| Description |
This article describes how some mobile internet providers (4G/5G) use one IP address during the VPN authentication phase and then switch to a different IP address after authentication, causing FortiGate to terminate the connection. This behavior is commonly observed on Android devices. |
| Scope | FortiGate. |
| Solution |
With some mobile internet providers (4G/5G), such as the scenario observed with the Vivo carrier, the client's public IP address may change during the SSL VPN authentication process. By default, FortiGate verifies that the source IP address remains unchanged during the entire authentication session (auth-session-check-source-ip).
When this IP change occurs after the initial authentication, FortiGate detects a mismatch between the current source IP and the IP recorded at the beginning of the session. This inconsistency triggers the 'source IP check failed' error, causing the VPN connection to be terminated a few seconds after being established, even when the credentials are valid.
On Android devices, the following error is displayed during the authentication process: 'Error: Revoked by Android: REBOOT!'
To resolve this issue and allow authentication even if the session token presents a different source IP, disable the source IP check for SSL VPN connections by running the following commands in the FortiGate CLI:

    config vpn ssl settings
        set auth-session-check-source-ip disable
    end

Disabling the auth-session-check-source-ip parameter does not affect the authentication process or the SSL VPN encryption mechanisms. This change simply allows FortiGate to stop enforcing source IP consistency during the authentication phase, improving compatibility with mobile networks. |
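
With the check disabled, FortiGate no longer rejects a session whose source IP changes, so it is useful to review afterwards which sessions did change IP between authentication and tunnel establishment. The following Python script is an added example, not part of the original article or Fortinet tooling; the log lines are constructed, and the field names (`user`, `remip`, `action`) and action values are assumptions to be mapped to your own SSL VPN event log export.

```python
import re

# Constructed sample events in key=value form. Field names and action values
# are assumptions for this example, not a documented FortiGate log schema.
SAMPLE_LOG = '''\
time=10:00:01 user="alice" remip=203.0.113.10 action="ssl-login"
time=10:00:03 user="alice" remip=203.0.113.10 action="tunnel-up"
time=10:05:11 user="bob" remip=198.51.100.7 action="ssl-login"
time=10:05:13 user="bob" remip=198.51.100.99 action="tunnel-up"
time=10:09:40 user="carol" remip=192.0.2.44 action="tunnel-up"
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def find_ip_changes(log_text, login="ssl-login", established="tunnel-up"):
    """Return (user, login_ip, tunnel_ip, time) for each tunnel whose source IP
    differs from the IP seen at login, or that has no login event at all."""
    last_login_ip = {}
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, ip, action = ev.get("user"), ev.get("remip"), ev.get("action")
        if not (user and ip and action):
            continue  # skip lines missing the fields we rely on
        if action == login:
            last_login_ip[user] = ip
        elif action == established:
            auth_ip = last_login_ip.pop(user, None)
            if auth_ip is None:
                # Tunnel with no preceding login in this window: report it too
                findings.append((user, None, ip, ev.get("time")))
            elif auth_ip != ip:
                findings.append((user, auth_ip, ip, ev.get("time")))
    return findings

if __name__ == "__main__":
    for user, auth_ip, tun_ip, when in find_ip_changes(SAMPLE_LOG):
        print(f"{when} {user}: authenticated from {auth_ip}, tunnel from {tun_ip}")
```

Findings for known mobile-carrier users are expected after this change; findings for other users, or IPs outside the carrier's ranges, are the ones worth reviewing.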
Copyright 2026 Fortinet, Inc. All Rights Reserved.