Resolve Sophos Firewall IPsec Remote Access Timeout After 4 Hours
If Sophos Connect with IPsec Remote Access disconnects after approximately four hours or users need to re-enter an OTP, the cause is often not the client itself. In many environments, this behaviour is related to the IKE lifetime in the IPsec profile being used. During re-keying or re-authentication, the client may trigger a new login.
This article explains how to assess the behaviour, which logs are relevant, and how to adjust the value properly through a custom IPsec profile. For the basic configuration of Sophos Connect, start with Configure Sophos Connect on Sophos Firewall. For deciding between IPsec, SSL VPN, mobile clients, and ZTNA, Sophos Connect or SSL VPN: Which Remote Access Solution Fits? is a better starting point.
⚠️ Important: Not every disconnection after a few hours is automatically a key-life issue. First, check if the current IPsec Remote Access, the
DefaultRemoteAccessprofile or a derived profile, OTP/MFA, and relevant VPN logs are involved.
Typical Error Pattern
This issue usually arises in helpdesk or operational cases:
- Sophos Connect regularly disconnects after about four hours.
- Users must confirm OTP or MFA again after disconnection.
- The connection is stable beforehand and works again after re-login.
- Other VPN profiles or SSL VPN connections do not show this behaviour.
- The VPN log shows entries related to IKE, SPI, or re-keying.
If the connection randomly drops, only fails in certain networks, or does not transport traffic immediately after establishment, general IPsec VPN Troubleshooting is more appropriate.
First Exclude Legacy Remote Access IPsec
Especially in older environments, it should first be clarified which IPsec remote access variant is in use. This article addresses the current remote access IPsec configuration with Sophos Connect and IPsec profiles. It is not the right starting point if Legacy Remote Access IPsec is still present or an upgrade to SFOS 22.0 MR1 is blocked.
Practical classification:
- Connection disconnects after a similar duration, then reconnects: continue using this article.
- Upgrade to SFOS 22.0 MR1 or newer is blocked due to Legacy IPsec: Migrate Legacy Remote Access IPsec before SFOS 22 MR1
- Tunnel is connected, but internal targets are unreachable: Sophos Firewall IPsec VPN Troubleshooting
- Users should switch from IPsec to SSL VPN, ZTNA, or another model: Sophos Connect or SSL VPN: Which Remote Access Solution Fits?
This distinction is important because key-life tuning does not replace a migration concept. If an old legacy configuration is still on the firewall, it should be properly documented, replaced, and removed before a major firmware upgrade.
Why the Timeout Occurs
Sophos Connect uses an IPsec profile for IPsec Remote Access. In many environments, this is based on DefaultRemoteAccess. The lifetime of the IKE Security Association is defined there. When this lifetime is reached, the connection must be renegotiated. Depending on the authentication method and client behaviour, a new OTP entry may be required.
The commonly mentioned technical value is ikekeylife. A value of 18000 seconds corresponds to five hours. In practice, the new negotiation may become visible earlier, which is why users often speak of about four hours.
The professional decision is important: A longer value reduces re-authentications but also extends the lifetime of the IKE-SA. This is an operational and security decision, not just a comfort switch.
Check Logs
In the Log Viewer or VPN logs, messages about invalid SPI values may appear. Such entries can indicate that an old or expired IKE phase 1 session is being addressed.
Example:
VPN 2023-12-12 06:33:48 IPSec Deny Received IKE message with invalid SPI (421B67D8) from the remote gateway. 18050
VPN 2022-12-12 06:33:47 IPSec Deny Received IKE message with invalid SPI (13B56627) from the remote gateway.18050
VPN 2022-12-12 06:33:46 IPSec Deny Received IKE message with invalid SPI (EDA41714) from the remote gateway.18050
Such entries alone do not yet prove the complete cause. Time stamps, affected users, Sophos Connect status, authentication method, and profile changes should be considered together. For recurring VPN issues, additionally Secure Sophos Firewall Logs for Support and Analysis and Sophos Firewall Troubleshooting: Services and Logs can help.
Adjust IPsec Profile via the GUI
The cleaner method is not to work directly on the standard profile but to clone the profile and consciously use the new value for remote access.
The menu path is:
Configure > VPN > IPsec profiles
Procedure:
- Open the existing
DefaultRemoteAccessprofile. - Clone the profile.
- Name the new profile clearly, for example,
RemoteAccess_OTP_10h. - Set
Key lifeor IKE lifetime to the desired value. - Save.
- Select the new profile in the IPsec Remote Access settings.
- Re-export or distribute the Sophos Connect configuration.
- Test with pilot users.


After the change, it is not enough to just save the firewall. The affected Sophos Connect profiles must be redistributed or re-imported. For client operation and versions, see Check and Securely Update Sophos Connect Client Version. For Windows installations, see Install Sophos Connect Client on Windows, for macOS Install Sophos Connect Client on macOS.
Calculate Value for Longer OTP Intervals
If users should re-enter OTP approximately every n hours, the following rule of thumb is often used:
ikekeylife = (n + 1) * 3600
Example for about ten hours:
ikekeylife = (10 + 1) * 3600
ikekeylife = 39600
The value should not simply be set to the maximum. In productive environments, first clarify:
- What is the maximum session duration acceptable from a security perspective?
- Does the value fit working hours, shift operations, and helpdesk processes?
- Is OTP, RADIUS-MFA, Entra ID SSO, or another authentication used?
- Are there compliance requirements for re-authentication?
- Does reconnect work reliably with the current Sophos Connect client?
For MFA basics on the firewall, see Enable MFA for Sophos Firewall WebAdmin, VPN Portal, and Remote Access. If Microsoft Entra ID SSO is in use, also consider Set Up Microsoft Entra ID SSO for Sophos Connect and VPN Portal.
Why Direct Database Changes Are Not Recommended
Older runbooks sometimes include direct changes in the Advanced Shell or SQL commands against the firewall database. This is not recommended for normal operations.
Reasons:
- The intervention bypasses normal WebAdmin validation.
- Incorrect values can disrupt VPN profiles or remote access.
- Changes are less traceable.
- In support cases, a clean GUI change is easier to explain.
- Internal behaviour may change after updates.
Therefore, the value should be set via a custom IPsec profile in WebAdmin. Direct database changes should only be in a clear Sophos support context and not in a normal admin guide.
Test the Change
After the adjustment, a small test with pilot users should be conducted.
Checkpoints:
- New profile is selected in Remote Access IPsec.
- Sophos Connect configuration has been re-imported.
- Connection establishes successfully.
- Internal targets are reachable.
- DNS, routing, and firewall rules work.
- Reconnect after the expected period behaves as planned.
- VPN logs show no unexpected errors.
If the connection is established but no traffic flows, the issue is more likely with routes, firewall rules, NAT, or DNS. Then Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture can help.
Common Mistakes
- Standard profile changed directly: Other remote access scenarios may be unintentionally affected Clone profile and assign specifically.
- Client profile not redistributed: Users continue to use old settings Re-export and import Sophos Connect configuration.
- Too long key-life value: Less re-authentication but longer session Evaluate security and operational requirements together.
- Only client reinstalled: Firewall profile remains unchanged Check firewall profile and client configuration together.
- Logs not checked: Wrong cause assumed Compare timestamps, users, SPI/IKE logs, and MFA behaviour.
- Database changed directly: Risk of support and configuration issues Use GUI profile.
Operational Checklist
- Record affected users and times.
- Check if IPsec Remote Access with Sophos Connect is used.
- Check VPN logs for IKE, SPI, and re-keying indications.
- Identify the IPsec profile used.
- Clone
DefaultRemoteAccessinstead of changing directly. - Professionally determine target value for IKE Key Life.
- Assign new profile in Remote Access IPsec.
- Redistribute client configuration.
- Test with pilot users and inform helpdesk.
- Check after a few days if fewer OTP reconnect cases occur.