Created on 04-23-2020 02:17 AM
Edited on 03-20-2025 04:50 AM
By Jean-Philippe_P
Description
This article describes how to enable the preserve-session-route on SSL VPN from the CLI.
Scope
FortiGate.
Solution
In this configuration, wan1 is the interface that is used in the SSL VPN settings.
config system interface
    edit wan1
        set preserve-session-route enable
end
CLI options:
<interface_name> <----- The name of the interface on which to configure how dynamic routing changes affect the active sessions running through it.
enable <----- All sessions passing through the interface when a routing change occurs are allowed to finish and are not affected by the routing change.
disable (default) <----- When a routing change occurs, the new routing table is applied to the active sessions passing through the interface. The routing changes cause the destinations of the sessions to change.
The benefit of enabling preserve-session-route in such cases:
Depending on whether SNAT is enabled or disabled, route lookup is done for existing sessions after a routing change.
Usually, sessions that are not SNAT-ed are marked dirty after a route change, and the route lookup is then done against the new routing table.
preserve-session-route keeps the session on the same interfaces after routing changes, even if the session is not SNAT-ed.
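The following added example (not part of the original article or of any Fortinet tooling) checks a saved configuration backup for SSL VPN source interfaces that do not have preserve-session-route enabled. It assumes the usual `config` / `edit` / `next` / `end` layout of a backup file and that the SSL VPN listening interfaces are set with `set source-interface` under `config vpn ssl settings`; the sample text and function names are constructed for illustration.

```python
# Constructed sample laid out like a FortiOS configuration backup (not from the article).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set preserve-session-route enable
    next
    edit "wan2"
        set vdom "root"
    next
end
config vpn ssl settings
    set source-interface "wan1" "wan2"
end
"""


def parse_backup(config_text):
    """Return (preserve-session-route state per interface, SSL VPN source interfaces)."""
    state, listeners = {}, []
    stack, current = [], None  # stack holds the names of the open config blocks
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "end":
            if stack:
                stack.pop()
            if not stack:
                current = None
        elif stack[-1:] == ["system interface"]:
            if tokens[0] == "edit" and len(tokens) > 1:
                current = tokens[1].strip('"')
                state[current] = "disable"  # the article gives disable as the default
            elif tokens[0] == "next":
                current = None
            elif current and len(tokens) > 2 and tokens[:2] == ["set", "preserve-session-route"]:
                state[current] = tokens[2]
        elif stack[-1:] == ["vpn ssl settings"] and tokens[:2] == ["set", "source-interface"]:
            listeners += [t.strip('"') for t in tokens[2:]]
    return state, listeners


def sslvpn_interfaces_without_preserve(config_text):
    """SSL VPN source interfaces where preserve-session-route is not enabled."""
    state, listeners = parse_backup(config_text)
    return [name for name in listeners if state.get(name, "disable") != "enable"]
```

Calling `sslvpn_interfaces_without_preserve()` on the text of a backup file returns the interfaces that still need the setting above; an interface with no `preserve-session-route` line is treated as the default, disable.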
Troubleshoot:
If enabling preserve-session-route does not resolve the issue and the SSL VPN keeps disconnecting, access the FortiGate via PuTTY (SSH port 22), make sure PuTTY is set to log all session output, and run the following commands:
diagnose debug reset
diagnose debug disable
diagnose debug app fnbamd -1
diagnose debug app sslvpn -1
diagnose debug enable
To stop the debug:
diagnose debug disable
While the debug is running, reproduce the issue, then forward the logs to Fortinet TAC by creating a support ticket on support.fortinet.com.
Refer to the following document for additional troubleshooting tips for SSL VPN disconnections: SSL VPN disconnection issues.