MZBZ
Staff
Article Id 372522
Description

This article describes how the FortiClient IPSec dial-up VPN's IKEv2 Session Resumption feature operates in relation to DPD (Dead Peer Detection) and the FortiGate FortiOS tunnel management procedure. It includes a PowerShell one-liner and a script for detailed monitoring of the FortiClient IKE daemon logs, as well as changes to Windows network interfaces and the routing table.

Scope

FortiClient dial-up VPN.
Solution

The client-resume feature in FortiClient does NOT activate automatically without specific triggering conditions, such as a network change or the system resuming from sleep mode. It is important to note that the client-resume-interval is solely a configuration on the FortiGate side.

FortiClient does not interpret or act on the client-resume-interval; instead, this configuration allows FortiGate to temporarily suspend tunnel-flushing for the specified duration (in seconds) when a Dead Peer Detection (DPD) failure is identified.


In FortiClient, the client-resume setting can only be enabled or disabled:

  • Enabled: Temporarily suspends DPD failure logic when a triggering condition (e.g., network or OS-level changes) is detected.
  • Disabled: Consistently enforces DPD failure logic regardless of triggering conditions.

Client-resume is not triggered by packet loss, not even by 100% packet loss. Triggering conditions must be network interface or operating system-level events, such as:

  • Unplugging a wired network interface cable.
  • Changing the connected Wi-Fi SSID.
  • Resuming the computer from sleep mode (the following PowerShell one-liner and the attached PowerShell script can be used to monitor this).

FortiClient differentiates between a network interface being disconnected or unplugged and a network interface being disabled.

  • A disconnected or unplugged network can trigger client-resume.
  • A disabled network, at least in the current implementation (v7.4.2), results in the tunnel being flushed rather than triggering client-resume.

To assist with deeper analysis, a customized PowerShell script is attached to this article. When prompted for an IP address during execution, provide the IKE gateway address or any other IP address of interest. With this script, one can:

  • Experiment with different interface settings (e.g., disconnecting, disabling, or reconnecting the network).
  • Monitor how Windows and FortiClient work together to update the Windows routing table dynamically.


This analysis will provide valuable insights into how various configurations and events affect the system's behavior in real-time. Additionally, the following PowerShell one-liner can be used to monitor IKE daemon logs for relevant entries related to DPD failures or client-resume triggers:


Get-Content -Path "C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_1.log" -Wait -Tail 10 | Select-String -Pattern "dpd|resume|network|flush|delete|established|install|vnic|metric|nw|daemon|route"
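The following script is an added example and is not the PowerShell script attached to this article. It extends the one-liner above by running the IKE log tail in a background job while polling the Windows adapter states and the routes relevant to the VPN (the default routes and any route towards the gateway address), and prints every change with a timestamp so that a DPD failure or client-resume entry in FortiIKE_1.log can be matched to the interface or routing event that preceded it. It assumes the default FortiClient log path and an elevated PowerShell 5.1 or newer session.

```powershell
# Added example, not the script attached to the article: correlate FortiClient IKE daemon
# log entries with Windows adapter state and routing-table changes, all timestamped.
# Assumptions: default FortiClient trace log path; run in an elevated PowerShell session.
param(
    [string]$GatewayIp   = (Read-Host 'IKE gateway (or other IP address of interest)'),
    [string]$LogPath     = 'C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_1.log',
    [int]   $PollSeconds = 1
)

# Same keyword filter as the one-liner in the article.
$pattern = 'dpd|resume|network|flush|delete|established|install|vnic|metric|nw|daemon|route'

function Write-Event {
    param([string]$Source, [string]$Message)
    '{0:HH:mm:ss.fff} [{1,-6}] {2}' -f (Get-Date), $Source, $Message
}

# One line per adapter: name, interface index, link status and speed.
function Get-AdapterSnapshot {
    Get-NetAdapter | Sort-Object InterfaceIndex | ForEach-Object {
        '{0} ifIndex={1} status={2} speed={3}' -f $_.Name, $_.InterfaceIndex, $_.Status, $_.LinkSpeed
    }
}

# One line per route that matters for the tunnel: default routes and host/network routes to the gateway.
function Get-RouteSnapshot {
    Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' -or $_.DestinationPrefix -like "$GatewayIp/*" } |
        Sort-Object InterfaceIndex, DestinationPrefix | ForEach-Object {
            '{0} via {1} ifIndex={2} metric={3}' -f $_.DestinationPrefix, $_.NextHop, $_.InterfaceIndex, $_.RouteMetric
        }
}

# Print added (+) and removed (-) lines between two snapshots; tolerates empty snapshots.
function Show-Diff {
    param([string]$Source, [string[]]$Old, [string[]]$New)
    foreach ($line in $New) { if ($Old -notcontains $line) { Write-Event $Source "+ $line" } }
    foreach ($line in $Old) { if ($New -notcontains $line) { Write-Event $Source "- $line" } }
}

# Tail the IKE daemon log in a background job so the main loop can keep polling the network state.
$tail = Start-Job -ArgumentList $LogPath, $pattern -ScriptBlock {
    param($path, $pat)
    Get-Content -Path $path -Wait -Tail 0 | Select-String -Pattern $pat | ForEach-Object { $_.Line }
}

$prevAdapters = @(Get-AdapterSnapshot)
$prevRoutes   = @(Get-RouteSnapshot)
Write-Event 'script' "monitoring $LogPath; tracking default routes and routes towards $GatewayIp"
$prevAdapters | ForEach-Object { Write-Event 'nic'   $_ }
$prevRoutes   | ForEach-Object { Write-Event 'route' $_ }

try {
    while ($true) {
        # New IKE log lines since the last pass (DPD, resume, flush, route install, ...).
        Receive-Job $tail | ForEach-Object { Write-Event 'ike' $_ }

        $curAdapters = @(Get-AdapterSnapshot)
        Show-Diff 'nic' $prevAdapters $curAdapters
        $prevAdapters = $curAdapters

        $curRoutes = @(Get-RouteSnapshot)
        Show-Diff 'route' $prevRoutes $curRoutes
        $prevRoutes = $curRoutes

        Start-Sleep -Seconds $PollSeconds
    }
}
finally {
    # Ctrl+C lands here: clean up the background tail job.
    Stop-Job $tail -ErrorAction SilentlyContinue
    Remove-Job $tail -Force -ErrorAction SilentlyContinue
}
```

Run it, then unplug the cable, change SSID, or disable the adapter from the Network Connections panel: the `nic` and `route` lines show what Windows did to the interface and the routing table, and the `ike` lines that follow show whether FortiClient suspended DPD (client-resume) or flushed the tunnel, which makes the disconnected-versus-disabled distinction described above directly observable.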


[Screenshot: One-Liener_IKE-Log_Script.png, output of the one-liner above]


The attached PowerShell script can be used with both IPsec and SSL VPN. It is useful for troubleshooting Layer 3 and OS-related issues of SSL or IPsec dial-up VPN (such as always-up (keep running) or auto-connect behaviour), or a VPN that is stuck in the 'Connecting' state in the FortiClient console GUI.


[Screenshot: ScriptScreen.png, output of the attached script]


Related documents:

Bulletproofing SSL and IPsec Dial-Up VPN ... - Fortinet Community

IKEv2 session resumption 7.4.1 | FortiClient 7.4.0 | Fortinet Document Library

Resuming sessions for IPsec tunnel IKE version 2 7.4.4 | FortiGate / FortiOS 7.4.0 | Fortinet Docume...

DPD example | FortiClient 7.4.2 | Fortinet Document Library
