Description
This article describes why an SSL VPN connection may not get disconnected even after it has been idle for a long time, and how to troubleshoot it.
Solution
Check the current idle-timeout value with:
show full vpn ssl setting | grep "idle-timeout"
The default idle-timeout value is 300 seconds (5 minutes).
To change the idle-timeout value, use the following setting:
config vpn ssl setting
    set idle-timeout <seconds>    <- value from 0 to 259200
end
Check the DNS setting of the SSL VPN: if a local DNS server is configured for SSL VPN, then every DNS query sent through the SSL VPN tunnel will reset the idle-timeout counter.
show full vpn ssl setting | grep "dns server"
Check the remaining idle-timeout value for a user with the following command:
get vpn ssl monitor | grep <user name>
The output will look like this (the "Timeout" column is the idle-timeout counter, in seconds):
get vpn ssl monitor | grep test
SSL VPN Login Users:
Index   User   Auth Type   Timeout   From         HTTP in/out   HTTPS in/out
0       test   1(1)        247       10.5.59.93   0/0           0/0           <<< Timeout column
Index   User   Source IP    Duration   I/O Bytes   Tunnel/Dest IP
0       test   10.5.59.93   121        0/0         10.212.134.200
If the SSL VPN connection is idle, the Timeout value counts down to 0 and the SSL VPN connection from 10.5.59.93 is disconnected.
If the SSL VPN connection is idle but the Timeout value keeps getting reset, run the sniffer to see which traffic is passing through the tunnel:
diagnose sniffer packet any "host <SSLVPN client ip>" 4
Note:
If the SSDP and LLMNR services are enabled on the client Windows PC, Windows will send traffic to the multicast addresses 239.255.255.250 (SSDP) and 224.0.0.252 (LLMNR) on UDP ports 1900 and 5355 respectively. mDNS uses the multicast address 224.0.0.251 on UDP port 5353.
Windows tends to send this multicast traffic out of all active network adapters. As a result, the FortiGate receives SSDP or Link-Local Multicast Name Resolution traffic through the SSL VPN tunnel, and the idle-timeout counter is reset each time.
Traffic towards the firewall from the client PC (sniffer output):
2020-04-22 07:52:08.945712 ssl.root in 10.X.X.X.65160 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:08.945912 ssl.root in 10.X.X.X.53685 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:09.347367 ssl.root in 10.X.X.X.65160 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:09.347617 ssl.root in 10.X.X.X.53685 -> 224.0.0.252.5355: udp 21
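When a capture is long, it helps to let a script count how much of the tunnel traffic is just multicast name-service chatter of the kind shown above. The following Python script is an added example, not part of the original article or any Fortinet tool: it parses FortiGate sniffer lines in the verbosity-4 format shown above, matches the destination address and UDP port against the SSDP, LLMNR and mDNS multicast addresses/ports named in the note, and reports per client how many inbound packets on the tunnel interface would have reset the idle timer. The sample capture embedded in it is constructed (the client tunnel IP 10.212.134.200 is taken from the monitor output above, the other addresses are invented), and the interface name ssl.root is assumed to be the SSL VPN tunnel interface.

```python
import re
from collections import Counter

# Multicast destinations (address, UDP port) that the article names as the
# usual source of traffic keeping an idle tunnel alive.
MULTICAST_NAME_SERVICES = {
    ("239.255.255.250", 1900): "SSDP",
    ("224.0.0.252", 5355): "LLMNR",
    ("224.0.0.251", 5353): "mDNS",
}

# One FortiGate sniffer line at verbosity 4:
#   "<date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+)\s+(?P<len>\d+)$"
)

# Constructed sample capture: three LLMNR, one SSDP, one mDNS packet from the
# VPN client, one ordinary HTTPS packet, and one LLMNR packet on a LAN port
# that must be ignored because it did not arrive through the tunnel.
SAMPLE_CAPTURE = """\
2020-04-22 07:52:08.945712 ssl.root in 10.212.134.200.65160 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:08.945912 ssl.root in 10.212.134.200.53685 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:09.347367 ssl.root in 10.212.134.200.65160 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:10.100000 ssl.root in 10.212.134.200.49152 -> 239.255.255.250.1900: udp 133
2020-04-22 07:52:10.200000 ssl.root in 10.212.134.200.5353 -> 224.0.0.251.5353: udp 80
2020-04-22 07:52:11.000000 ssl.root in 10.212.134.200.52000 -> 10.5.1.10.443: tcp 60
2020-04-22 07:52:12.000000 port1 in 192.0.2.9.40000 -> 224.0.0.252.5355: udp 21
"""


def parse_sniffer_line(line):
    """Return the fields of one sniffer line as a dict, or None if it does not parse."""
    m = SNIFFER_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "len"):
        pkt[key] = int(pkt[key])
    return pkt


def classify(pkt):
    """Name the multicast name service a packet belongs to, or None for other traffic."""
    if pkt["proto"] != "udp":
        return None
    return MULTICAST_NAME_SERVICES.get((pkt["dst"], pkt["dport"]))


def keepalive_report(lines, tunnel_intf="ssl.root"):
    """Count, per SSL VPN client address, the inbound multicast name-service
    packets seen on the tunnel interface. Each of these resets the idle timer.
    Returns {client_ip: Counter({service_name: packet_count})}."""
    report = {}
    for line in lines:
        pkt = parse_sniffer_line(line)
        if pkt is None or pkt["intf"] != tunnel_intf or pkt["dir"] != "in":
            continue
        service = classify(pkt)
        if service is None:
            continue
        report.setdefault(pkt["src"], Counter())[service] += 1
    return report


if __name__ == "__main__":
    for client, counts in keepalive_report(SAMPLE_CAPTURE.splitlines()).items():
        summary = ", ".join(f"{svc}: {n}" for svc, n in sorted(counts.items()))
        print(f"{client} keeps the tunnel alive with {summary}")
```

Feed it the saved output of the sniffer command instead of SAMPLE_CAPTURE; a client whose report shows only SSDP, LLMNR or mDNS packets and no other traffic is the case described in the note, and is the one where disabling those protocols on the client will let the idle timeout trigger.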
The workaround is to disable these protocols (SSDP and LLMNR) on the client PC so that the idle timeout can trigger.
Note: After applying the Group Policy, it may take some time for the changes to take effect on the user devices. The user might need to restart the DNS Client service or even reboot the device for the changes to be fully applied.
Copyright 2024 Fortinet, Inc. All Rights Reserved.