Sophos SSL VPN Authentication Failure?

Question

Hey guys! Hoping someone can assist, I have a Sophos XG125 (SFOS 19.0.1 MR-1-Build365) 
 Our SSL-VPN policy services about 20 users with multifactor authentication using the Sophos VPN Client. 1 user, just the one, is experiencing an issue where they are intermittently get booted from the VPN roughly 30-50 minutes after connecting. The Sophos Connect application appears to simply drop the connection and alerts the user to reconnect. The user can then reconnect and resume working with no issue - but you can see where having to do this daily, every 30-minutes or so, would become an issue. 
 I thought they were idling but as I've turned off the idle out option and it's still happening, this doesn't appear to be the case. With this being the only user experiencing this problem, I decided to pull the VPN Log from the client on the user side before she reconnects. IP Addresses and private information has been removed from the log: 
 -------------------------------------------------------------- 
 2022-10-05 13:14:26 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set. 2022-10-05 13:14:26 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning. 2022-10-05 13:14:26 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 22 2022 2022-10-05 13:14:26 Windows version 10.0 (Windows 10 or greater) 64bit 2022-10-05 13:14:26 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10 2022-10-05 13:14:26 MANAGEMENT: TCP Socket listening on [AF_INET]127.X.X.X:X 2022-10-05 13:14:26 Need hold release from management interface, waiting... 2022-10-05 13:14:26 MANAGEMENT: Client connected from [AF_INET]127.X.X.X:X 2022-10-05 13:14:26 MANAGEMENT: CMD 'state on' 2022-10-05 13:14:26 MANAGEMENT: CMD 'log all on' 2022-10-05 13:14:26 MANAGEMENT: CMD 'echo all on' 2022-10-05 13:14:26 MANAGEMENT: CMD 'bytecount 5' 2022-10-05 13:14:26 MANAGEMENT: CMD 'hold off' 2022-10-05 13:14:26 MANAGEMENT: CMD 'hold release' 2022-10-05 13:14:26 MANAGEMENT: CMD 'username "Auth" user' 2022-10-05 13:14:26 MANAGEMENT: CMD 'password [...]' 2022-10-05 13:14:26 TCP/UDP: Preserving recently used remote address: [AF_INET]170.X.X.X:X3 2022-10-05 13:14:26 Socket Buffers: R=[65536->65536] S=[65536->65536] 2022-10-05 13:14:26 Attempting to establish TCP connection with [AF_INET]170.X.X.X:X3 [nonblock] 2022-10-05 13:14:26 MANAGEMENT: >STATE:1664993666,TCP_CONNECT,,,,,, 2022-10-05 13:14:26 TCP connection established with [AF_INET]170.X.X.X:X3 2022-10-05 13:14:26 TCP_CLIENT link local: (not bound) 2022-10-05 13:14:26 TCP_CLIENT link remote: [AF_INET]170.X.X.X:X3 2022-10-05 13:14:26 MANAGEMENT: >STATE:1664993666,WAIT,,,,,, 2022-10-05 13:14:26 MANAGEMENT: >STATE:1664993666,AUTH,,,,,, 2022-10-05 13:14:26 TLS: Initial packet from [AF_INET]170.X.X.X:X3, sid=14b3d5d9 c675320f 2022-10-05 13:14:26 VERIFY OK: depth=1, C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=Sophos_CA_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 13:14:26 VERIFY X509NAME OK: C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=SophosApplianceCertificate_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 13:14:26 VERIFY OK: depth=0, C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=SophosApplianceCertificate_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 13:14:27 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256 2022-10-05 13:14:27 [SophosApplianceCertificate_C1XXXXXXXXXXXXX] Peer Connection Initiated with [AF_INET]170.X.X.X:X3 2022-10-05 13:14:28 MANAGEMENT: >STATE:1664993668,GET_CONFIG,,,,,, 2022-10-05 13:14:28 SENT CONTROL [SophosApplianceCertificate_C1XXXXXXXXXXXXX]: 'PUSH_REQUEST' (status=1) 2022-10-05 13:14:33 SENT CONTROL [SophosApplianceCertificate_C1XXXXXXXXXXXXX]: 'PUSH_REQUEST' (status=1) 2022-10-05 13:14:33 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.X.X.X.X,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 20.X.X.X 255.X.X.X.X,topology subnet,route remote_host 255.X.X.X.X net_gateway,inactive 900 7680,dhcp-option DNS 200.X.X.X.X,dhcp-option DOMAIN domain.com,ifconfig 10.X.X.X.X 255.X.X.X.X,peer-id 0,cipher AES-256-GCM' 2022-10-05 13:14:33 OPTIONS IMPORT: timers and/or timeouts modified 2022-10-05 13:14:33 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified 2022-10-05 13:14:33 Socket Buffers: R=[65536->65536] S=[65536->65536] 2022-10-05 13:14:33 OPTIONS IMPORT: --ifconfig/up options modified 2022-10-05 13:14:33 OPTIONS IMPORT: route options modified 2022-10-05 13:14:33 OPTIONS IMPORT: route-related options modified 2022-10-05 13:14:33 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 2022-10-05 13:14:33 OPTIONS IMPORT: peer-id set 2022-10-05 13:14:33 OPTIONS IMPORT: adjusting link_mtu to 1627 2022-10-05 13:14:33 OPTIONS IMPORT: data channel crypto options modified 2022-10-05 13:14:33 Data Channel: using negotiated cipher 'AES-256-GCM' 2022-10-05 13:14:33 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-10-05 13:14:33 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-10-05 13:14:33 interactive service msg_channel=656 2022-10-05 13:14:33 open_tun 2022-10-05 13:14:33 tap-windows6 device [Ethernet 2] opened 2022-10-05 13:14:33 TAP-Windows Driver Version 1.0 2022-10-05 13:14:33 Set TAP-Windows TUN subnet mode network/local/netmask = 10.X.X.X.X/10.X.X.X.X/255.X.X.X.X [SUCCEEDED] 2022-10-05 13:14:33 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.X.X.X.X/255.X.X.X.X on interface {CAD1A837-EEA1-459E-9F70-E04DF8EA9D90} [DHCP-serv: 10.X.X.X.X, lease-time: 31536000] 2022-10-05 13:14:33 Successful ARP Flush on interface [8] {CAD1A837-EEA1-459E-9F70-E04DF8EA9D90} 2022-10-05 13:14:33 MANAGEMENT: >STATE:1664993673,ASSIGN_IP,,10.X.X.X.X,,,, 2022-10-05 13:14:33 IPv4 MTU set to 1500 on interface 8 using service 2022-10-05 13:14:37 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up 2022-10-05 13:14:37 MANAGEMENT: >STATE:1664993677,ADD_ROUTES,,,,,, 2022-10-05 13:14:37 C:\WINDOWS\system32\route.exe ADD 170.X.X.X.X MASK 255.X.X.X.X 192.X.X.X.X 2022-10-05 13:14:37 Route addition via service succeeded 2022-10-05 13:14:37 C:\WINDOWS\system32\route.exe ADD 20.X.X.X MASK 255.X.X.X.X 10.X.X.X.X 2022-10-05 13:14:37 Route addition via service succeeded 2022-10-05 13:14:37 C:\WINDOWS\system32\route.exe ADD 170.X.X.X.X MASK 255.X.X.X.X 192.X.X.X.X 2022-10-05 13:14:37 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=14] 2022-10-05 13:14:37 Route addition via service failed 2022-10-05 13:14:37 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2022-10-05 13:14:37 Initialization Sequence Completed 2022-10-05 13:14:37 MANAGEMENT: >STATE:1664993677,CONNECTED,SUCCESS,10.X.X.X.X,170.X.X.X.X,PORT,192.X.X.X.X,49571 2022-10-05 13:26:24 C:\WINDOWS\system32\route.exe DELETE 170.X.X.X.X MASK 255.X.X.X.X 192.X.X.X.X 2022-10-05 13:26:24 Route deletion via service succeeded 2022-10-05 13:26:24 C:\WINDOWS\system32\route.exe DELETE 20.X.X.X MASK 255.X.X.X.X 10.X.X.X.X 2022-10-05 13:26:24 Route deletion via service succeeded 2022-10-05 13:26:24 Closing TUN/TAP interface 2022-10-05 13:26:36 TAP: DHCP address released 2022-10-05 13:26:36 SIGTERM[hard,] received, process exiting 2022-10-05 13:26:36 MANAGEMENT: >STATE:1664994396,EXITING,SIGTERM,,,,, 2022-10-05 13:27:14 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set. 2022-10-05 13:27:14 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning. 2022-10-05 13:27:14 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 22 2022 2022-10-05 13:27:14 Windows version 10.0 (Windows 10 or greater) 64bit 2022-10-05 13:27:14 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10 2022-10-05 13:27:14 MANAGEMENT: TCP Socket listening on [AF_INET]127.X.X.X:X 2022-10-05 13:27:14 Need hold release from management interface, waiting... 2022-10-05 13:27:14 MANAGEMENT: Client connected from [AF_INET]127.X.X.X:X 2022-10-05 13:27:14 MANAGEMENT: CMD 'state on' 2022-10-05 13:27:14 MANAGEMENT: CMD 'log all on' 2022-10-05 13:27:14 MANAGEMENT: CMD 'echo all on' 2022-10-05 13:27:14 MANAGEMENT: CMD 'bytecount 5' 2022-10-05 13:27:14 MANAGEMENT: CMD 'hold off' 2022-10-05 13:27:14 MANAGEMENT: CMD 'hold release' 2022-10-05 13:27:14 MANAGEMENT: CMD 'username "Auth" user' 2022-10-05 13:27:14 MANAGEMENT: CMD 'password [...]' 2022-10-05 13:27:14 TCP/UDP: Preserving recently used remote address: [AF_INET]170.X.X.X:X3 2022-10-05 13:27:14 Socket Buffers: R=[65536->65536] S=[65536->65536] 2022-10-05 13:27:14 Attempting to establish TCP connection with [AF_INET]170.X.X.X:X3 [nonblock] 2022-10-05 13:27:14 MANAGEMENT: >STATE:1664994434,TCP_CONNECT,,,,,, 2022-10-05 13:27:14 TCP connection established with [AF_INET]170.X.X.X:X3 2022-10-05 13:27:14 TCP_CLIENT link local: (not bound) 2022-10-05 13:27:14 TCP_CLIENT link remote: [AF_INET]170.X.X.X:X3 2022-10-05 13:27:14 MANAGEMENT: >STATE:1664994434,WAIT,,,,,, 2022-10-05 13:27:14 MANAGEMENT: >STATE:1664994434,AUTH,,,,,, 2022-10-05 13:27:14 TLS: Initial packet from [AF_INET]170.X.X.X:X3, sid=b6707224 10a3f151 2022-10-05 13:27:15 VERIFY OK: depth=1, C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=Sophos_CA_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 13:27:15 VERIFY X509NAME OK: C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=SophosApplianceCertificate_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 13:27:15 VERIFY OK: depth=0, C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=SophosApplianceCertificate_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 13:27:15 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256 2022-10-05 13:27:15 [SophosApplianceCertificate_C1XXXXXXXXXXXXX] Peer Connection Initiated with [AF_INET]170.X.X.X:X3 2022-10-05 13:27:16 MANAGEMENT: >STATE:1664994436,GET_CONFIG,,,,,, 2022-10-05 13:27:16 SENT CONTROL [SophosApplianceCertificate_C1XXXXXXXXXXXXX]: 'PUSH_REQUEST' (status=1) 2022-10-05 13:27:16 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.X.X.X.X,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 20.X.X.X 255.X.X.X.X,topology subnet,route remote_host 255.X.X.X.X net_gateway,dhcp-option DNS 200.X.X.X.X,dhcp-option DOMAIN domain.com,ifconfig 10.X.X.X.X 255.X.X.X.X,peer-id 0,cipher AES-256-GCM' 2022-10-05 13:27:16 OPTIONS IMPORT: timers and/or timeouts modified 2022-10-05 13:27:16 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified 2022-10-05 13:27:16 Socket Buffers: R=[65536->65536] S=[65536->65536] 2022-10-05 13:27:16 OPTIONS IMPORT: --ifconfig/up options modified 2022-10-05 13:27:16 OPTIONS IMPORT: route options modified 2022-10-05 13:27:16 OPTIONS IMPORT: route-related options modified 2022-10-05 13:27:16 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 2022-10-05 13:27:16 OPTIONS IMPORT: peer-id set 2022-10-05 13:27:16 OPTIONS IMPORT: adjusting link_mtu to 1627 2022-10-05 13:27:16 OPTIONS IMPORT: data channel crypto options modified 2022-10-05 13:27:16 Data Channel: using negotiated cipher 'AES-256-GCM' 2022-10-05 13:27:16 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-10-05 13:27:16 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-10-05 13:27:16 interactive service msg_channel=672 2022-10-05 13:27:16 open_tun 2022-10-05 13:27:16 tap-windows6 device [Ethernet 2] opened 2022-10-05 13:27:16 TAP-Windows Driver Version 1.0 2022-10-05 13:27:16 Set TAP-Windows TUN subnet mode network/local/netmask = 10.X.X.X.X/10.X.X.X.X/255.X.X.X.X [SUCCEEDED] 2022-10-05 13:27:16 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.X.X.X.X/255.X.X.X.X on interface {CAD1A837-EEA1-459E-9F70-E04DF8EA9D90} [DHCP-serv: 10.X.X.X.X, lease-time: 31536000] 2022-10-05 13:27:16 Successful ARP Flush on interface [8] {CAD1A837-EEA1-459E-9F70-E04DF8EA9D90} 2022-10-05 13:27:16 MANAGEMENT: >STATE:1664994436,ASSIGN_IP,,10.X.X.X.X,,,, 2022-10-05 13:27:16 IPv4 MTU set to 1500 on interface 8 using service 2022-10-05 13:27:21 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up 2022-10-05 13:27:21 MANAGEMENT: >STATE:1664994441,ADD_ROUTES,,,,,, 2022-10-05 13:27:21 C:\WINDOWS\system32\route.exe ADD 170.X.X.X.X MASK 255.X.X.X.X 192.X.X.X.X 2022-10-05 13:27:21 Route addition via service succeeded 2022-10-05 13:27:21 C:\WINDOWS\system32\route.exe ADD 20.X.X.X MASK 255.X.X.X.X 10.X.X.X.X 2022-10-05 13:27:21 Route addition via service succeeded 2022-10-05 13:27:21 C:\WINDOWS\system32\route.exe ADD 170.X.X.X.X MASK 255.X.X.X.X 192.X.X.X.X 2022-10-05 13:27:21 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=14] 2022-10-05 13:27:21 Route addition via service failed 2022-10-05 13:27:21 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2022-10-05 13:27:21 Initialization Sequence Completed 2022-10-05 13:27:21 MANAGEMENT: >STATE:1664994441,CONNECTED,SUCCESS,10.X.X.X.X,170.X.X.X.X,PORT,192.X.X.X.X,50351 2022-10-05 14:12:09 C:\WINDOWS\system32\route.exe DELETE 170.X.X.X.X MASK 255.X.X.X.X 192.X.X.X.X 2022-10-05 14:12:09 Route deletion via service succeeded 2022-10-05 14:12:09 C:\WINDOWS\system32\route.exe DELETE 20.X.X.X MASK 255.X.X.X.X 10.X.X.X.X 2022-10-05 14:12:09 Route deletion via service succeeded 2022-10-05 14:12:09 Closing TUN/TAP interface 2022-10-05 14:12:21 TAP: DHCP address released 2022-10-05 14:12:21 SIGTERM[hard,] received, process exiting 2022-10-05 14:12:21 MANAGEMENT: >STATE:1664997141,EXITING,SIGTERM,,,,, 2022-10-05 14:12:23 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set. 2022-10-05 14:12:23 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning. 2022-10-05 14:12:23 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 22 2022 2022-10-05 14:12:23 Windows version 10.0 (Windows 10 or greater) 64bit 2022-10-05 14:12:23 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10 2022-10-05 14:12:23 MANAGEMENT: TCP Socket listening on [AF_INET]127.X.X.X:X 2022-10-05 14:12:23 Need hold release from management interface, waiting... 2022-10-05 14:12:24 MANAGEMENT: Client connected from [AF_INET]127.X.X.X:X 2022-10-05 14:12:24 MANAGEMENT: CMD 'state on' 2022-10-05 14:12:24 MANAGEMENT: CMD 'log all on' 2022-10-05 14:12:24 MANAGEMENT: CMD 'echo all on' 2022-10-05 14:12:24 MANAGEMENT: CMD 'bytecount 5' 2022-10-05 14:12:24 MANAGEMENT: CMD 'hold off' 2022-10-05 14:12:24 MANAGEMENT: CMD 'hold release' 2022-10-05 14:12:24 MANAGEMENT: CMD 'username "Auth" user' 2022-10-05 14:12:24 MANAGEMENT: CMD 'password [...]' 2022-10-05 14:12:24 TCP/UDP: Preserving recently used remote address: [AF_INET]170.X.X.X:X3 2022-10-05 14:12:24 Socket Buffers: R=[65536->65536] S=[65536->65536] 2022-10-05 14:12:24 Attempting to establish TCP connection with [AF_INET]170.X.X.X:X3 [nonblock] 2022-10-05 14:12:24 MANAGEMENT: >STATE:1664997144,TCP_CONNECT,,,,,, 2022-10-05 14:12:24 TCP connection established with [AF_INET]170.X.X.X:X3 2022-10-05 14:12:24 TCP_CLIENT link local: (not bound) 2022-10-05 14:12:24 TCP_CLIENT link remote: [AF_INET]170.X.X.X:X3 2022-10-05 14:12:24 MANAGEMENT: >STATE:1664997144,WAIT,,,,,, 2022-10-05 14:12:24 MANAGEMENT: >STATE:1664997144,AUTH,,,,,, 2022-10-05 14:12:24 TLS: Initial packet from [AF_INET]170.X.X.X:X3, sid=c9e20def b2367af7 2022-10-05 14:12:24 VERIFY OK: depth=1, C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=Sophos_CA_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 14:12:24 VERIFY X509NAME OK: C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=SophosApplianceCertificate_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 14:12:24 VERIFY OK: depth=0, C=US, ST=IN, L=City, O=Office Name, OU=OU, CN=SophosApplianceCertificate_C1XXXXXXXXXXXXX, emailAddress=email@mail.com 2022-10-05 14:12:24 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256 2022-10-05 14:12:24 [SophosApplianceCertificate_C1XXXXXXXXXXXXX] Peer Connection Initiated with [AF_INET]170.X.X.X:X3 2022-10-05 14:12:25 MANAGEMENT: >STATE:1664997145,GET_CONFIG,,,,,, 2022-10-05 14:12:25 SENT CONTROL [SophosApplianceCertificate_C1XXXXXXXXXXXXX]: 'PUSH_REQUEST' (status=1) 2022-10-05 14:12:25 AUTH: Received control message: AUTH_FAILED 2022-10-05 14:12:25 SIGTERM[soft,auth-failure] received, process exiting 2022-10-05 14:12:25 MANAGEMENT: >STATE:1664997145,EXITING,auth-failure,,,,, 
 ---------------------------------------------------------------------------------------- 
 Any idea what could be causing an issue like this? It's wracking my brain trying to isolate where the disconnect is coming from, and I'm almost certain it has to be something on the endusers machine - possibly with the ISP. But I'm not really sure where to check or look.