topic Re: Remote VPN to disconnect after 15 minutes in SASE and Remote Access

Remote VPN to disconnect after 15 minutes

Ob1lan — Thu, 23 Sep 2021 09:00:30 GMT

Hi,

We have this new requirement from the management : we need our VPN clients to disconnect after 15 minutes of inactivity. We have both Windows and MacOS clients, using the standalone VPN clients.

I search and found some sk106952, explaining that we could edit the $FWDIR/conf/trac_client_1.ttm file. However, the values I find on the files from my gateways are different from those explained in the SK and other documentation (sk75221).

What I have in my file:

:neo_disconnect_when_idle ( :gateway (endpoint_vpn_disconnect_when_idle :default (client_decide) ) ) :neo_disconnect_when_idle_timeout ( :gateway (endpoint_vpn_disconnect_when_idle_timeout :default (client_decide) ) )

So, which value shall I edit to make our management happy ? 🙂

Thanks in advance.

Regards.

Re: Remote VPN to disconnect after 15 minutes

G_W_Albrecht — Thu, 23 Sep 2021 12:11:12 GMT

This is for Endpoint Connect Version R71, R73 only - For higher versions refer to: sk75221 - Remote Access TTM Configuration

I would suggest to open a TAC ticket...

Re: Remote VPN to disconnect after 15 minutes

Ob1lan — Thu, 23 Sep 2021 12:17:17 GMT

Hi, thanks. That's the SK I refer too in my OP, but this doesn't contain the entries I have in my file, namely

neo_disconnect_when_idle and neo_disconnect_when_idle_timeout

If possible I'd like to avoid going for a TAC, as it takes an awful lot of time for us to do so (we have to go first with our partner, and have them create a TAC for us).

Thanks

Re: Remote VPN to disconnect after 15 minutes

G_W_Albrecht — Thu, 23 Sep 2021 12:34:16 GMT

Opening a TAC case thru a CCSP takes around 20 minutes !

Re: Remote VPN to disconnect after 15 minutes

Ob1lan — Thu, 23 Sep 2021 12:36:03 GMT

🙂 As I said, I'm not entitled to do that, we have to go through our partner/reseller, as the account is under their management, not ours.

Re: Remote VPN to disconnect after 15 minutes

the_rock — Thu, 23 Sep 2021 12:48:32 GMT

There is super easy solution to this, no need for TAC case brother : ). Just follow below link and look for section I pasted. I had 4 customers do this, never a problem. Dont even bother touching trac_client_1.ttm file, no need at all, just leave it as is.

https://dl3.checkpoint.com/paid/81/814f1e719db5a506a2fdd052dcc0eab9/CP_E80.50_RemoteAccessClients_forWin_AdminGuide.pdf?HashKey=1632408252_5017b7ce0847afcd053204202badc735&xtn=.pdf

To configure tunnel idleness:
1. Connect to the Security Management Server with GuiDBedit.
2. Open the Global Properties > properties > firewall_properties object.
3. Find disconnect_on_idle and these parameters:
 do_not_check_idleness_on_icmp_packets
 do_not_check_idleness_on_these_services - Enter the port numbers for the services that
you want to ignore when idleness is checked.
 enable_disconnect_on_idle - to enable the feature
 idle_timeout_in_minutes
4. Save and install the policy.

Re: Remote VPN to disconnect after 15 minutes

Ob1lan — Thu, 23 Sep 2021 20:07:16 GMT

Hi @the_rock , thanks a lot for your answer ! I'm going to test that tonight !

What would you recommend for those parameters ?

 do_not_check_idleness_on_icmp_packets
 do_not_check_idleness_on_these_services - Enter the port numbers for the services that
you want to ignore when idleness is checked.

Thanks a lot !

Re: Remote VPN to disconnect after 15 minutes

the_rock — Thu, 23 Sep 2021 20:18:50 GMT

I never touched those...just leave them as is, though if user is tech savvy enough, they can just run continuous ping to google dns and keep the tunnel up for as long as its set in global properties. Just make sure you set to try where it says enable_disconnect_on_idle and then set minutes, push policy and thats it.

Keep us posted.

Andy

Re: Remote VPN to disconnect after 15 minutes

Ob1lan — Thu, 23 Sep 2021 21:28:29 GMT

So I've tested it, but after 30 minutes the client is still connected. In the FW logs I see usual traffic like DNS, AD, NTP, Kerberos, etc... This happened while the laptop had no use activity, no browser open, no Slack, Teams, everything closed but the VPN client...

So shall I fine-tune something ? Or is there an easiest solution to achieve my goal ?

Thanks.

Re: Remote VPN to disconnect after 15 minutes

the_rock — Thu, 23 Sep 2021 21:33:21 GMT

Not 100% sure, but I never had to change anything to make this work. I will say though it was a bit flaky with 2 customers for the first 1-2 weeks, but after that it worked fine. Can you send screenshot of changes you made in guidbedit?

Andy

Re: Remote VPN to disconnect after 15 minutes

Ob1lan — Thu, 23 Sep 2021 21:37:18 GMT

Thanks, will keep testing. Here are the settings:

Re: Remote VPN to disconnect after 15 minutes

the_rock — Thu, 23 Sep 2021 21:38:48 GMT

That looks right. As long as you installed policy after this, thats all you really need.

Re: Remote VPN to disconnect after 15 minutes

Ob1lan — Thu, 23 Sep 2021 21:45:43 GMT

Yup, installed on both our VPN gateways. Let's hope this will end-up working.

Thanks anyway 🙂

Regards

Re: Remote VPN to disconnect after 15 minutes

the_rock — Thu, 23 Sep 2021 21:47:13 GMT

Im positive it will...sadly, as you probably know, some things need time and this is one of them : - )