funkylicious
SuperUser

FortiClient - disconnect/reconnect issue

Hi,


Has anyone encountered the situation where a user is disconnected by the idle-timeout (300s), the Reconnecting just keeps happening for a good couple of seconds (about 60s), and there are lots of logs with "SSL web application blocked"?

FGT: 7.0.15 and FCT 7.2.4 (other FCT versions also have this issue)

The sslvpn configuration looks like this (some lines have been left out):


config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set banned-cipher CAMELLIA 3DES SHA1 STATIC
    set ssl-client-renegotiation enable
    set auth-timeout 43200
    set login-attempt-limit 3
    set login-block-time 300
    set idle-timeout 300
    set login-timeout 120
    set dtls-hello-timeout 30
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN"
            set portal "tunnel-access"
        next
    end
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 60
end

config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set forticlient-download disable
        set save-password enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "no-access"
        set forticlient-download disable
    next
end

I also replaced the default SSLVPN login page available from the Internet with an empty page that has a custom page title:

config system replacemsg-group
    edit "default"
        set comment "Default replacement message group."
        config sslvpn
            edit "sslvpn-login"
                set buffer "<!DOCTYPE html><html lang=\"en\" class=\"main-app\"> <head> <meta charset=\"UTF-8\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=8; IE=EDGE\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <link href=\"/css/main-blue.css\" rel=\"stylesheet\" type=\"text/css\"> <title> Invalid page </title> </head> <body> <div class=\"view-container\"> <form class=\"prompt\" action=\"%%SSL_ACT%%\" method=\"%%SSL_METHOD%%\" name=\"f\" autocomplete=\"off\"> </form> </div> </body></html>"
                set header http
                set format html
            next
        end
    next
end

Action	ssl-web-deny
Reason	unknown

Tunnel Type	ssl-web
Message	SSL web application blocked

"jack of all trades, master of none"
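To separate the "SSL web application blocked" entries that appear only while the client is reconnecting from denies that have no disconnect behind them, the following Python script (an added example, not part of the original post and not a Fortinet tool) parses FortiGate-style key="value" log lines and links each ssl-web-deny event to the most recent tunnel-down event for the same user and source address within a configurable window. The action, reason, tunneltype and msg values come from the thread; the date, time, user and remip field names, the tunnel-down action string, and every sample line are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines in FortiGate key="value" style.
# action/reason/tunneltype/msg values match the thread; everything else
# (dates, times, user names, addresses, the tunnel-down line) is made up.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="alice" remip="203.0.113.10" msg="SSL tunnel shutdown"
date=2024-05-01 time=09:00:07 type="event" subtype="vpn" action="ssl-web-deny" reason="unknown" tunneltype="ssl-web" user="alice" remip="203.0.113.10" msg="SSL web application blocked"
date=2024-05-01 time=09:00:19 type="event" subtype="vpn" action="ssl-web-deny" reason="unknown" tunneltype="ssl-web" user="alice" remip="203.0.113.10" msg="SSL web application blocked"
date=2024-05-01 time=09:00:31 type="event" subtype="vpn" action="ssl-web-deny" reason="unknown" tunneltype="ssl-web" user="alice" remip="203.0.113.10" msg="SSL web application blocked"
date=2024-05-01 time=09:00:43 type="event" subtype="vpn" action="ssl-web-deny" reason="unknown" tunneltype="ssl-web" user="alice" remip="203.0.113.10" msg="SSL web application blocked"
date=2024-05-01 time=09:05:00 type="event" subtype="vpn" action="ssl-web-deny" reason="unknown" tunneltype="ssl-web" user="alice" remip="203.0.113.10" msg="SSL web application blocked"
date=2024-05-01 time=10:15:00 type="event" subtype="vpn" action="ssl-web-deny" reason="unknown" tunneltype="ssl-web" user="bob" remip="198.51.100.7" msg="SSL web application blocked"
"""

# key=value pairs; the value is either double-quoted (may contain spaces)
# or a bare token without whitespace.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key="value" log line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def event_time(fields):
    """Combine the date and time fields into a datetime (assumed field names)."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def classify_denies(log_text, window_s=60):
    """Split ssl-web-deny events into reconnect noise and unexplained denies.

    A deny is treated as reconnect noise when the same (user, remip) had a
    tunnel-down event at most window_s seconds earlier; the 60 s default
    mirrors the reconnect duration reported in the thread.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=event_time)
    last_down = {}  # (user, remip) -> time of the most recent tunnel-down
    noise, unexplained = [], []
    for ev in events:
        key = (ev.get("user"), ev.get("remip"))
        t = event_time(ev)
        if ev.get("action") == "tunnel-down":
            last_down[key] = t
        elif ev.get("action") == "ssl-web-deny":
            down = last_down.get(key)
            if down is not None and timedelta(0) <= t - down <= timedelta(seconds=window_s):
                noise.append(ev)
            else:
                unexplained.append(ev)
    return {"reconnect_noise": noise, "unexplained": unexplained}


def summarize(result):
    """Per-user counts for each category, handy for a quick triage view."""
    return {cat: dict(Counter(ev["user"] for ev in evs)) for cat, evs in result.items()}


if __name__ == "__main__":
    summary = summarize(classify_denies(SAMPLE_LOGS))
    for category, per_user in summary.items():
        print(f"{category}: {per_user}")
```

Denies that fall inside the window right after a tunnel-down are the ones a reconnecting client produces; the remaining entries (here alice's deny five minutes later and bob's deny with no preceding disconnect) are the ones worth looking at, because they show a client touching the web portal outside a reconnect.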
ndumaj
Staff

Hi @funkylicious 

Try to modify the login timeout and dtls-hello-timeout:

config vpn ssl settings
    set login-timeout 180
    set dtls-hello-timeout 60
end

Please review the following articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enhance-SSL-VPN-Performance-with-DTLS-Prot...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Common-SSL-VPN-problems-and-their-so...

BR

- Happy to help, hit like and accept the solution -
funkylicious

Hi,
I will try them, but for now we have increased the idle-timeout so it never disconnects the users; I will also try them if needed.

I was curious about the logs and why they were present during the reconnect.

Thanks.

"jack of all trades, master of none"