Created on 12-14-2023 09:07 PM Edited on 12-14-2023 09:08 PM By Anthony_E
Description
This article describes the behavior of FortiGate SSL VPN sessions after importing an intermediate CA certificate (i.e. a remote CA certificate).

Scope
FortiGate.

Solution
Importing any remote CA certificate to the FortiGate for the first time disconnects all active SSL VPN connections. Re-adding the same remote CA certificate later does not disconnect active SSL VPN connections.
For the demonstration, a FortiGate running v7.4.1 is used, with an endpoint connecting to the SSL VPN using FortiClient VPN-only edition, version 7.0.10:
After generating a CSR on the FortiGate, the certificate is obtained from getacert.com and the local certificate is downloaded. The site's intermediate CA certificate is imported as the remote CA certificate:
Importing the local certificate to the FortiGate does not make the FortiGate disconnect the session (this can be checked in the 'duration' field in FortiClient):
However, importing the remote CA certificate for the first time disconnects the active SSL VPN sessions:
The next attempt to add the same intermediate CA certificate while the endpoint is connected to the SSL VPN does not disconnect the active session. To verify this, reconnect the session, then delete the remote CA certificate (default name CA_Cert_1) and add it again.
Here is an active session after re-connecting to the SSL VPN tunnel:
Re-adding the same R3.crt certificate while an SSL VPN session is active:
After the certificate is imported, the SSL VPN connection is still active:
Copyright 2024 Fortinet, Inc. All Rights Reserved.