

Limit Reconnect Attempts for SSL-VPN

Is there a way to suppress reconnect attempts (or limit them, to say, 3) for the SSL-VPN client on XG? We're getting DUO MFA lockouts from users who don't disconnect at the end of the day.  

SSL-MFA attempts to reconnect after a timeout, and then attempts about once per minute for at least 10 times... and at that point DUO locks them out (of DUO), and sends a lockout report to the administrator. Admin must then unlock the user in DUO before the user can log back in again.

Thanks.   - asked on Twitter too...don't know if you have a preference.  

Thanks.   



  • As the client generates those attempts, it's likely not possible to prevent this from happening on the RADIUS server.

    Therefore you should move to Sophos Connect to get this done. It's the better solution anyway.

  • I'm not disputing the Sophos Connect client might be better.   :-)  Might try this for the users in question who aren't logging out at the end of the day.  We extended our timeout on the XG side for something like 6 hours so that users wouldn't have to re-log in after taking a break or lunch.

    But wondering on the SSL-VPN client config if something can be tweaked: like maybe the resolv-retry infinite line?

    ip-win32 dynamic
    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name "C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate, emailAddress=support@sophos.com"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
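
For reference on the question above, an added example (not part of the original thread and not Sophos code): a small Python check that lists the retry-related directives in an OpenVPN-style client profile. Directive meanings follow the OpenVPN manual; whether the Sophos SSL VPN client honours edits to its generated profile is not established in this thread, and `parse_profile`, `audit_retry_directives` and `SAMPLE` are hypothetical names.

```python
import shlex

# Retry-related OpenVPN client directives and what each governs (per the OpenVPN manual).
RETRY_DIRECTIVES = {
    "resolv-retry": "how long to keep retrying DNS resolution of the remote host",
    "connect-retry-max": "how many times each remote is tried (default: unlimited)",
    "auth-retry": "behaviour after an authentication failure (default: none = exit)",
    "auth-nocache": "do not keep the username/password cached in memory",
}

def parse_profile(text):
    """Return {directive: [args]} for every non-comment line of a profile."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        try:
            parts = shlex.split(line)        # keeps quoted arguments together
        except ValueError:                   # unbalanced quote: fall back
            parts = line.split()
        found[parts[0]] = parts[1:]
    return found

def audit_retry_directives(text):
    """List each retry-related directive as (name, value or None, meaning)."""
    found = parse_profile(text)
    return [(name, " ".join(found[name]) if name in found else None, meaning)
            for name, meaning in RETRY_DIRECTIVES.items()]

# Constructed sample: the profile excerpt posted in the thread above.
SAMPLE = '''\
ip-win32 dynamic
client
dev tun
proto udp
explicit-exit-notify
verify-x509-name "C=GB, ST=Oxfordshire, L=Abingdon, O=Sophos, OU=OU, CN=SophosApplianceCertificate, emailAddress=support@sophos.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
'''

if __name__ == "__main__":
    for name, value, meaning in audit_retry_directives(SAMPLE):
        state = "not set" if value is None else f"set: {value or '(flag)'}"
        print(f"{name:18} {state:16} {meaning}")
```

In the posted excerpt only `resolv-retry` is set, and that directive covers DNS resolution retries for the remote host rather than authentication retries.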