
VPN timeout/key negotiation after 8 hours



I have a remote user using SSL VPN to connect to our main office Sophos XG virtual appliance. After almost exactly 8 hours it seems that the VPN is re-negotiating keys but fails, and the VPN connection dies. This is probably because we are using two-factor authentication?


Is there a way to adjust or disable the re-negotiation of the keys so that this will not happen?




This thread was automatically locked due to age.
  • Hey  

    I'll attach a screenshot below, but have you tried changing the key lifetime configured in your SSL VPN settings?


    Director, Global Community & Digital Support

  • Hi FloSupport,


    I have not tried that. Could I double that without it causing other issues? 57600? An even higher number?




  • Hello, I have more or less the same problem. Key lifetime is 8 hours, and with two-factor auth the connection goes down after 8 hours.

    I would not like to change much in that session because I am not sure about the effect. Is the key lifetime setting firewall-side only, or do I have to send the users a new certificate after that change? Or can I change it to 9 hours without any outage of the users' connection?




  • Hi  

    See what I mentioned above regarding the risks of increasing the key lifetime. Generally, changing the settings on that SSL VPN configuration window will require users to re-download their SSL VPN configuration from the user portal.


  • Thank you very much. I will tell the user to reconnect after the lunch break. It's not a good idea to tell the user to download a new certificate; there will be too many problems in that process. I am happy to have 150 users working with VPN and do not want to run into problems.




  • I've verified that the Key lifetime value is a timeout option pushed to the client during client/server negotiations. Clients will not need to re-download their VPN profile if the Key lifetime value is changed. However, applying this change does disconnect connected VPN clients and may require them to authenticate again if OTP is enabled.

  • Hey, 

    Sorry that I'm digging up this old question, but I have the same problem with our users.

    I changed the key lifetime to 10 hours and also downloaded the SSL config once again, even though Jacob reported that it's not necessary.

    But my users still get disconnected after 8 hours.

    Any further ideas? We're currently on 17 MR10.




  • Any updates on this?  We are also having users disconnected after the 8 hour mark.  This is causing a lot of confusion and frustration for our remote users (which in today's world is most users).

  • FormerMember (in reply to Jonnie):


    With the key lifetime value at 10 hours, users should not get disconnected after 8 hours. The key lifetime value defines that the keys will expire after the configured time and disconnects the user to reset the keys. There are no other settings on the firewall that would cause these disconnects after 8 hours, so I think it is possible that the user got disconnected for some other reason.

    Could you please provide client logs from around the time that the user got disconnected?


  • Hey H_Patel, 


    Thanks for your reply. I have installed the OpenVPN GUI, because I can't run the Sophos SSL VPN Client as a service, can I? Without a Windows service, the log is lost at the next restart of the Sophos VPN client.

    I will monitor this behaviour and post the log, maybe next week after the public holidays.

  • Worth adding that we've just added 100 users to our Sophos XG using SSL VPN. Users were getting disconnected after 8 hours. I changed the key lifetime in the VPN settings to give 12 hours. Clients were disconnected and had to reconnect, but the sessions now last 12 hours. The SSL client and config, as others say, don't need to be downloaded again.

  • Hey, 


    Today I could verify the issue myself. I started the VPN at 9:10 am and got "disconnected" at 17:10, exactly 8 hours later.

    The curious thing is that my active RDP connection was disconnected, but my VPN is still active?

    Checked internet access --> OK; checked my public IP --> from the XG and not from my home office; checked ICMP to the server I had just been connected to --> FAIL

    I remembered that I had a similar issue months ago, where our SSL VPN users were kicked off after exactly 15 minutes.

    The VPN client still says connected, but there is no connection to our internal servers. I've discussed this issue several times with the support hotline, but they don't understand the problem, even with a support session at the very moment the disconnect happens. I was angry as hell!

    So I checked all possible "time" fields on the XG and noticed that I had set the "Maximum Session Timeout" in the Global Settings under Services to 15 min. My thought was that this setting only applies to the user portal and not to the SSL VPN itself. But after I set this to 8 hours, the issue was resolved.

    Am I right in assuming that the "Maximum Session Timeout" could affect the SSL VPN with the OTP token?

    Because I already set the Key Lifetime to 10 hours and downloaded the SSL config once again. This is the only setting that makes sense to me, after my story as described above.

    I will try it tomorrow once again, but I would appreciate a confirmation from the forum support. :)

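The check H_Patel asked for, as an added helper that is not part of this thread and not Sophos code: it parses OpenVPN-style client log lines, measures the time from "Initialization Sequence Completed" to the first "TLS: soft reset" (key renegotiation), and reports which configured timer that interval matches. The log lines are constructed, and the timer names and values (key lifetime assumed to be the 8-hour default, Maximum Session Timeout assumed at 15 min) are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample of an OpenVPN-style client log (not a real capture):
# tunnel comes up at 09:10, a key renegotiation fires 8 hours later, and the
# re-authentication fails because the one-time password is no longer valid.
SAMPLE_LOG = """\
Mon Jun 15 09:10:02 2020 Initialization Sequence Completed
Mon Jun 15 17:10:03 2020 TLS: soft reset sec=0/28800 bytes=0/-1 pkts=0/0
Mon Jun 15 17:10:05 2020 AUTH: Received control message: AUTH_FAILED
Mon Jun 15 17:10:05 2020 SIGUSR1[soft,auth-failure] received, process restarting
"""

# Assumed firewall timers in seconds (values used in this thread, not read from a device).
TIMERS = {
    "key_lifetime": 8 * 3600,          # SSL VPN key lifetime (default 8 h)
    "max_session_timeout": 15 * 60,    # Global Settings > Services, 15 min
}

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse(log_text):
    """Yield (timestamp, message) for each line that carries an OpenVPN-style timestamp."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)


def analyze(log_text, timers=TIMERS, tolerance_sec=120):
    """Return the seconds from tunnel-up to first renegotiation, whether auth
    failed afterwards, and which configured timers the interval matches."""
    start = reneg = None
    auth_failed = False
    for ts, msg in parse(log_text):
        if "Initialization Sequence Completed" in msg and start is None:
            start = ts
        elif "TLS: soft reset" in msg and start is not None and reneg is None:
            reneg = ts
        elif "AUTH_FAILED" in msg:
            auth_failed = True
    if start is None or reneg is None:
        return {"elapsed_sec": None, "auth_failed": auth_failed, "matches": []}
    elapsed = int((reneg - start).total_seconds())
    matches = [n for n, s in timers.items() if abs(elapsed - s) <= tolerance_sec]
    return {"elapsed_sec": elapsed, "auth_failed": auth_failed, "matches": matches}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A match on `key_lifetime` together with `auth_failed` is the pattern described in this thread; an interval matching `max_session_timeout` instead points at the Global Settings timer rather than the key lifetime.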
