Best practices for auth-timeout and idle-timeout in sslvpn
Which are the best practices for the sslvpn timeout settings you are using?
My problem is that when an SSLVPN is disconnected due to a line problem (and not by the user), the VPN cannot reconnect before the idle-timeout.
The CLI user guide states:
"When you configure the timeout settings, if you set the authentication timeout (auth-timeout) to 0, then the remote client does not have to re-authenticate again unless they log out of the system. In order to fully take advantage of this setting, the value for idle-timeout has to be set to 0 also, so the client does not timeout if the maximum idle time is reached. If the idle-timeout is not set to the infinite value, the system will log out if it reaches the limit set, regardless of the auth-timeout setting."
But will this configuration work in case of a disconnect due to a line issue and not by the user?
Without the idle-timeout my idea is that the session will not time out, so the user will not be able to connect anymore.
Many thanks.
Federico
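To make the interaction of the two timers from the quoted CLI guide concrete, here is an added example (not from the thread and not Fortinet code) that models the rules exactly as the guide states them: a non-zero idle-timeout logs the session out regardless of auth-timeout, and 0 disables a timer. The line-drop helper assumes, as the question does, that the client can reconnect only once the stale server-side session has expired; the 28800/900 values are the defaults quoted later in the thread.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SslVpnTimeouts:
    """Timeouts in seconds, with the semantics quoted from the CLI guide:
    auth_timeout == 0 -> client never has to re-authenticate unless it logs out,
    idle_timeout == 0 -> session never expires for inactivity."""
    auth_timeout: int
    idle_timeout: int


# Constructed configurations: the FortiOS defaults and the 0/0 variant from the guide.
DEFAULTS = SslVpnTimeouts(auth_timeout=28800, idle_timeout=900)
NEVER_EXPIRE = SslVpnTimeouts(auth_timeout=0, idle_timeout=0)


def session_state(cfg: SslVpnTimeouts, login_at: int, last_activity_at: int, now: int) -> str:
    """Return 'active', 'idle-timeout' or 'auth-timeout' for a session at time `now`.
    Rule 1: a non-zero idle-timeout logs the session out once the last activity is older
            than the limit, regardless of the auth-timeout setting.
    Rule 2: otherwise a non-zero auth-timeout forces re-authentication once the login is
            older than the limit."""
    if cfg.idle_timeout and now - last_activity_at >= cfg.idle_timeout:
        return "idle-timeout"
    if cfg.auth_timeout and now - login_at >= cfg.auth_timeout:
        return "auth-timeout"
    return "active"


def earliest_reconnect(cfg: SslVpnTimeouts, login_at: int, drop_at: int) -> Optional[int]:
    """Line failure at `drop_at` (no logout, so last activity stays at drop_at).
    Assumption from the question: a new tunnel is accepted only after the stale session
    has expired. Returns that time, or None when both timers are 0 (never expires)."""
    candidates = []
    if cfg.idle_timeout:
        candidates.append(drop_at + cfg.idle_timeout)
    if cfg.auth_timeout:
        candidates.append(login_at + cfg.auth_timeout)
    return min(candidates) if candidates else None


def can_reconnect(cfg: SslVpnTimeouts, login_at: int, drop_at: int, retry_at: int) -> bool:
    """True when a retry at `retry_at` no longer collides with an active stale session."""
    return session_state(cfg, login_at, drop_at, retry_at) != "active"
```

With the defaults a line drop one hour after login blocks reconnects for 15 minutes, while the 0/0 configuration never releases the stale session under this model, which is exactly the concern raised in the question.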
3 REPLIES 3
Try it. Set up a laptop, connect in, then pull the wire. See if you have to re-authenticate.
I meant pull the wire to the laptop... ;)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Testing in production with an average of 50 users can lead to at least two scenarios:
- the configuration works: after being disconnected (when you change the ssl vpn settings, tunnels are restarted) all the users reconnect at first retry.
All will be happy.
- the configuration doesn't work as expected: I'll have 50 users unable to connect since the sessions were disconnected at the firewall side.
After some retries the client won't reconnect even if the "keep connection alive .." option is on.
At this point I'll not be able to say if the issue is with idle-timeout or auth-timeout, so I'll have to go back to the old configuration, without being able to say what happened ...
Since we cannot say that FGT Q&A is always the best (otherwise we would all be running the latest firmware ..) I prefer to see if someone is using this configuration and if someone has some experience with this item.
Many thanks.
Federico
Hi!
Do you have problems with the VPN or are you just thinking about it?
I have the default values:
auth-timeout 28800 = 8 hours
idle-timeout 900 = 15 min
When I connect with the SSL-VPN client and pull the (WLAN) wire, the client loses the connection after ~30 seconds. When I reconnect the WLAN, I can reconnect immediately (by pressing the Connect button).
I cannot say what's happening after 8 hours - never tested.
br Bernhard
FGT 60C