Description
This article describes a known limitation of IPsec dialup VPN gateways.
Scope
FortiGate v7 and earlier.
Solution
Currently FortiOS does not support limiting IPsec VPN users to one connection at a time. If the same user authenticates and connects from multiple endpoints, all of those IPsec VPN connections will be maintained simultaneously. The 'auth-concurrent' settings do not apply to VPN users, only to firewall authentication and captive portal authentication. See Technical Tip: 'policy-auth-concurrent' system global command clarified for a description of these settings.
If VPN connections are being maintained for longer than expected with no data traffic (e.g. when the remote endpoint is powered off and not sending any traffic), review the FortiGate's Dead Peer Detection (DPD) configuration. If needed, it is possible to change the default 'On Demand' DPD setting to 'On Idle': with this setting the firewall will probe idle tunnels and eventually close them when no reply or traffic is seen from the endpoint. However, setting DPD to 'On Idle' has a performance cost in large VPN deployments and is not recommended for such environments. See Technical Tip: Explanation of the DPD effect on a dialup IPsec tunnel SA lifetime.
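The DPD change described above, shown as an added CLI illustration that is not part of the original article: the phase1-interface name 'dialup-vpn' is a constructed example, the retry values are example values rather than recommendations, and the '#' lines are annotations, not CLI input.

```text
# Default behaviour: DPD probes are only sent when outbound traffic has no reply
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set type dynamic
        set dpd on-demand
    next
end

# 'On Idle': probe peers that have gone quiet and tear down tunnels that stop answering
# (has a performance cost in large deployments, as noted above)
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set dpd on-idle
        set dpd-retryinterval 20    # seconds between probes (example value)
        set dpd-retrycount 3        # unanswered probes before the SA is removed (example value)
    next
end

# Check which dialup gateways and tunnels remain established afterwards
diagnose vpn ike gateway list
diagnose vpn tunnel list
```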
SSL VPN does offer a setting that limits users to one SSL VPN connection at a time; see Technical Tip: Multiple sessions of SSL VPN users. However, SSL VPN tunnel mode is removed in FortiOS v7.6.3 and it is recommended to migrate to IPsec VPN for remote access. SSL VPN web mode is retained for many models and renamed to Agentless VPN.
Copyright 2026 Fortinet, Inc. All Rights Reserved.