Feature Request: RDP / VPN Idle Timeout based on utilization

Hey Folks,

Right now we have Idle Timeouts on VPN and RDP connections, but the 'idle' portion seems very black & white. If the system is doing standard overhead over the connection, the link is not considered idle and will not time out, even if the connecting person is just drinking coffee all day.

While that is great for a few hours or so, some kind of limiter we can set would be great. For example, if the connection doesn't show a certain % of utilization for a period of time, it is then considered Idle. So, two hours of just routine overhead and it shuts down, for example.

Thanks for listening, and if anyone has a solution to help emulate this, then please let me know!
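One way to emulate the utilization-based idle rule proposed above in your own monitoring, as an added example (not WatchGuard code and not from the poster): it assumes you can periodically sample a session's cumulative byte counters (for example from firewall or client logs) and hand the decision to whatever disconnect mechanism you already have; the link rate, threshold and sample data are constructed for illustration.

```python
"""Utilization-based idle detection for a VPN/RDP session (added example).

A session is "idle" once no sampling interval has exceeded a utilization
threshold for longer than idle_limit_s, so routine keepalive overhead no
longer keeps the session alive indefinitely.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: float       # seconds since epoch when the counters were read
    tx_bytes: int   # cumulative bytes sent over the session
    rx_bytes: int   # cumulative bytes received over the session


def utilization(a: Sample, b: Sample, link_bps: float) -> float:
    """Fraction of link capacity (0.0-1.0) used between two samples."""
    dt = b.ts - a.ts
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    delta_bytes = (b.tx_bytes - a.tx_bytes) + (b.rx_bytes - a.rx_bytes)
    return min(1.0, (delta_bytes * 8) / (link_bps * dt))


def idle_seconds(samples, link_bps: float, threshold: float) -> float:
    """Seconds since the end of the last interval at or above threshold.

    If no interval was ever busy, this is the full span of the samples."""
    samples = sorted(samples, key=lambda s: s.ts)
    last_busy = samples[0].ts
    for a, b in zip(samples, samples[1:]):
        if utilization(a, b, link_bps) >= threshold:
            last_busy = b.ts
    return samples[-1].ts - last_busy


def should_disconnect(samples, link_bps, threshold, idle_limit_s) -> bool:
    """True when the session has been below threshold for idle_limit_s."""
    return len(samples) >= 2 and idle_seconds(samples, link_bps, threshold) >= idle_limit_s


def constructed_session(minutes: int):
    """Constructed data: 200 B/min of keepalives, plus a 10 MB/min transfer
    during minutes 10-19. One sample per minute, counters read at minute m
    reflect traffic through minute m-1."""
    out, tx, rx = [], 0, 0
    for m in range(minutes + 1):
        out.append(Sample(ts=m * 60.0, tx_bytes=tx, rx_bytes=rx))
        burst = 10_000_000 if 10 <= m < 20 else 0
        tx += 100 + burst // 2
        rx += 100 + burst // 2
    return out
```

With a 10 Mbit/s link, a 1% threshold and a two-hour limit, the constructed session is flagged at the three-hour mark (last real activity ended at minute 20) but not at the two-hour mark.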



  • james.carson Moderator, WatchGuard Representative

    Hi @Bear_W

    What VPN are you using when this occurs?

    For mobile VPN, modern client computers are usually very chatty and send traffic over the VPN quite a bit.

    For site to site VPNs, the firewall will idle an unused connection with it up until the tunnel expiration time, and then drop it. If the default of 8 hours is too long, I'd suggest reducing it. Keep in mind that this will trigger a tunnel rekey, which can cause hiccups in sensitive applications like VoIP or RDP.

    -James Carson
    WatchGuard Customer Support

  • I would agree with Bear_w that this would be a very good (not to say an important) feature to shut down open VPN tunnels after a specified period of time and to request a new login to the tunnel.

    We have the problem that users open VPN connections to the company and just forget to shut down/close those connections when going elsewhere and leave their computers powered on and active. This is often the case in a mobile working scenario. So the VPN stays active, and nobody cares about who is using the VPN tunnel on the client device's side.

    Don't know if this can be handled over a utilization rate, but there should be the option to hard close a connection after a period of time, even if it is 12 hours.


  • To clarify: for client VPN tunnels, such as SSLVPN, there should be a session timeout to shut down open tunnels after the specified elapsed time.

    Note that for Mobile SSLVPN with "Automatically reconnect" enabled on the client, it would effectively prevent the above (a need to manually re-initiate the tunnel), so there would need to be some sort of option in the SSLVPN setup to address this.

  • james.carson Moderator, WatchGuard Representative

    Do you have auto-reconnect on disconnect enabled? If the Firebox pushes a disconnect, the client will simply attempt to reconnect on that connection loss, and you'll get stuck in an endless loop of being logged in. There's a feature request that covers controlling this: FBX-19644.

    Controlling an idle timeout has a bug ID: FBX-11376.

    -James Carson
    WatchGuard Customer Support
