OpenVpn reconnects when session token expired

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Post by slepage » Wed Oct 04, 2023 6:27 pm

We have successfully set up our OpenVPN server with Auth (username / password) and DUO MFA. On the server side we enabled Tokens that are valid for 12hr so that the client can reconnect from sleep or reneg the key (reneg set to 3600).

On the server / client we are running the following relevant settings:

auth-gen-token 43200
keepalive 10 240
reneg 3600

Everything works as expected including no additional MFA push if the token is valid (good for 12hr).

The problem we have encountered is that if a user leaves the client running and the device powered on, after 12hr the session expires and the VPN client automatically tries to reconnect with the cached username / password (this happens whether the user has checked the save password box or not!). This causes MFA pushes, as it's a re-auth and not a token login, which, if the user ignores them, locks their MFA account, which we have to unlock in the morning. I have looked at the docs and searched the internet but cannot find what I am missing to get the VPN client to simply disconnect and not try to reconnect when the token (session) has expired.

Here is an excerpt from when the client tries to reconnect. At the start you can see it tries to use the token, which is expired, then switches to user/password (which is where we start to get MFA pushes) and goes on trying almost infinitely.

[Oct 3, 2023, 22:53:41] Connecting to [CENTUSO.COMPANY.COM]:XXXX (XXX.XX.XXX.XXX) via UDPv4
[Oct 3, 2023, 22:53:41] EVENT: CONNECTING
[Oct 3, 2023, 22:53:41] Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
[Oct 3, 2023, 22:53:41] Creds: Username/SessionID
[Oct 3, 2023, 22:53:41] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

[Oct 3, 2023, 22:53:41] SSL Handshake: peer certificate: CN=CENTUSO.COMPANY.COM, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Oct 3, 2023, 22:53:41] Session is ACTIVE
[Oct 3, 2023, 22:53:41] EVENT: GET_CONFIG
[Oct 3, 2023, 22:53:41] Sending PUSH_REQUEST to server...
[Oct 3, 2023, 22:53:41] SESSION_AUTH_FAILED
[Oct 3, 2023, 22:53:41] Client terminated, restarting in 2000 ms...
[Oct 3, 2023, 22:53:43] EVENT: RECONNECTING
[Oct 3, 2023, 22:53:43] EVENT: RESOLVE
[Oct 3, 2023, 22:53:43] Contacting XXX.XX.XXX.XXX:XXXX via UDP
[Oct 3, 2023, 22:53:43] EVENT: WAIT
[Oct 3, 2023, 22:53:43] WinCommandAgent: transmitting bypass route to XXX.XX.XXX.XXX
{
"host" : "XXX.XX.XXX.XXX",
"ipv6" : false
}

[Oct 3, 2023, 22:53:43] Connecting to [CENTUSO.COMPANY.COM]:XXXX (XXX.XX.XXX.XXX) via UDPv4
[Oct 3, 2023, 22:53:43] EVENT: CONNECTING
[Oct 3, 2023, 22:53:43] Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
[Oct 3, 2023, 22:53:43] Creds: Username/Password
[Oct 3, 2023, 22:53:43] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

[Oct 3, 2023, 22:54:23] Session invalidated: KEEPALIVE_TIMEOUT
[Oct 3, 2023, 22:54:23] Client terminated, restarting in 2000 ms...
[Oct 3, 2023, 22:54:25] EVENT: RECONNECTING
[Oct 3, 2023, 22:54:25] EVENT: RESOLVE
[Oct 3, 2023, 22:54:25] Contacting XXX.XX.XXX.XXX:XXXX via UDP
[Oct 3, 2023, 22:54:25] EVENT: WAIT
[Oct 3, 2023, 22:54:25] WinCommandAgent: transmitting bypass route to XXX.XX.XXX.XXX
{
"host" : "XXX.XXX.XXX.XXX",
"ipv6" : false
}
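
One way to spot this fallback in collected client logs, as an added example that is not part of the original post or of OpenVPN's own tooling: it flags each rejected session token (`Creds: Username/SessionID` followed by `SESSION_AUTH_FAILED`) and records every `Creds: Username/Password` reconnect after it, which per the post are the attempts that produce MFA pushes. The function name, the sample log, and the use of `EVENT: CONNECTED` as the marker of a successful login are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the client log lines quoted in the post above.
SAMPLE_LOG = """\
[Oct 3, 2023, 22:53:41] EVENT: CONNECTING
[Oct 3, 2023, 22:53:41] Creds: Username/SessionID
[Oct 3, 2023, 22:53:41] SESSION_AUTH_FAILED
[Oct 3, 2023, 22:53:41] Client terminated, restarting in 2000 ms...
[Oct 3, 2023, 22:53:43] EVENT: RECONNECTING
[Oct 3, 2023, 22:53:43] Creds: Username/Password
[Oct 3, 2023, 22:54:23] Session invalidated: KEEPALIVE_TIMEOUT
[Oct 3, 2023, 22:54:25] EVENT: RECONNECTING
[Oct 3, 2023, 22:54:27] Creds: Username/Password
"""

TS_FORMAT = "%b %d, %Y, %H:%M:%S"
LINE_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
RETURN_SYMBOL = "\u23ce"  # copied logs may use this glyph in place of newlines


def find_password_fallbacks(log_text):
    """Return one episode per rejected session token, with the timestamps
    of every password-based reconnect that followed it."""
    episodes, last_creds, current = [], None, None
    for raw in log_text.replace(RETURN_SYMBOL, "\n").splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # Peer Info / JSON continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        msg = m.group(2).strip()
        if msg.startswith("Creds:"):
            last_creds = msg.split(":", 1)[1].strip()
            if current is not None and last_creds == "Username/Password":
                current["password_retries"].append(ts)
        elif msg.startswith("SESSION_AUTH_FAILED") and last_creds == "Username/SessionID":
            current = {"token_rejected": ts, "password_retries": []}
            episodes.append(current)
        elif msg.startswith("EVENT: CONNECTED"):
            current = None  # assumption: this event marks a completed login
    return episodes


if __name__ == "__main__":
    for ep in find_password_fallbacks(SAMPLE_LOG):
        print(ep["token_rejected"], "token rejected;",
              len(ep["password_retries"]), "password reconnect(s) followed")
```
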


Re: OpenVpn reconnects when session token expired

Post by davide@wpweb.com » Sun Mar 24, 2024 6:26 pm

Hello,
same problem here.
Did you solve it?
