diff --git a/testing/internal/e2e/tests/base/target_tcp_connect_session_max_seconds_test.go b/testing/internal/e2e/tests/base/target_tcp_connect_session_max_seconds_test.go
index 7e4e9872ce..dfc266f375 100644
--- a/testing/internal/e2e/tests/base/target_tcp_connect_session_max_seconds_test.go
+++ b/testing/internal/e2e/tests/base/target_tcp_connect_session_max_seconds_test.go
@@ -15,10 +15,10 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// TestCliTcpTargetConnectTargetWithSessionMaxSeconds connects to a target that
-// has session max seconds defined. An error should return when trying to
-// connect to the target after the time limit has been reached.
-func TestCliTcpTargetConnectTargetWithSessionMaxSeconds(t *testing.T) {
+// TestCliTcpTargetConnectTargetWithSessionMaxSecondsTearDown connects to a
+// target that has session max seconds defined and executes a long-running
+// script. The session should end once the time limit has reached.
+func TestCliTcpTargetConnectTargetWithSessionMaxSecondsTearDown(t *testing.T) {
 	e2e.MaybeSkipTest(t)
 	c, err := loadTestConfig()
 	require.NoError(t, err)
@@ -81,3 +81,79 @@ func TestCliTcpTargetConnectTargetWithSessionMaxSeconds(t *testing.T) {
 		t.Fatal("Timed out waiting for session command to exit")
 	}
 }
+
+// TestCliTcpTargetConnectTargetWithSessionMaxSecondsRejectNew connects to a
+// target that has session max seconds defined. An error should return when
+// trying to connect to the target after the time limit has been reached.
+func TestCliTcpTargetConnectTargetWithSessionMaxSecondsRejectNew(t *testing.T) {
+	e2e.MaybeSkipTest(t)
+	c, err := loadTestConfig()
+	require.NoError(t, err)
+
+	ctx := context.Background()
+	boundary.AuthenticateAdminCli(t, ctx)
+	newOrgId := boundary.CreateNewOrgCli(t, ctx)
+	t.Cleanup(func() {
+		ctx := context.Background()
+		boundary.AuthenticateAdminCli(t, ctx)
+		output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("scopes", "delete", "-id", newOrgId))
+		require.NoError(t, output.Err, string(output.Stderr))
+	})
+	newProjectId := boundary.CreateNewProjectCli(t, ctx, newOrgId)
+	sessionMaxSeconds := 7
+	newTargetId := boundary.CreateNewTargetCli(
+		t,
+		ctx,
+		newProjectId,
+		c.TargetPort,
+		target.WithAddress(c.TargetAddress),
+		target.WithSessionMaxSeconds(uint32(sessionMaxSeconds)),
+	)
+
+	// Start a session
+	var start time.Time
+	ctxCancel, cancel := context.WithCancel(context.Background())
+	port := "12345"
+	sessionChannel := make(chan *e2e.CommandResult)
+	go func() {
+		start = time.Now()
+		t.Logf("Starting session... %s", start)
+		sessionChannel <- e2e.RunCommand(ctxCancel, "boundary",
+			e2e.WithArgs(
+				"connect",
+				"-target-id", newTargetId,
+				"-listen-port", port,
+				"-format", "json",
+			),
+		)
+	}()
+	t.Cleanup(cancel)
+	boundary.WaitForSessionCli(t, ctx, newProjectId)
+
+	// Start connections. Expect an error once the time limit is reached
+	t.Log("Creating connections...")
+	for {
+		t.Log(time.Now())
+		output := e2e.RunCommand(ctx, "ssh",
+			e2e.WithArgs(
+				"localhost",
+				"-p", port,
+				"-l", c.TargetSshUser,
+				"-i", c.TargetSshKeyPath,
+				"-o", "UserKnownHostsFile=/dev/null",
+				"-o", "StrictHostKeyChecking=no",
+				"-o", "IdentitiesOnly=yes", // forces the use of the provided key
+				"hostname -i;",
+			),
+		)
+
+		if output.Err != nil {
+			break
+		}
+
+		// Ensure that time limit has not been reached yet
+		// (plus a small buffer)
+		require.Less(t, time.Since(start).Seconds(), float64(sessionMaxSeconds+1))
+		time.Sleep(time.Second)
+	}
+}