Using client vpn with Okta, session re-authenticates multiple times throughout the day
We are using Okta to authenticate when logging into AWS's Client VPN. Multiple times throughout the day, while logged in to the VPN, a pop-up with the Okta login will show up and require us to enter credentials again in order to continue using the VPN.
My ovpn file already has reneg-sec 0 & keepalive, and it still doesn't help. I tried creating a new VPN endpoint, without Okta, and it seems I don't get prompted for re-authentication there. I contacted Okta support and they say it is 100% on AWS's side. I looked everywhere and cannot find a reason as to why this is happening.
When you mention that the issue does not surface with Okta, it looks like a compatibility issue between Okta & Client/OS. Questions:
- Which OS are you using? Can you try on Mac/Windows and confirm whether it is occurring on both?
- Which client are you using? OpenVPN client or AWS Client? Also, is it on the latest version?
- Can you also provide me with the logs for the entire period when this happens? I need to know what happens in the background when re-authentication is needed. I also need to check the timers, since AWS Client supports a 24-hour session before it disconnects.
- Log collection as per the OS: https://docs.aws.amazon.com/vpn/latest/clientvpn-user/windows-troubleshooting.html
Use the following steps to view the current maximum VPN session duration.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Client VPN Endpoints.
- Select the Client VPN endpoint that you want to view.
- Verify that the Summary tab is selected.
- View the current maximum VPN session duration next to Session timeout hours. You can also view other details displayed under the Summary tab.
View current maximum VPN session duration for a Client VPN endpoint (AWS CLI)
- Use the describe-client-vpn-endpoints command.
- Select the Client VPN endpoint that you want to modify, choose Actions, and then choose Modify Client VPN Endpoint.
- For Session timeout hours, choose the desired maximum VPN session duration time in hours.
Hope this is helpful
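An added example, not part of the answer above or of any AWS tooling: a short Python script that reads the JSON printed by the describe-client-vpn-endpoints command, reports each endpoint's Session timeout hours and authentication type, and checks whether the gaps between observed login prompts reach that timeout or fall short of it. The endpoint IDs and prompt times are constructed placeholders, and the five-minute slack is an assumption.

```python
import json
from datetime import datetime

# Constructed sample shaped like `aws ec2 describe-client-vpn-endpoints` output.
# Endpoint IDs are placeholders, not values from the thread.
SAMPLE_ENDPOINTS = json.loads("""
{"ClientVpnEndpoints": [
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE-saml",
   "SessionTimeoutHours": 8,
   "AuthenticationOptions": [{"Type": "federated-authentication"}]},
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE-cert",
   "AuthenticationOptions": [{"Type": "certificate-authentication"}]}
]}
""")

# Constructed times at which a user noted the Okta login pop-up.
SAMPLE_PROMPTS = ["2024-01-15T08:00", "2024-01-15T11:10",
                  "2024-01-15T16:05", "2024-01-16T08:00"]

DEFAULT_TIMEOUT_HOURS = 24  # AWS default when the field is absent


def endpoint_summary(doc):
    """Map endpoint ID -> (session timeout in hours, list of auth types)."""
    out = {}
    for ep in doc.get("ClientVpnEndpoints", []):
        auth = [o.get("Type", "unknown") for o in ep.get("AuthenticationOptions", [])]
        out[ep["ClientVpnEndpointId"]] = (
            ep.get("SessionTimeoutHours", DEFAULT_TIMEOUT_HOURS), auth)
    return out


def classify_prompts(timeout_hours, prompt_times, slack_minutes=5):
    """Label each gap between prompts: 'session-timeout' if at least the
    configured maximum session duration elapsed, otherwise 'early'."""
    times = sorted(datetime.fromisoformat(t) for t in prompt_times)
    results = []
    for prev, cur in zip(times, times[1:]):
        gap_h = (cur - prev).total_seconds() / 3600
        reached = gap_h + slack_minutes / 60 >= timeout_hours
        results.append((round(gap_h, 2), "session-timeout" if reached else "early"))
    return results


if __name__ == "__main__":
    summary = endpoint_summary(SAMPLE_ENDPOINTS)
    for ep_id, (hours, auth) in summary.items():
        print(ep_id, hours, auth)
    for gap, label in classify_prompts(summary["cvpn-endpoint-EXAMPLE-saml"][0], SAMPLE_PROMPTS):
        print(f"{gap:>6} h since previous prompt -> {label}")
```

Gaps labelled `early` are shorter than the endpoint's maximum session duration, so the Session timeout hours setting alone does not account for them and the client logs for those times are the next thing to read.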