Created on
04-20-2020
10:07 AM
Edited on
08-04-2025
05:54 AM
By
Jean-Philippe_P
Description
This article describes how to limit users to one active SSL VPN connection at a time.
Scope
FortiGate v6.2.6 and above.
Solution
From the FortiGate GUI: VPN -> SSL VPN Portals, edit SSL-VPN Portal and enable: 'Limit Users to One SSL-VPN Connection at a Time'.
Select '[Yes]' and the existing session will be terminated.
Make sure that the policy has the exact group or user as a source matching the authentication rule under SSL VPN settings.
For example :
User 'test1' should be matched with the 'tunnel-access' VPN portal, and it has 'Limit Users to One SSL-VPN Connection at a Time' enabled under it. All other users/groups should be matched with the 'full-access' VPN portal.
The policy sequence order also matters, so make sure to put the user-specified policy on top of the user group policy, as shown in the screenshot below.
If a top policy is not configured and only the second policy is configured, then the SSL VPN limit per connection would not be considered because the connection would be allowed with the second authentication rule from SSL VPN settings and would get matched with the 'full-access' VPN portal instead of the 'tunnel-access' VPN portal. Even if user 'test1' is a part of VPN_Group, the SSL VPN user limit will not be considered.
Note:
Notice that if this feature is enabled but FortiGate is still exhausting the IP address pool, this can be due to an existing defect: '663532' (It is fixed in v6.2.6): 663532: Get no more IP address available error when users connect to SSL VPN after upgrading to 6.2...
If it is hitting this defect, some indexes may be lost and not continuous:
get vpn ssl monitor
Compare the sessions, with which the command line only shows 1 session, while the GUI shows the number of sessions:
diagnose vpn ssl list
If it is hitting the defect, please consider the following actions:
To list all SSL VPN sessions and their index numbers:
execute vpn sslvpn list
To disconnect a tunnel mode user:
execute vpn sslvpn del-tunnel <index>
To disconnect a web mode user:
execute vpn sslvpn del-web <index>
Note:
Starting v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN' as explained in Technical Tip: Upcoming changes on SSL VPN modes starting from v7.6.3.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.