FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197976


This article describes how to enable the preserve-session-route on SSL VPN from the CLI.


In this configuration, wan1 is the interface that is used on the SSL VPN settings.


config system interface
    edit wan1
        set preserve-session-route enable


CLI option:


<interface_name>          <----- The name of the interface where the user wants to configure how dynamic routing changes affect active sessions running through it.

enable                    <----- All sessions passing through the interface when the routing changes occur, are allowed to finish and are not affected by the routing changes.

disable (default)         <----- When a routing change occurs, the new routing table is applied to the active sessions passing through the interface. The routing changes causes the destinations of the sessions to change.


The benefit of enabling preserve-session-route in such cases:

Depending on SNAT is enabled or disabled, route lookup is done for existing sessions after a routing change.
Usually, sessions that are not SNAT-ed are marked dirty after route change and route lookup happens as per the new routing table.

Preserve Session Route keeps the session on the same interfaces after routing changes, even if the session is not SNAT-ed.



If enabling this preserve-session-route does not resolve the SSL VPN and keep disconnecting, access FortiGate via putty (ssh port 22) then make sure putty is set to log all session and run the following commands:


diag debug reset
diag debug disable
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug en


While this debugging is running reproduce the issue.
Once done reproducing the issue run di de di to stop the debugging then forward the logs to Fortinet TAC by creating a support ticket on