Technical Tip: Auto failover to secondary SSL VPN remote gateway not working in FortiClient

princes · ‎10-21-2024

Description

This article describes that If users are using FortiClient to connect with SSL VPN configured on the FortiGate then have mentioned primary and secondary remote gateway for failover in case the primary goes down. Now in this setup, the control to start SSL negotiation is on the endpoint level (FortiClient).

FortiGate will always respond from the gateway it received SSL negotiation packets on.

Scope

FortiClient.

Solution

This can be verified with a packet sniffer on FortiGate, which only receives traffic from the primary gateway. If the primary gateway goes down it will not do automatic failover (for the free version of FortiClient)

Screenshot 2024-10-21 144044.png

If the primary gateway goes down user needs to change the remote gateway manually .(all free versions of FortiClient)

Here are the workarounds to make this auto-failover for SSL gateway possible:

Take an EMS license so multiple remote gateways can be configured with auto-failover mode.
Manually change the remote gateway each time a failover is required.
Or create a single DDNS instead of multiple IP addresses (those should resolved in any of the active Interface IP addresses on FortiGate).