FortiClient - disconnect/reconnect issue
Hi,
Has anyone encountered the situation where a user disconnects from idle-timeout (300s) and the "Reconnecting" just keeps happening after a good couple of seconds (about 60s), with lots of logs with "SSL web application blocked"?
FGT: 7.0.15 and FCT 7.2.4 (other FCT versions also have this issue)
The sslvpn configuration looks like this (some lines have been left out):
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set banned-cipher CAMELLIA 3DES SHA1 STATIC
    set ssl-client-renegotiation enable
    set auth-timeout 43200
    set login-attempt-limit 3
    set login-block-time 300
    set idle-timeout 300
    set login-timeout 120
    set dtls-hello-timeout 30
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN"
            set portal "tunnel-access"
        next
    end
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 60
end
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set forticlient-download disable
        set save-password enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "no-access"
        set forticlient-download disable
    next
end
I also replaced the default SSLVPN login page available from the Internet with an empty page that has a custom page title:
config system replacemsg-group
    edit "default"
        set comment "Default replacement message group."
        config sslvpn
            edit "sslvpn-login"
                set buffer "<!DOCTYPE html><html lang=\"en\" class=\"main-app\"> <head> <meta charset=\"UTF-8\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=8; IE=EDGE\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <link href=\"/css/main-blue.css\" rel=\"stylesheet\" type=\"text/css\"> <title> Invalid page </title> </head> <body> <div class=\"view-container\"> <form class=\"prompt\" action=\"%%SSL_ACT%%\" method=\"%%SSL_METHOD%%\" name=\"f\" autocomplete=\"off\"> </form> </div> </body></html>"
                set header http
                set format html
            next
        end
    next
end
Action: ssl-web-deny
Reason: unknown
Tunnel Type: ssl-web
Message: SSL web application blocked
Labels: FortiClient, FortiGate
Hi @funkylicious
Try to modify the login timeout and dtls-hello-timeout:
config vpn ssl settings
    set login-timeout 180
    set dtls-hello-timeout 60
end
Please review the following articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enhance-SSL-VPN-Performance-with-DTLS-Prot...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Common-SSL-VPN-problems-and-their-so...
BR
Hi,
I will try them, but for now we have increased the idle-timeout so it never disconnects the users; I will try them too if needed.
I was curious about the logs and why they were present during the reconnect.
Thanks.
