stukat
New Contributor

Keep alive

I am using SSL-VPN (FortiClient 5.0.7.333) with a 100D. It is still in its testing phase and I have had several users complain about the tunnel dropping. My understanding from them is that their sessions were active when this happened. I went into the FortiGate, Endpoint Protection, FortiClient Profiles, and verified that keepalive is set to 180000 seconds. Can I do anything else to ensure that the tunnel remains up & active regardless of (in)activity?

<endpoint_control>
    <enabled>1</enabled>
    <!--keepalive timeout in seconds-->
    <keepalive_timeout>1800000</keepalive_timeout>
    <custom_ping_server />
    <offnet_update>1</offnet_update>
emnoc
Esteemed Contributor III

What do you have configured for SSL inactivity timers? It might be as simple as setting the timer to "0", but that might not be wise in a high count env, e.g.

config vpn ssl settings
    set sslvpn-enable enable
    set sslv3 enable
    set dns-server1 0.0.0.0
    set dns-server2 0.0.0.0
    set route-source-interface disable
    set reqclientcert disable
    set sslv2 disable
    set force-two-factor-auth disable
    set force-utf8-login disable
    set servercert "self-sign"
    set algorithm default
    set idle-timeout 300    <--change this to "0"
    set auth-timeout 28800
    set tunnel-ip-pools "SSLVPN-P-TUN-0"
    set portal-heading ''
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set url-obscuration disable
    set http-compression disable
end

PCNSE NSE StrongSwan
stukat
New Contributor

I anticipate fewer than 50 connections at any given time. I have made the change to the idle-timeout and am hopeful this will resolve the issue. Thanks for your help.
stukat
New Contributor

I tested it last night and while the VPN was up I noticed that the times only showed 34 minutes. It should have been up about 7 hours. I gather it dropped and reconnected. I also added the "always up" command to the VPN. Is this necessary?
emnoc
Esteemed Contributor III

Yes, that should be okay, and you can check the logs for the last vpn ssl-establishments to confirm. Also, the FortiClient has a setting worded such as "Keep connection alive until manually stop". You should review the client's FortiClient settings.

PCNSE NSE StrongSwan
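
Added example, not part of the thread: one way to confirm from exported event logs whether an SSL-VPN tunnel dropped and reconnected, as the last reply suggests checking. The key=value field names (action=tunnel-up/tunnel-down, tunneltype=ssl-tunnel, reason) and the sample lines are assumptions constructed for illustration; adjust them to the log export of your FortiOS version.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread); field names are assumptions.
SAMPLE_LOG = """\
date=2014-05-01 time=22:00:00 type=event subtype=vpn action=tunnel-up tunneltype=ssl-tunnel user="jdoe"
date=2014-05-01 time=23:00:00 type=event subtype=vpn action=tunnel-up tunneltype=ssl-tunnel user="asmith"
date=2014-05-01 time=23:30:00 type=event subtype=system action=login user="admin"
date=2014-05-01 time=23:45:00 type=event subtype=vpn action=tunnel-down tunneltype=ssl-tunnel user="asmith" reason="user logout"
date=2014-05-02 time=04:26:00 type=event subtype=vpn action=tunnel-down tunneltype=ssl-tunnel user="jdoe" reason="idle timeout"
date=2014-05-02 time=04:26:20 type=event subtype=vpn action=tunnel-up tunneltype=ssl-tunnel user="jdoe"
date=2014-05-02 time=05:00:20 type=event subtype=vpn action=tunnel-down tunneltype=ssl-tunnel user="jdoe" reason="user logout"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def ssl_sessions(log_text):
    """Pair tunnel-up/tunnel-down events per user into (user, start, end, reason)."""
    open_since, sessions = {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("tunneltype") != "ssl-tunnel":
            continue  # skip non-SSL-VPN events and blank lines
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        user = ev.get("user", "?")
        if ev.get("action") == "tunnel-up":
            open_since[user] = ts
        elif ev.get("action") == "tunnel-down" and user in open_since:
            sessions.append((user, open_since.pop(user), ts, ev.get("reason", "")))
    return sessions

def reconnects(sessions, window=timedelta(minutes=2)):
    """Return (user, dropped_at, gap) for sessions that start soon after a drop."""
    found, last_end = [], {}
    for user, start, end, _ in sorted(sessions, key=lambda s: s[1]):
        if user in last_end and start - last_end[user] <= window:
            found.append((user, last_end[user], start - last_end[user]))
        last_end[user] = end
    return found

if __name__ == "__main__":
    found = ssl_sessions(SAMPLE_LOG)
    for user, start, end, reason in found:
        print(f"{user}: up {start}, down {end}, lasted {end - start}, reason={reason!r}")
    print("drop-and-reconnect:", reconnects(found))
```

A short final session that begins seconds after an earlier tunnel-down is the pattern behind a client showing 34 minutes of uptime after an overnight connection.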