Troubleshooting Tip: Addressing VPN connection issues due to frequent IP-address changes on LTE/5G mobile networks
| Description | This article describes a solution for VPN connection failures due to frequent IP-address updates when on a mobile network. |
| Scope | FortiGate, FortiClient. |
| Solution | Most mobile networks do not assign a unique public IP to each device. Instead, they put millions of devices behind shared NAT pools. This means a device's public IP can change, and these changes can happen every few minutes, sometimes even within seconds. |
SSL VPN

If a mobile device's IP-address change results in SSL VPN connection failure, use the following commands on the FortiGate:

```
config vpn ssl settings
    set auth-session-check-source-ip disable
end
```

It is critical to understand the security implication of disabling this check, namely session hijacking: an authenticated session is no longer tied to the source IP from which it was established. Exercise caution when introducing this fix.
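To make the trade-off concrete, here is an added illustrative model in Python of the behaviour that auth-session-check-source-ip controls. It is not FortiGate code and is not from the article; the gateway, the session table, the user name and the IP addresses (documentation ranges) are constructed for the example. With the check enabled, a roaming LTE/5G client whose carrier NAT address changes is dropped (the failure the article describes); with it disabled, the same session cookie is honoured from any address, including one that never authenticated, which is the hijacking risk the article warns about.

```python
"""
Illustrative model (constructed for this example, not FortiGate code) of a VPN
gateway session table with and without source-IP binding, mirroring the
enable/disable switch of auth-session-check-source-ip.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    source_ip: str  # address observed when the user authenticated


class Gateway:
    """Toy session store; the check flag models auth-session-check-source-ip."""

    def __init__(self, check_source_ip: bool):
        self.check_source_ip = check_source_ip
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, source_ip: str) -> str:
        """Authenticate a user and hand back a random session cookie."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(user, source_ip)
        return cookie

    def request(self, cookie: str, source_ip: str) -> str:
        """Validate a cookie presented from source_ip and return the verdict."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "rejected: unknown session"
        if self.check_source_ip and source_ip != sess.source_ip:
            # Path a roaming mobile client hits: the cookie is valid, but the
            # carrier NAT pool handed the device a new public address. The
            # session is torn down, so the client must re-authenticate.
            del self.sessions[cookie]
            return "rejected: source IP changed"
        return f"ok: {sess.user}"


def simulate(check_source_ip: bool) -> list[str]:
    """Run a constructed request sequence and return the gateway's verdicts."""
    gw = Gateway(check_source_ip)
    cookie = gw.login("alice", "203.0.113.10")  # carrier NAT address #1 (constructed)
    return [
        gw.request(cookie, "203.0.113.10"),  # same address: accepted either way
        gw.request(cookie, "203.0.113.57"),  # NAT pool rotated the client's address
        gw.request(cookie, "198.51.100.4"),  # same cookie presented from an unrelated host
    ]


if __name__ == "__main__":
    for flag in (True, False):
        state = "enable" if flag else "disable"
        print(f"auth-session-check-source-ip {state}:")
        for verdict in simulate(flag):
            print("   ", verdict)
```

With the check enabled the second request fails and the third is refused because the session was already torn down; with it disabled all three succeed, including the one from an address that never logged in. That last line is the cost of the fix: the gateway can no longer distinguish a legitimately roaming client from a replayed session, so compensating controls (short session lifetimes, MFA, monitoring for the same session appearing from distant addresses) matter more once the setting is disabled.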
Note:
IPsec

There is no equivalent setting for IPsec. However, other methods are available for addressing frequent IP-address changes on mobile networks.

The two features that can improve user experience are session resumption, available with IKEv2 and configured on the FortiGate (refer to this article: Troubleshooting Tip: Bulletproofing SSL and IPsec Dial-Up VPN Connections), and the Always-Up setup via the Remote Access endpoint profile on FortiClient EMS.

Related document: Save password, auto connect, and always up | FortiClient 7.4.5 | Fortinet Document Library
