VPN Mobile User - session requires authentication after 4 hours

Hello,
I got FireboxV-SM running OS 12.10.1. All Mobile SSL VPN users need to re-authenticate after 4 hours. Is there a way I can increase this value? This is related to Active Directory user accounts.

Mobile SSL VPN - Renegotiation Data Channel is set to 480mins (8hrs) and there's no timer for AD for this as far as I can tell?

Am I missing something?
Thanks!

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @vmoricky

    I suppose the first place to start here would be the traffic monitor logs on your firebox. Do you see the firebox disconnecting the session in your logs?

    If you don't see anything there, check the SSLVPN client logs (right-click the SSLVPN icon, and go to view logs).

    There are a number of things that can be causing connection resets, aside from the firebox itself.

    If you need help interpreting logs, please consider opening a support case. If you decide to post them here, please ensure any public IP addresses are removed from your logs.

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson

    I can see the disconnect logs when the timeout occurs. Here's the log from the Firebox itself:

    2024-01-31 13:59:23 sslvpn Entering function sslvpn_client_event, event is 16777217
    2024-01-31 13:59:25 sessiond Session Timeout has occured 2706 userId=vpn_user1
    2024-01-31 13:59:25 firewall sess_event: Session event "Del" has no "UserMac" parameter
    2024-01-31 13:59:25 sslvpn Entering function sslvpn_client_event, event is 2097153
    2024-01-31 13:59:25 sslvpn Entering function sslvpn_client_event, event is 67108867
    2024-01-31 13:59:25 sslvpn Received Session Status Change event, current state:0x0
    2024-01-31 13:59:25 sslvpn Session delete event, entry->virtual_ip=virtual_ip, entry->real_ip=public_ip, dropin_mode=0
    2024-01-31 13:59:25 sslvpn sslvpn_delete_user_session, delete entry, entry->virtual_ip=virtual_ip, dropin_mode=0
    2024-01-31 13:59:25 sslvpn Mobile VPN with SSL user vpn_user1 logged off. Virtual IP address is virtual_ip.
    2024-01-31 13:59:25 wrapper Unsupported event type for infinityd daemon
    2024-01-31 13:59:25 sslvpn Disconnecting vpn session from public_ip:40854
    2024-01-31 13:59:25 sessiond failed on wgapi_status_query(): xpath=/toSessionClient/delete session 2706
    2024-01-31 13:59:25 sessiond Session deleted
    2024-01-31 13:59:25 sessiond process status xpath /toSessiond/updateActivity
    2024-01-31 13:59:25 sslvpn Receiving SIGCHLD from pid:6561, openvpn pid=2719, sslvpn_firecluster pid=2714
    2024-01-31 13:59:25 sslvpn Entered in sslvpn_takeaddr
    2024-01-31 13:59:25 sslvpn Arguments which needs to be sent:openvpn_del 7 0 1706705965
    2024-01-31 13:59:25 sslvpn Going to open wgipc:
    2024-01-31 13:59:25 sslvpn Success,Sending Data to sslvpn_firecluster:openvpn_del 7 0 1706705965
    2024-01-31 13:59:25 sslvpn receive logout command for client virtual_ip
    2024-01-31 13:59:25 sslvpn send session deletion request for client vip=virtual_ip OK
    2024-01-31 13:59:25 sessiond process status xpath /toSessiond/delete
    2024-01-31 13:59:25 sessiond NO existing session is found

    On the client side (OpenVPN client) it simply states:

    2024-01-31 13:59:26 Connection reset, restarting [-1]
    2024-01-31 13:59:26 SIGUSR1[soft,connection-reset] received, process restarting
    2024-01-31 13:59:26 MANAGEMENT: >STATE:1706531152,RECONNECTING,connection-reset,,,,,
    2024-01-31 13:59:27 Restart pause, 1 second(s)

    This is not specific to OpenVPN; it happens for the Mobile SSLVPN client the same way.

    Any tips on where the session timeout might be configured?

    Thank you!

  • james.carson Moderator, WatchGuard Representative

    The client logs aren't really saying anything other than there was a disconnection - I'd suggest opening a support case if you haven't done so already.

    -James Carson
    WatchGuard Customer Support
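
For triaging logs like the Firebox excerpt posted in this thread, the following added example (not part of any post and not WatchGuard code) parses that line format and marks each SSL VPN logoff that follows a sessiond "Session Timeout" for the same user. The function names, the 5-second correlation window and the `vpn_user2` line are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the Firebox excerpt in the thread, plus one constructed
# logoff for a second user (vpn_user2) that has no matching timeout.
SAMPLE = """\
2024-01-31 13:59:23 sslvpn Entering function sslvpn_client_event, event is 16777217
2024-01-31 13:59:25 sessiond Session Timeout has occured 2706 userId=vpn_user1
2024-01-31 13:59:25 sslvpn Mobile VPN with SSL user vpn_user1 logged off. Virtual IP address is virtual_ip.
2024-01-31 13:59:25 sslvpn Disconnecting vpn session from public_ip:40854
2024-01-31 14:20:10 sslvpn Mobile VPN with SSL user vpn_user2 logged off. Virtual IP address is virtual_ip.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# "occured" is the spelling in the posted log; accept the corrected form too.
TIMEOUT = re.compile(r"Session Timeout has occurr?ed (\d+) userId=(\S+)")
LOGOFF = re.compile(r"Mobile VPN with SSL user (\S+) logged off")

def parse(text):
    """Yield (timestamp, process, message) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def classify_logoffs(text, window_s=5):
    """Return one dict per SSL VPN logoff, marking whether sessiond timed the
    same user's session out within window_s seconds before it."""
    timeouts = {}  # user -> (time, session id) of the most recent timeout
    results = []
    for ts, proc, msg in parse(text):
        t = TIMEOUT.search(msg)
        if proc == "sessiond" and t:
            timeouts[t.group(2)] = (ts, t.group(1))
            continue
        o = LOGOFF.search(msg)
        if proc == "sslvpn" and o:
            user = o.group(1)
            seen = timeouts.get(user)
            hit = seen is not None and timedelta(0) <= ts - seen[0] <= timedelta(seconds=window_s)
            results.append({"time": ts.isoformat(sep=" "), "user": user,
                            "cause": "sessiond-timeout" if hit else "unattributed",
                            "session": seen[1] if hit else None})
    return results

if __name__ == "__main__":
    for row in classify_logoffs(SAMPLE):
        print(row)
```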
