diff --git a/heat/common/context.py b/heat/common/context.py
index c2b48611ae..bc516030da 100644
--- a/heat/common/context.py
+++ b/heat/common/context.py
@@ -38,6 +38,8 @@ from heat.engine import clients
 LOG = logging.getLogger(__name__)
 
 
+cfg.CONF.import_opt('client_retry_limit', 'heat.common.config')
+
 # Note, we yield the options via list_opts to enable generation of the
 # sample heat.conf, but we don't register these options directly via
 # cfg.CONF.register*, it's done via ks_loading.register_auth_conf_options
@@ -122,6 +124,7 @@ class RequestContext(context.RequestContext):
         self._session = None
         self._clients = None
         self._keystone_session = session.Session(
+            connect_retries=cfg.CONF.client_retry_limit,
             **config.get_ssl_options('keystone'))
         self.trust_id = trust_id
         self.trustor_user_id = trustor_user_id
diff --git a/lower-constraints.txt b/lower-constraints.txt
index e7bd5f3fd2..b0678d3db9 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -42,7 +42,7 @@ jmespath==0.9.3
 jsonpatch==1.21
 jsonpointer==2.0
 jsonschema==2.6.0
-keystoneauth1==3.4.0
+keystoneauth1==3.18.0
 keystonemiddleware==4.17.0
 kombu==4.0.0
 linecache2==1.0.0
diff --git a/requirements.txt b/requirements.txt
index a194c349d9..656bfaca27 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,7 +7,7 @@ Babel!=2.4.0,>=2.3.4 # BSD
 croniter>=0.3.4 # MIT License
 cryptography>=2.1 # BSD/Apache-2.0
 eventlet!=0.18.3,!=0.20.1,!=0.21.0,!=0.23.0,!=0.25.0,>=0.18.2 # MIT
-keystoneauth1>=3.4.0 # Apache-2.0
+keystoneauth1>=3.18.0 # Apache-2.0
 keystonemiddleware>=4.17.0 # Apache-2.0
 lxml!=3.7.0,>=3.4.1 # BSD
 netaddr>=0.7.18 # BSD