This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Limit Reconnect Attempts for SSL-VPN

Is there a way to suppress reconnect attempts (or limit them, to say, 3) for the SSL-VPN client on XG? We're getting DUO MFA lockouts from users who don't disconnect at the end of the day.

SSL-MFA attempts to reconnect after a timeout, and then attempts about once per minute for at least 10 times....and at that point DUO locks them out (of DUO), and sends a lockout report to the administrator. Admin must then unlock the user in DUO before the user can log back in again.

Thanks. - asked on Twitter too...don't know if you have a preference.

Thanks.

This thread was automatically locked due to age.

0 LuCar Toni over 3 years ago

Do you use Sophos Connect or SSLVPN Client? Because Sophos Connect should have an option for this.

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SConProvisioningFile.html

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 IT Support152 over 3 years ago in reply to LuCar Toni

SSl-VPN.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to IT Support152

As the client generates those attempts, its likely not possible to prevent this from happening on the radius server.

Therefore you should move to Sophos Connect to get this done. Its the better solution anyway.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 IT Support152 over 3 years ago in reply to LuCar Toni

I'm not disputing the Sophos Connect client might be be better. :-) Might try this for the user's in question who aren't logging out at the end of the day. We extended our timeout on the XG side for something like 6 hours so that users wouldn't have to re-log in after taking a break or lunch.

But wondering on the SSL-VPN client config if something can be tweaked: like maybe the resolv-retry infinite? line.

ip-win32 dynamic
client
dev tun
proto udp
explicit-exit-notify
verify-x509-name "C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate, emailAddress=support@sophos.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to IT Support152

Hi IT Support152,

Did you configure Idle time-out? This feature will disconnect idle clients from the session after the specified time. The default is 15 minutes, you could configure it up to 1 hour.

Reference: Add a remote access policy

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 IT Support152 over 3 years ago in reply to FormerMember

Hi... I don't think it is on the idle-timeout issue....I expect that the connection will be timed out...and that is a good thing. What I am attempting to do is to limit is the number of retries that the client sends when the connection is broken. It appears that these are being sent once a minute or so, and after DUO receives 10 that are unacknowledged Duo will lock out the the user. (also, not a bad thing).

I have been looking into the resolv-retry infinit setting in the openvpn documentation at Reference manual for OpenVPN 2.1 | OpenVPN
Cancel
Vote Up 0 Vote Down

Cancel
0 IT Support152 over 3 years ago

following.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User4664 over 3 years ago

Any solution? We have the same Problem with DUO and reconnects but using a Sophos SG Firewall.

SSL VPN, macOS 11.4, Client: Tunnelblick 3.8.6
Cancel
Vote Up 0 Vote Down

Cancel
0 IT Support152 over 3 years ago in reply to Sophos User4664

No solution at this point. We've been retraining users to disconnect the VPN at the end of the day if they aren't shutting down their machines. Probably better hygiene anyway, (reduces the "attack surface" of an unattended connected machine), however, the whole thing has been quite a bother.
Cancel
Vote Up 0 Vote Down

Cancel