attempting to establish TCP connection with
    [AF_INET]xx.xx.xx.xx:8443 [nonblock]
    Wed Apr 18 16:09:15 2018 TCP connection established with
    [AF_INET]xx.xx.xx.xx:8443
    Wed Apr 18 16:09:15 2018 TCPv4_CLIENT link local: [undef] Wed Apr 18 16:09:15 2018 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:8443 Wed Apr 18 16:09:15 2018 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:8443, sid=da45xxx 4ca57334 Wed Apr 18 16:09:15 2018 VERIFY OK: depth=1, C=DK, ST=xxxxxxxxx, L=xxxxxxx, O=xxxxxxxxx, OU=IT, CN=Sophos_CA_C010xxxxDFHHHE5, emailAddress=xxxxxxx Wed Apr 18 16:09:15 2018 VERIFY X509NAME OK: C=DK, ST=xxxxxx, L=xxxxxx, O=xxxxxxxx, CN=SophosApplianceCertificate_C0xxxxxxFHHHE5, emailAddress=xxxxxxxxxx Wed Apr 18 16:09:15 2018 VERIFY OK: depth=0, C=DK, ST=xxxxxx, L=xxxxxx, O=xxxxxxx, CN=SophosApplianceCertificate_C010017QDFHHHE5, emailAddress=xxxxxxx Wed Apr 18 16:09:16 2018 Data Channel Encrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:09:16 2018 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:09:16 2018 Data Channel Decrypt: Cipher 'AES-128-CBC'
    initialized with 128 bit key
    Wed Apr 18 16:09:16 2018 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Apr 18 16:09:16 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Wed Apr 18 16:09:16 2018 [SophosApplianceCertificate_C0100xxxxxxxHHE5]
    Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:8443 Wed Apr 18 16:09:18 2018 SENT CONTROL
    [SophosApplianceCertificate_C010xxxxxFHHHE5]: 'PUSH_REQUEST' (status=1) Wed Apr 18 16:09:18 2018 AUTH: Received control message: AUTH_FAILED Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 /sbin/ip route del 192.168.101.0/24 Wed Apr 18 16:09:18 2018 /sbin/ip route del 192.168.100.0/24 Wed Apr 18 16:09:18 2018 /sbin/ip route del xx.xx.xx.xx/32 Wed Apr 18 16:09:18 2018 Closing TUN/TAP interface Wed Apr 18 16:09:18 2018 /sbin/ip addr del dev tun0 192.168.200.7/24 Wed Apr 18 16:09:18 2018 SIGTERM[soft,auth-failure] received, process exiting

     

    It does say AUTH_FAILED and that would make says if it tries to reuse the password from 08:00 because that ofcourse has changed due to the use of 2 factor auth. This was however not an issue with the old solution based on openvpn ALSO using 2 factor auth.

     

    Regards

    Jacob

  • 0 in reply to Jacob Jensen1

    Could you please verify if you experience the same issue when you decrease the Key Lifetime to 60 seconds?

    Also what method of 2 factor authentication are you using?

    Thanks,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to FloSupport

    Hello, i have more or less the same problem. Key lifetime is 8 hours and with 2factor auth the connection goes down after 8 hours.

    I would not like to change much in that session cause i am not sure about the effect ? The setting of key lifetime is firewall side only or

    do i have to send the users a new certificate after that change ?  Or can i change it also to 9 hours without any outage of the users 

    connection ? 

     

    BR

    Marco

  • +1 in reply to marco_47d

    Hi  

    See what I mentioned above regarding the risks of increasing the key lifetime. Generally, changing the settings on that SSL VPN configuration window will require users to re-download their SSL VPN configuration from the user portal.

    Regards,

    Florentino
    Director, Global Community & Digital Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to FloSupport

    Thank you very much. I will tell the  user to reconnect after lunchbreak. Its not a good idea to tell the user to download a new certificate 

    there will be to much problems in that process. I am happy to have 150 user working with vpn and not want to run in problems. 

     

    BR

    Marco

  • +1 in reply to marco_47d

    I've verified that the Key lifetime value is a timeout option pushed to the client during client/server negotiations. Clients will not need to re-download their VPN profile if the Key lifetime value is change. However, applying this change does disconnect connected VPN clients and may require them to authenticate if OTP is enabled.

  • 0 in reply to Derek Preston

    Hey, 

    Sorry that I dig out this old question, but I've the same problem with our users.

    I changed key lifetime to 10 hours and also downloaded the ssl config once again, even Jacob reported that it's not necessary. 

    But my users still get disconnected after 8 hours. 

    Any further Ideas?  We're actual on 17 MR10

     

    Regards, 

    Jonny

  • 0 in reply to Jonnie

    Any updates on this?  We are also having users disconnected after the 8 hour mark.  This is causing a lot of confusion and frustration for our remote users (which in today's world is most users).

Unfiltered HTML