This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN users with OTP disconnecting about the same time each day.

Just recently I enabled OTP for some VPN users.  Today I was informed by 3 people they loose connection to the VPN about the same time.  When looking at the logs there's a slew of entries about TLS keys out of sync.  What makes it odd is my VPN has never disconnected and I'm using OTP as well.  There's also 2 others that haven't mentioned any issues.

Doing a search for the past 7 days one user is showing the same issue on 4/23.  Then another it started yesterday and the last one started today.  

It has to be related to OTP since the 20+ others on the VPN haven't experienced this problem.



This thread was automatically locked due to age.
  • Most likely it's caused by the key lifetime which default to 8 hours (28800 seconds). Whenever the connection is up for this time, the encryption key needs to be renegotiated but by that time the OTP is not valid anymore and the VPN is disconnected.

    You could increase this number by a little bit so the problem is less likely to come up. However note that by increasing this time, you also increase the time hackers get to capture packets and try to gain access. Therefore you need to think if you want to increase and if so, just increase it as little as possible. You could increase it to 36000 seconds (10 hours). It's not a too big increase in time and it will most likely be long enough that most users don't notice it anymore (unless they need to be connected even longer).

    You can find the setting at Remote Access -> SSL -> Advanced -> Key lifetime.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I had a feeling it might be that and since we are using OTP it can't reconnect to get the new key.  Good catch.