stukat
New Member
June 23, 2014
Question

Keep alive

I am using SSL-VPN (FortiClient 5.0.7.333) with a 100D. It is still in its testing phase and I have had several users complain about the tunnel dropping. My understanding from them is that their sessions were active when this happened. I went into the FortiGate, Endpoint Protection, FortiClient Profiles, and verified that keepalive is set to 180000 seconds. Can I do anything else to ensure that the tunnel remains up & active regardless of (in)activity?

    <endpoint_control>
        <enabled>1</enabled>
        <!--keepalive timeout in seconds-->
        <keepalive_timeout>1800000</keepalive_timeout>
        <custom_ping_server />
        <offnet_update>1</offnet_update>

    4 replies

    emnoc
    New Member
    June 23, 2014
    What do you have configured for SSL inactivity timers? It might be as simple as setting the timer to "0", but that might not be wise in a high count env, e.g.

        config vpn ssl settings
            set sslvpn-enable enable
            set sslv3 enable
            set dns-server1 0.0.0.0
            set dns-server2 0.0.0.0
            set route-source-interface disable
            set reqclientcert disable
            set sslv2 disable
            set force-two-factor-auth disable
            set force-utf8-login disable
            set servercert "self-sign"
            set algorithm default
            set idle-timeout 300 <--change this to "0"
            set auth-timeout 28800
            set tunnel-ip-pools "SSLVPN-P-TUN-0"
            set portal-heading ' '
            set wins-server1 0.0.0.0
            set wins-server2 0.0.0.0
            set url-obscuration disable
            set http-compression disable
        end
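A check for the trade-off raised in the reply above, as an added example that is not part of the thread and not a Fortinet tool: it parses a `config vpn ssl settings` block and lists the settings that remove session limits or weaken the login. The function names `parse_settings` and `review` are hypothetical, the sample is constructed from the settings posted above with `idle-timeout` already changed, and it assumes, as the reply does, that `0` turns a timer off.

```python
import shlex

# Constructed sample: settings from the reply above, with idle-timeout
# already changed to 0 as suggested (unrelated lines left out).
SAMPLE = """\
config vpn ssl settings
    set sslvpn-enable enable
    set sslv3 enable
    set sslv2 disable
    set reqclientcert disable
    set force-two-factor-auth disable
    set servercert "self-sign"
    set idle-timeout 0
    set auth-timeout 28800
end
"""

def parse_settings(text):
    """Collect 'set <key> <value>' lines inside 'config vpn ssl settings'."""
    settings, inside = {}, False
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("<--")[0])  # ignore forum annotations
        if tokens[:4] == ["config", "vpn", "ssl", "settings"]:
            inside = True
        elif tokens[:1] == ["end"]:
            inside = False
        elif inside and len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = " ".join(tokens[2:])
    return settings

def review(settings):
    """Return (key, note) pairs for settings that lengthen or weaken sessions."""
    notes = []
    if settings.get("idle-timeout") == "0":
        notes.append(("idle-timeout", "idle sessions are never disconnected"))
        if settings.get("auth-timeout") == "0":
            notes.append(("auth-timeout", "no forced re-authentication either"))
    for proto in ("sslv2", "sslv3"):
        if settings.get(proto) == "enable":
            notes.append((proto, "obsolete protocol version is enabled"))
    if (settings.get("force-two-factor-auth") == "disable"
            and settings.get("reqclientcert") == "disable"):
        notes.append(("force-two-factor-auth",
                      "neither two-factor nor a client certificate is required"))
    return notes

if __name__ == "__main__":
    for key, note in review(parse_settings(SAMPLE)):
        print(f"{key}: {note}")
```

With `idle-timeout 0`, the `auth-timeout` value is the remaining limit on an unattended tunnel, so it is the setting to keep non-zero.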
    stukat (Author)
    New Member
    June 23, 2014
    I anticipate fewer than 50 connections at any given time. I have made the change to the idle-timeout and am hopeful this will resolve the issue. Thanks for your help.
    stukat (Author)
    New Member
    June 24, 2014
    I tested it last night and while the VPN was up I noticed that the times only showed 34 minutes. It should have been up about 7 hours. I gather it dropped and reconnected. I also added the "always up" command to the VPN. Is this necessary?
    emnoc
    New Member
    June 24, 2014
    Yes, that should be okay, and you can check the logs for the last vpn ssl-establishments to confirm. Also, the FortiClient has a setting worded such as "Keep connection alive until manually stop". You should review the client's FortiClient settings.