This discussion has been locked.

SSL VPN Timeout

By default, what is the timeout for an SSL VPN connection? Ours seems to kick people off at the 8 hour mark right now.

We have both 1FA and 2FA users. I thought it was just the 2FA users because the passwords had expired, but the 1FA users say the same thing happens.



  • I don't have any client VPNs that use L2TP/IPsec.  I believe JayMan is correct and it's the key lifetime.  I found, under remote access > ssl > advanced under cryptographic settings, that I have key lifetime as 28800 seconds.  When it tries to renegotiate, the 2FA fails and the connection drops.  Unfortunately the UTM won't allow this to be set to 0, so I'll have to try the largest setting of 86400.

    I note that in my client setting configuration it contains "reneg-sec 0" but looks like 28800 from the server wins.

  • I just confirmed with cc that that's the default setting for clients, Kevin.  Also, OpenVPN docs confirm that only one side can have the 0 setting - the other sets the lifetime.  With 1FA, the key is renegotiated with the credentials cached by the client.  The credentials for the OTP are not cached by the client, but I don't think there's a mechanism for the server side in the UTM to process the second factor automatically, either.  The only solution, again, according to comments in the OpenVPN forum, is the one you guys have found.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
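
The interaction described in the replies above, as an added example that is not from the thread, Sophos or OpenVPN: it reads `reneg-sec` from a client and a server configuration and reports which side's timer triggers the key renegotiation, and therefore when a user whose OTP is not cached is dropped. The two configuration snippets are constructed samples, the function names are hypothetical, and only time-based renegotiation with a single `reneg-sec` value is modelled.

```python
import re

OPENVPN_DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is not set


def reneg_sec(config_text):
    """Return the reneg-sec value of an OpenVPN config, or the default."""
    value = OPENVPN_DEFAULT_RENEG_SEC
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # skip blank and comment lines
            continue
        m = re.match(r"reneg-sec\s+(\d+)", line)
        if m:
            value = int(m.group(1))          # if repeated, this sketch keeps the last
    return value


def effective_interval(client_cfg, server_cfg):
    """Seconds until the first time-based renegotiation, or None if disabled.

    0 disables the timer on that side only; the lowest non-zero value wins.
    """
    timers = [t for t in (reneg_sec(client_cfg), reneg_sec(server_cfg)) if t > 0]
    return min(timers) if timers else None


def session_outcome(client_cfg, server_cfg, otp_user):
    """Describe what happens to the session at renegotiation time."""
    interval = effective_interval(client_cfg, server_cfg)
    if interval is None:
        return "no time-based renegotiation"
    hours = f"{interval / 3600:g} h"
    if otp_user:
        # The one-time password is not cached, so re-authentication fails.
        return f"dropped after {hours}"
    return f"rekeyed with cached credentials after {hours}"


# Constructed sample configs mirroring the values quoted in the thread.
CLIENT_CFG = "client\ndev tun\nreneg-sec 0\n"
SERVER_CFG_8H = "dev tun\nreneg-sec 28800\n"
SERVER_CFG_24H = "dev tun\nreneg-sec 86400\n"

if __name__ == "__main__":
    for name, server in (("28800", SERVER_CFG_8H), ("86400", SERVER_CFG_24H)):
        print(name, "->", session_outcome(CLIENT_CFG, server, otp_user=True))
```

Note that a client configuration with no `reneg-sec` line at all falls back to 3600 seconds, so raising only the server value would still produce hourly renegotiation in that case.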