Using client vpn with Okta, session re-authenticates multiple times throughout the day


We are using Okta to authenticate when logging into AWS's Client VPN. Multiple times throughout the day, while logged in to the VPN, a pop-up with the Okta login will show up and require us to enter credentials again in order to continue using the VPN.

My ovpn file already has reneg-sec 0 and keepalive, and it still doesn't help. I tried creating a new VPN endpoint without Okta, and it seems I don't get prompted for re-authentication there. I contacted Okta support and they say it is 100% on AWS's side. I looked everywhere and cannot find a reason why this is happening.

1 Answer

Hello,

When you mention that the issue does not surface with Okta, it looks like a compatibility issue between Okta and the client/OS. Questions:

  1. Which OS are you using? Can you try on Mac/Windows and confirm whether it occurs on both?
  2. Which client are you using, the OpenVPN client or the AWS client? Also, is it on the latest version?
  3. Can you also provide me with the logs for the entire period when this happens? I need to know what happens in the background when re-authentication is needed. I also need to check the timers, since the AWS client supports a 24-hour session before it disconnects.
  4. Log collection as per the OS: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/windows-troubleshooting.html

Use the following steps to view the current maximum VPN session duration:

  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • In the navigation pane, choose Client VPN Endpoints.
  • Select the Client VPN endpoint that you want to view.
  • Verify that the Summary tab is selected.
  • View the current maximum VPN session duration next to Session timeout hours. You can also view other details displayed under the Summary tab.

To view the current maximum VPN session duration for a Client VPN endpoint (AWS CLI):

  • Use the describe-client-vpn-endpoints command.

To modify:

  • Select the Client VPN endpoint that you want to modify, choose Actions, and then choose Modify Client VPN Endpoint.
  • For Session timeout hours, choose the desired maximum VPN session duration time in hours.

Hope this is helpful.

AWS SUPPORT ENGINEER
answered 2 years ago
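The console steps in the answer above, expressed with the AWS CLI so the Okta-backed endpoint and the test endpoint without Okta can be compared side by side. This is an added example, not part of the original answer or AWS's own code; the function names and the endpoint IDs in the sample rows are constructed placeholders, and the two `aws` calls assume a configured AWS CLI with EC2 read/modify permissions.

```shell
#!/bin/sh
# Added example: inspect and adjust "Session timeout hours" on Client VPN endpoints.

# Print one tab-separated row per endpoint:
#   <endpoint-id> <auth-types, comma-joined> <session-timeout-hours>
list_endpoints() {
  aws ec2 describe-client-vpn-endpoints \
    --query "ClientVpnEndpoints[].[ClientVpnEndpointId, join(',', AuthenticationOptions[].Type), SessionTimeoutHours]" \
    --output text
}

# Read list_endpoints rows on stdin and print those whose session timeout
# is shorter than $1 hours. Rows without a numeric timeout are skipped.
shorter_than() {
  awk -v want="$1" -F'\t' \
    '$3 ~ /^[0-9]+$/ && ($3 + 0) < (want + 0) { print $1 "\t" $2 "\t" $3 }'
}

# Set the maximum session duration ($2, in hours) on endpoint $1.
set_timeout() {
  aws ec2 modify-client-vpn-endpoint \
    --client-vpn-endpoint-id "$1" \
    --session-timeout-hours "$2"
}

# Constructed sample of list_endpoints output (IDs are placeholders):
# one SAML/Okta endpoint with a short timeout, one certificate endpoint at 24h.
SAMPLE_ROWS=$(printf '%s\t%s\t%s\n' \
  'cvpn-endpoint-0aaaaaaaaaaaaaaaa' 'federated-authentication' '8' \
  'cvpn-endpoint-0bbbbbbbbbbbbbbbb' 'certificate-authentication' '24')

# Typical use against a real account:
#   list_endpoints | shorter_than 24
#   set_timeout cvpn-endpoint-0aaaaaaaaaaaaaaaa 24
```

If both endpoints report the same session timeout, the timeout setting does not explain the difference between them, and the client logs requested in the answer are the next place to look.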
