SSL VPN Users show as Active multiple times and we run out of licenses
We have a 40 user license for SSL VPN. It works great except there are two users -- always the same two -- who, for some reason, show as Actively connected multiple times, thus chewing up licenses and denying other users access with a "Maximum SSL VPN licenses is reached." In the graphic below, the blacked-out entries are all the same user from his laptop. He actually had 12 simultaneous connections.
SonicAdmin80 Cybersecurity Overlord ✭✭✭
This can happen if the end user has a poor network connection that keeps dropping and the renegotiation doesn't work as expected, so it opens up a completely new connection. The old sessions stay in the active connection list using a license until the set idle timeout runs out.
This can be avoided by setting "Enforce login uniqueness" under users->settings. Then set "Inactivity Timeout" under SSL-VPN settings to a shorter time, to 30 minutes for example, after which the idle stale connections are cleaned out. Expect some calls from the affected users about "I can't login to the VPN and it gives this error message...". They have to wait the timeout period after an unclean disconnection. The end users' connectivity has some issues if this keeps happening regularly.
SMA devices handle this a bit better, where the new connection replaces the old one automatically, but this isn't available in the firewall appliances. They have to have some selling point for the SMA. 😁1
Does it happen when the same user logs in from a different device? Have you re-installed NetExtender? What firmware version are you running? You haven't given us anything to work with...
Each user has one device - a laptop (one is a Surface Book running Windows 10, the other is a Dell running Windows 10).
I have not tried logging is as the users from a different device.
I have re-installed NetExtender on one of the devices.
While "Enforce login uniqueness" is a good option, but it cannot be used in an environment where SSO is used. The firewall will deny any new "logins" if the user was recently identified as logged in from another device (e.g. remote user logs in via SSLVPN (first login), then RDPs to a local resource using the same credentials (second login), or vice versa).
Good point, I'm not using SSO in any environment currently. If login uniqueness can't be used I guess the only option is to fix the end user network stability, or move to a SMA or another VPN solution.
Thank you, TKWITS and SONICADMIN80, for your very good information. I will try your suggestions right away.