SSLVPN login fails before 7AM EDT

Forum|Forum|2 years ago
April 22, 2024
3 replies
1198 views

I have at least three customer sites that have users complaining that they cannot log in to the SSLVPN on their firewalls before 7AM Eastern. All three customer sites are running 7.0.14. Two of them are SAML for auth, one is LDAP. They were all exhibiting the same problem when they were running on 6.4.15.

Multiple attempts before 7AM fail, and shortly after that the attempts succeed. It doesn't appear to matter if the user suspends the computer or not overnight, or if they manually disconnect at the end of the day vs just letting the connection drop.

At least one group of users is getting the error message "Login Page did not respond within time limit", which in google points me at setting the global auth timeout setting to 30s -- it's already 60s, so that isn't it.

Anyone have any other ideas that I should look at?

SSL-VPN

AEK

SuperUser

Do you have any related local-in-policy with a schedule?

config firewall local-in-policy

AEK

ede_pfau

SuperUser

I would set the FGT's clock to 6:55 AM one night, and try to connect. If I get an error, it's the FGT.

Besides schedules you should have a look at when updates are drawn, maybe the CPU spikes for too long when ingesting the updates (which would indicate an issue in FortiOS).

akanibek

Staff

I would also suggest to grab debugs for nonworking, and working attempts:

diag debug reset

diag debug console timestamp enable

#diag debug app fnbamd -1 << for LDAP

#diag debug app samld -1 << for SAML

diag debug app sslvpn -1

diagnose debug enable

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded