FortiSASE
sjoshi
Staff
Article Id 392905
Description

 

This article describes what happens when a user's password is changed or expires while the user is connected to the FortiSASE VPN, and why the existing session stays up until the user disconnects or is made to reauthenticate.

 

Scope

 

FortiSASE.

 

Solution

 

It is expected that an established user session remains active after the password is reset, because the password is validated only during the initial login (the IKE authentication that brings the tunnel up). Once the tunnel is established, FortiSASE does not continuously re-validate the credentials against the identity source. The new password is only checked at the next authentication attempt, that is, after the session is disconnected and the user reconnects.

 

The timeout behavior for IPsec remote dial-up VPN connections is governed by the key lifetime (keylife) and the reauth setting configured under Phase 1.


When reauth is disabled, the FortiGate and FortiClient automatically rekey the IPsec Phase 1 (IKE) security association as the key lifetime nears expiration. In this mode the tunnel stays up across the rekey without prompting the user to reauthenticate or to re-enter an MFA token, so the credentials are never re-checked. When reauth is enabled, the user is instead prompted for credentials (and MFA, if configured) at each key lifetime expiry.
In FortiSASE, reauth is disabled by default. As a result, even after the key lifetime expires the tunnel continues to operate, and the user is not prompted for credentials unless the session is disconnected. A password reset (or expiry) therefore does not terminate an active session; it only prevents the next login with the old password.

 

config vpn ipsec phase1-interface
    edit "default-ipsec"
        set type dynamic
        set interface "port1"
        set reauth disable
        set keylife 86400
    next
end
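The following is an added illustrative model of the behavior described above; it is not FortiSASE or FortiOS code. It walks a dial-up session through a mid-session password reset and two key lifetime expiries, once with the default reauth disabled and once with reauth enabled, so the difference between "rekey silently" and "re-validate the user" is visible. The identity store, user name, passwords and timings are constructed sample data; with reauth enabled the model assumes the client re-presents whatever password the prompt returns.

```python
"""Illustrative model (added example, not FortiSASE/FortiOS code) of an IPsec
dial-up Phase 1 session whose user has their password reset mid-session,
under 'set reauth disable' versus 'set reauth enable'.
All names, timings and sample credentials below are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Directory:
    """Stand-in for the identity source (constructed data)."""
    passwords: dict

    def check(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password


@dataclass
class Phase1Session:
    user: str
    password_at_login: str      # what the client authenticated with
    keylife: int                # seconds, as in 'set keylife 86400'
    reauth: bool                # True models 'set reauth enable'
    established_at: int
    rekeys: int = 0
    up: bool = True
    log: list = field(default_factory=list)


def connect(directory: Directory, user: str, password: str, now: int,
            keylife: int = 86400, reauth: bool = False) -> Optional[Phase1Session]:
    """Credentials are validated only here, at the initial IKE authentication."""
    if not directory.check(user, password):
        return None
    return Phase1Session(user, password, keylife, reauth, established_at=now)


def tick(session: Phase1Session, directory: Directory, now: int,
         prompt: Optional[Callable[[], str]] = None) -> Phase1Session:
    """Advance the clock. At key lifetime expiry either rekey without touching
    the identity source (reauth disabled) or prompt and re-validate (reauth
    enabled). 'prompt' models the user's answer; default is the cached password."""
    if not session.up or now - session.established_at < session.keylife:
        return session
    session.established_at = now
    if not session.reauth:
        session.rekeys += 1
        session.log.append(f"{now}: rekey, credentials not re-checked")
        return session
    answer = prompt() if prompt else session.password_at_login
    if directory.check(session.user, answer):
        session.log.append(f"{now}: reauth ok")
    else:
        session.up = False
        session.log.append(f"{now}: reauth failed, tunnel torn down")
    return session


def scenario(reauth: bool, prompt: Optional[Callable[[], str]] = None) -> dict:
    """Login, password reset by the helpdesk, two keylife expiries, then a
    fresh login attempt with the old password. Returns the observable outcome."""
    d = Directory({"alice": "Winter2024!"})        # constructed sample data
    s = connect(d, "alice", "Winter2024!", now=0, reauth=reauth)
    d.passwords["alice"] = "Spring2025!"            # reset while connected
    tick(s, d, now=3600, prompt=prompt)             # inside keylife: no-op
    tick(s, d, now=86400, prompt=prompt)            # first keylife expiry
    tick(s, d, now=2 * 86400, prompt=prompt)        # second keylife expiry
    again = connect(d, "alice", "Winter2024!", now=3 * 86400, reauth=reauth)
    return {
        "still_up_after_two_keylives": s.up,
        "rekeys": s.rekeys,
        "old_password_works_on_reconnect": again is not None,
        "log": s.log,
    }


if __name__ == "__main__":
    for r in (False, True):
        print("reauth enabled" if r else "reauth disabled", scenario(r))
```

With reauth disabled (the FortiSASE default) the session survives both key lifetime expiries with two silent rekeys, and only the reconnect with the old password fails; with reauth enabled the first expiry prompts the user, the stale password is rejected and the tunnel is torn down. Supplying a `prompt` that returns the new password shows the other side of reauth enabled: the user keeps the session by typing the current credentials.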