Is there a way to suppress reconnect attempts (or limit them, to say, 3) for the SSL-VPN client on XG? We're getting DUO MFA lockouts from users who don't disconnect at the end of the day.
SSL-MFA attempts to reconnect after a timeout, and then attempts about once per minute for at least 10 times... and at that point DUO locks them out (of DUO), and sends a lockout report to the administrator. Admin must then unlock the user in DUO before the user can log back in again.
Thanks. Asked on Twitter too... don't know if you have a preference.
Do you use Sophos Connect or SSLVPN Client? Because Sophos Connect should have an option for this.
As the client generates those attempts, it's likely not possible to prevent this from happening on the RADIUS server.
Therefore you should move to Sophos Connect to get this done. It's the better solution anyway.
I'm not disputing the Sophos Connect client might be better. :-) Might try this for the users in question who aren't logging out at the end of the day. We extended our timeout on the XG side for something like 6 hours so that users wouldn't have to re-log in after taking a break or lunch.
But wondering on the SSL-VPN client config if something can be tweaked: like maybe the "resolv-retry infinite" line?

ip-win32 dynamic
client
dev tun
proto udp
explicit-exit-notify
verify-x509-name "C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate, emailAddress=firstname.lastname@example.org"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
Hi IT Support152,
Did you configure Idle time-out? This feature will disconnect idle clients from the session after the specified time. The default is 15 minutes, you could configure it up to 1 hour.
Reference: Add a remote access policy
Hi... I don't think it is an idle-timeout issue... I expect that the connection will be timed out... and that is a good thing. What I am attempting to do is limit the number of retries that the client sends when the connection is broken. It appears that these are being sent once a minute or so, and after DUO receives 10 that are unacknowledged, Duo will lock out the user (also, not a bad thing).
I have been looking into the "resolv-retry infinite" setting in the OpenVPN documentation at Reference manual for OpenVPN 2.1 | OpenVPN
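As an added illustration, not posted by anyone in this thread: a minimal OpenVPN-style client config fragment showing where a retry cap would sit. In stock OpenVPN, `resolv-retry` only governs how long the client keeps retrying DNS resolution of the `remote` hostname; the number of connection attempts is governed by `connect-retry-max`. Whether the Sophos SSL VPN client honours that option, and whether each reconnect re-prompts for credentials (and so triggers a Duo push), is an assumption to verify on your own build; the hostname and port are placeholders.

```conf
client
dev tun
proto udp
# placeholder gateway, not a value from the thread
remote vpn.example.invalid 8443
# only affects DNS lookups of "remote", not reconnect attempts
resolv-retry infinite
# give up after 3 failed connection attempts instead of retrying forever,
# so a client left running overnight does not fire off MFA pushes until lockout
connect-retry-max 3
# seconds to wait between attempts
connect-retry 60
explicit-exit-notify
nobind
persist-key
persist-tun
```

After capping retries, confirm in the client log that the process exits after the third failure rather than looping, and that the Duo admin lockout reports stop arriving for the affected users.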