Description | This article describes random or intermittent disconnections of the SSL-VPN tunnel to the FortiGate when connected with FortiClient. |
Scope | FortiGate, FortiClient. |
Solution |
Below are some of the things to keep in mind when working with SSL-VPN disconnection issues:
-> Understand the scope of the issue, i.e. whether all users or some users are having the SSL-VPN disconnection issue.
-> See if there are any applications on the client computer which could conflict with FortiClient (For example Cisco's Anyconnect). Use a test computer in the client's network with no other 3rd party applications if possible.
-> Check the configuration on FortiGate for any traffic shapers applied on the WAN interface, DoS policies, and local-in policies created. Adjust it as per the requirement or disable it while testing.
-> For higher-end units, there could be IPv4 access control lists, which could be checked and disabled for testing.
-> Test with DTLS or TLS connections. Below is an article on how to enable DTLS for SSL-VPN connections. Try disabling it, if already enabled.
-> Look into the crashlogs on the FortiGate. i.e. '# diag debug crashlog read'.
-> Perform basic configuration checks on the FortiGate pertaining to SSL-VPN.
-> See if the end-user is connected using a Wired or Wireless connection on their network. Use a wired connection if possible in the user's network.
-> The issue might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the session to become 'dirty'. To allow multiple interfaces to connect, use the following CLI commands.
If FortiOS 6.0.1 or later is used:
# config system interface
Refer to the below document for more information:
-> If a SSL-VPN tunnel connection is terminated with the log message 'Deleted to make way for another session', then apply the below commands:
# config vpn ssl web portal
Refer to the below document for more information:
-> Authentication Timeout and idle timeout settings could also be checked on the FortiGate:
By default, a SSL-VPN connection logouts after 8 hours due to auth-timeout.
set auth-timeout 28800 end
Default value is 300 seconds (5 minutes). Range: <0> to <259200>.
The auth-timeout is the period of time in seconds that the SSL-VPN will wait before re-authentication is enforced.
A value of 0 indicates no timeout.
Refer to the below document for more information:
-> If the issue is limited to a particular user or a few users, then ask the user or users to use another network (for example mobile hotspot) and see if the issue is reproduced.
-> Some logs/errors in the SSL-VPN logs could be seen with the Reason 'DH lib' and Action 'ssl-exit-error' after the user's connection disconnects and tries to connect again to the SSL-VPN. The tunnel disconnection could be caused due to ISP issues, client-side issues or packets not reaching FortiGate's SSL-VPN process. The error does not necessarily indicate a problem with FortiGate if only 1 user or certain users are having issues. So, a good action plan is useful in determining whether the issue lies on FortiGate or not.
Below are the steps that could be performed, before opening up a ticket with technical support as that would speed up the troubleshooting process and help in finding out the root cause of the issue:
Note. All debugs/sniffers/traffic tests need to be run concurrently and need to have timestamps.
Enable logging of the putty session by following the below document:
1). Enable Debugs on the FortiClient:
2). Go to folder %appdata%\forticlient\logs\trace, get the file like 'sslvpndaemon_x.log'. (Collect the file before and after the disconnection.)
3). Debugs on FortiGate in a SSH session:
# diag deb reset
After collecting logs, disable debug:
# di deb reset
4). Sniffer1 on FortiGate in a SSH session:
# diag sniffer packet <WAN interface name> 'host <Public IP of the user>' 4 0 l
5). Sniffer2 on FortiGate in a SSH session:
# diag sniffer packet <WAN interface name> 'host <Public IP of the user>' 6 0 l
6). From FortiClient machine ping test to FortiGate external interface (timestamp).
# ping -t x.x.x.x|cmd /q /v /c "(pause&pause)>nul & for /l %a in () do (set /p "data=" && echo(!date! !time! !data!)&ping -n 2 x.x.x.x>nul"
7). From FortiClient machine ping test to external IP like the Fortigate's Default Gateway (timestamp).
8). From FortiClient machine ping test to internal unit through the tunnel like a server (timestamp).
# ping -t a.a.a.a|cmd /q /v /c "(pause&pause)>nul & for /l %a in () do (set /p "data=" && echo(!date! !time! !data!)&ping -n 2 a.a.a.a>nul"
9). Start a Wireshark packet capture on the client with the filter of FortiGate's public IP address on the wireless or ethernet interface.
10). Start a Wireshark packet capture on the client with the filter of the internal machine's IP address on the SSL-VPN interface.
11). Sniff the ICMP packets on FortiGate for the internal machine's IP address that was started in step 8.
12). Go to C:\ProgramFiles\Fortinet\FortiClient\logs\trace and collect the file like 'sslvpndaemon_x.log'
13). Once the connection drop occurs, then collect & attach the debug/sniffers, SSLVPN logs & System Event Logs from FortiGate, ask the client to note downtime if the issue occurs.
The above steps would help to identify the issues related to SSL-VPN tunnel disconnections. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.