
Sophos XG Firewall - IPSEC VPN MFA ISSUE with OTP PIN

Hi,

I have an XG125 (SFOS 19.5.1 MR-1-Build278) and IPsec Remote Access for the users with internal OTP MFA. Remote users started to report the VPN disconnecting during the day, BUT also the need to enter the MFA PIN multiple times a day.

For example, a user connects at 8am and is connected until 5pm. I see no "terminated" etc. issues in the logs, BUT the user needs to enter the PIN about 3 times to keep the VPN alive. Is this correct behavior? I haven't found anything regarding this in the OTP settings.

I was suspecting WAN connectivity issues, but users are reporting that the connection is still alive during the Sophos client popup request for the PIN. So my guess is that if the user misses the popup for the PIN, the VPN gets disconnected.

I hope I explained this well enough.

Is anyone else experiencing similar issues?

Thanks,

Martin



  • This is based on the Key Lifetime. IPsec has a default key lifetime of 4 hours, which means, after rekey, you have to redo the MFA.

    You can increase the lifetime by using a new IPsec Policy in Remote Access. But you need to roll out the new policy to the users as well.


  • Ok, understood. What if I completely disable re-key? Meaning one key for the whole session; any serious consequences with that? Because if I set the re-key to 12 hours, then it's basically the same result.

  • IPsec depends on the rekey approach. You could increase the cycle, but after a while, you will come into the "Security" discussion - which means, after what time could the system get insecure. You can eventually increase the time to 24h as well.

    Most likely the session will not exist for longer than 8 hours (work hours). So use 12h, which should cover 1 OTP authentication per day.

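Before changing the policy, it is worth confirming from the logs that every extra PIN prompt lines up with a rekey (as the answers above explain) rather than with a real tunnel drop. The script below is an added example, not part of this thread or of SFOS; it runs over a constructed event timeline in an assumed `key=value` format (real SFOS log lines would need their own parser) and also computes how many prompts a given key lifetime implies for a 9-hour working day.

```python
import math
from datetime import datetime

# Constructed sample timeline (not real SFOS log output): the pattern the
# thread describes, a 08:00-17:00 session with the 4 h default lifetime.
SAMPLE_EVENTS = """\
2023-05-02 08:01:10 user=martin event=tunnel_up
2023-05-02 08:01:12 user=martin event=otp_prompt
2023-05-02 12:01:14 user=martin event=rekey
2023-05-02 12:01:15 user=martin event=otp_prompt
2023-05-02 16:01:16 user=martin event=rekey
2023-05-02 16:01:17 user=martin event=otp_prompt
2023-05-02 17:03:00 user=martin event=tunnel_down
"""

def parse_events(text):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into (time, user, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line[:19], line[20:]
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       fields["user"], fields["event"]))
    return events

def classify_prompts(events, tolerance_s=60):
    """Return (total, explained, unexplained) OTP prompts. A prompt is
    'explained' if a tunnel_up or rekey happened within tolerance_s before it;
    unexplained prompts point at something other than the key lifetime."""
    triggers = [t for t, _, e in events if e in ("tunnel_up", "rekey")]
    total = explained = 0
    for t, _, e in events:
        if e != "otp_prompt":
            continue
        total += 1
        if any(0 <= (t - trig).total_seconds() <= tolerance_s for trig in triggers):
            explained += 1
    return total, explained, total - explained

def expected_prompts(session_hours, lifetime_hours):
    """Initial authentication plus one more prompt per rekey inside the session."""
    return math.ceil(session_hours / lifetime_hours)

if __name__ == "__main__":
    print("prompts total/explained/unexplained:", classify_prompts(parse_events(SAMPLE_EVENTS)))
    for lifetime in (4, 8, 12, 24):
        print(f"{lifetime:>2}h lifetime, 9h session -> {expected_prompts(9, lifetime)} prompt(s)")
```

With the 4 h default the sample session yields three prompts, all explained by rekeys; a 12 h lifetime brings a 9 h session down to the single login prompt the answer above aims for.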

  • Yes, that's the solution I'm preparing for deployment. Thanks for your help!
