
Limit Reconnect Attempts for SSL-VPN

Is there a way to suppress reconnect attempts (or limit them, to say, 3) for the SSL-VPN client on XG? We're getting DUO MFA lockouts from users who don't disconnect at the end of the day.

SSL-MFA attempts to reconnect after a timeout, and then attempts about once per minute for at least 10 times... and at that point DUO locks them out (of DUO), and sends a lockout report to the administrator. Admin must then unlock the user in DUO before the user can log back in again.

Thanks. - asked on Twitter too... don't know if you have a preference.



  • As the client generates those attempts, it's likely not possible to prevent this from happening on the RADIUS server.

    Therefore you should move to Sophos Connect to get this done. It's the better solution anyway.


  • I'm not disputing the Sophos Connect client might be better. :-) Might try this for the users in question who aren't logging out at the end of the day. We extended our timeout on the XG side to something like 6 hours so that users wouldn't have to re-log in after taking a break or lunch.

    But wondering on the SSL-VPN client config if something can be tweaked: like maybe the resolv-retry infinite? line.

    ip-win32 dynamic
    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name "C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate, emailAddress=support@sophos.com"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

  • FormerMember, in reply to IT Support152:

    Hi,

    Did you configure Idle time-out? This feature will disconnect idle clients from the session after the specified time. The default is 15 minutes; you could configure it up to 1 hour.

    Reference: Add a remote access policy

    Thanks,

  • Hi... I don't think it is an idle-timeout issue... I expect that the connection will be timed out... and that is a good thing. What I am attempting to do is limit the number of retries that the client sends when the connection is broken. It appears that these are being sent once a minute or so, and after DUO receives 10 that are unacknowledged Duo will lock out the user (also, not a bad thing).

    I have been looking into the resolv-retry infinite setting in the openvpn documentation at Reference manual for OpenVPN 2.1 | OpenVPN
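The resolv-retry line both posts above ask about only controls how long OpenVPN keeps retrying DNS resolution of the server name; the number of connection attempts is capped by a separate directive, connect-retry-max. The following is an added, annotated client config, not the file exported by the XG or anything either poster wrote; it assumes the Sophos SSL-VPN client honours standard OpenVPN 2.x client directives and that the exported .ovpn can be edited.

```conf
# Added example: the posted fragment with the reconnection count capped.
# Assumes an OpenVPN 2.x based client that accepts these standard directives.
ip-win32 dynamic
client
dev tun
proto udp
explicit-exit-notify

# Pin the server identity; unchanged from the posted fragment.
verify-x509-name "C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate, emailAddress=support@sophos.com"
route remote_host 255.255.255.255 net_gateway

# DNS only: keep retrying to resolve the server hostname for ever.
# This does NOT govern how many times the client tries to connect.
resolv-retry infinite

# Connection attempts: give up after 3 unsuccessful tries instead of the
# default (unlimited). A successful connection resets the counter, so a
# normally working session is unaffected; once the cap is reached the
# client exits and the user has to reconnect by hand, which is the
# trade-off that keeps repeated unanswered MFA prompts from piling up.
connect-retry-max 3

nobind
# Keep the key material and tun device across restarts; these affect how a
# restart behaves, not how many restarts are attempted.
persist-key
persist-tun
```

Once connect-retry-max is exhausted the client logs that all connections have been tried the maximum number of times and exits, so pair this with a sensible Idle time-out on the XG side rather than relying on the cap alone.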