-FGT 200E
-Firmware v6.0.2 build0163 (GA)
Auth-timeout had been set to 2 hours (don't ask...) and was working fine. Change was made to make it 6 hours. Done. Worked fine for 2-3 days. Now it's not applying at all. Changed it from 21600 -> 21500 to see if updating it would make a difference. It didn't. Any thoughts? Troubleshooting steps I can take?
config vpn ssl settings
    set servercert "MYCERT"
    set auth-timeout 21500
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 xxx.xxx.xxx.xxx
    set dns-server2 xxx.xxx.xxx.xxx
    set source-interface "port3"
    set source-address "VPN_Allow_CDN" "VPN_Allow_USA"
    set default-portal "web-access"
Try this a couple of times. The first line is showing the active SSL VPN user ("tesumi" is my login name). The second line is showing the same user's session information. Focus on the 4th column. The number on the first line is "timeout", which is counting down, and the number on the second line is "duration", which is counting up. If I add them together, 23166 + 5634 = 28800, I get the 8h default value of the auth-timer every time. Do you see some odd numbers showing up? Or what happens after 6h when the timer is supposed to time out?
xxx-fg2 (corp) # get vpn ssl monitor | grep tesumi
86 tesumi 8(1) 23166 xx.xxx.xx.xx 0/0 0/0
86 tesumi xx.xxx.xx.xx 5634 3361024/26394207 yy.yy.yy.y
xxx-fg2 (corp) # get vpn ssl monitor | grep tesumi
86 tesumi 8(1) 23164 xx.xxx.xx.xx 0/0 0/0
86 tesumi xx.xxx.xx.xx 5636 3361024/26394249 yy.yy.yy.y
36 username 2(1) 293 x.x.x.x 0/0 0/0
36 username x.x.x.x 12158 22607048/207823406 10.212.0.38
So that doesn't add up right. 293+12158 = 12451. Not the auth-timeout I have set nor is it disconnecting at that time. When 6 hours is reached, nothing happens, they stay connected.
Then I tried another user and the times seem to be jumping both ways???
FG200E(VPN) # get vpn ssl monitor | grep user2
18 user2 2(1) 287 x.x.x.x 0/0 0/0
18 user2 x.x.x.x 14088 24612803/70822185 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
18 user2 2(1) 287 x.x.x.x 0/0 0/0
18 user2 x.x.x.x 14088 24612803/70822185 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
18 user2 2(1) 300 x.x.x.x 0/0 0/0
18 user2 x.x.x.x 14089 24612847/70822456 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
18 user2 2(1) 300 x.x.x.x 0/0 0/0
18 user2 x.x.x.x 14089 24612847/70822456 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
18 user2 2(1) 295 x.x.x.x 0/0 0/0
18 user2 x.x.x.x 14094 24612936/70822676 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
18 user2 2(1) 290 x.x.x.x 0/0 0/0
18 user2 x.x.x.x 14099 24613209/70822718 10.212.0.20
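The arithmetic check tesumi describes (timeout counting down plus duration counting up should equal the auth-timeout the box is actually applying) and the sums the original poster works out by hand can be scripted so it runs over the whole `get vpn ssl monitor | grep <user>` output at once. The block below is an added example, not code from this thread or from Fortinet. It assumes the two-line-per-session layout visible in the thread's redacted output (login-user line with the `N(1)` auth-type token and the timeout; session line with the duration and tunnel IP at the end), and the sample text is constructed from those redacted lines.

```python
import re
from collections import defaultdict

# Constructed sample: redacted lines copied from this thread. Because the output
# was grepped, the column headers are absent. Login-user lines carry the
# auth-type token like "8(1)" followed by the timeout (counting down); session
# lines carry the duration (counting up) and end with the tunnel IP.
SAMPLE = """\
86 tesumi 8(1) 23166 xx.xxx.xx.xx 0/0 0/0
86 tesumi xx.xxx.xx.xx 5634 3361024/26394207 yy.yy.yy.y
36 username 2(1) 293 x.x.x.x 0/0 0/0
36 username x.x.x.x 12158 22607048/207823406 10.212.0.38
18 user2 2(1) 287 x.x.x.x 0/0 0/0
18 user2 x.x.x.x 14088 24612803/70822185 10.212.0.20
"""

# Assumed column layout (from the thread's output, headers stripped by grep):
#   login line:   index user authtype(n) timeout  from-ip  http-in/out https-in/out
#   session line: index user from-ip     duration io-bytes tunnel-ip
LOGIN_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\d+\(\d+\)\s+(\d+)\s+(\S+)\s+\d+/\d+\s+\d+/\d+\s*$"
)
SESSION_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+\d+/\d+\s+(\S+)\s*$"
)


def parse_monitor(text):
    """Pair login-user and session lines by (index, user).

    Returns {(index, user): {"timeout": int, "duration": int}}; a key may be
    missing one field if only one of its two lines was present in the input.
    """
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            idx, user, timeout, _src = m.groups()
            sessions[(int(idx), user)]["timeout"] = int(timeout)
            continue
        m = SESSION_RE.match(line)
        if m:
            idx, user, _src, duration, _tunnel = m.groups()
            sessions[(int(idx), user)]["duration"] = int(duration)
    return dict(sessions)


def check_auth_timeout(sessions, configured, tolerance=0):
    """Compare timeout + duration per session with the configured auth-timeout.

    The sum is the auth-timeout the unit is really enforcing for that session
    (28800 = 8h default). 'matches' is False when it differs from the value in
    'config vpn ssl settings' by more than 'tolerance' seconds.
    """
    report = {}
    for key, s in sessions.items():
        if "timeout" not in s or "duration" not in s:
            continue  # incomplete pair, nothing to compare
        total = s["timeout"] + s["duration"]
        report[key] = {
            "timeout": s["timeout"],
            "duration": s["duration"],
            "sum": total,
            "matches": abs(total - configured) <= tolerance,
        }
    return report


if __name__ == "__main__":
    # 21500 is the value from the original poster's config above.
    for (idx, user), r in check_auth_timeout(parse_monitor(SAMPLE), 21500).items():
        status = "OK" if r["matches"] else "MISMATCH"
        print(f"{idx:>3} {user:<10} timeout={r['timeout']:>6} "
              f"duration={r['duration']:>6} sum={r['sum']:>6} {status}")
```

Run it with the grepped output of every logged-in user pasted into `SAMPLE` (or read from stdin). A session whose sum is 28800 while the config says 21600/21500 shows, as in tesumi's case, that the default 8h timer is what the unit is enforcing; sums that are neither the configured value nor 28800, like the 12451 and 14375 in the original poster's output, are the "doesn't add up" cases worth attaching to a TAC ticket.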
Sounds like a bug to me. I would either look for a bug fix in all release notes from 6.0.3 to 6.0.9, or simply upgrade to one of those, if you can't wait for TAC to research it after opening a ticket.
If the setting was working fine previously, you need to check DNS and SSL certificate validation.
Copyright 2024 Fortinet, Inc. All Rights Reserved.