We are having an issue with our FortiClient users not reconnecting after a brief network drop on their home internet. If they have a quick drop, we measured it at about 10 sec, the VPN will reconnect/stay alive. But if they drop their internet for more than that it prompts them to login again. This causes issues with open files on the network shares and is inconvenient to the end user.
I believe we have the auto reconnect setup properly in the FortiClient EMS Cloud (needed to modify XML according to Fortinet support) and we have the FortiGate 200E setup to allow the auto reconnect.
I've searched and searched for a solution but haven't been able to resolve it. I should note that we are using DUO for MFA, not sure if that is a factor in it.
Asking for any insight. I've included the current SSL settings on the firewall.
Thanks,
David
FortiOS 7.0.9
FortiClient 7.0.7
FortiGate 200E
# config vpn ssl setting
(settings) # get
status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
banned-cipher :
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : <*removed for security*>
algorithm : high
idle-timeout : 28800
auth-timeout : 79200
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 30
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix : mfbonline.com
dns-server1 : <*removed for security*>
dns-server2 : <*removed for security*>
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : <*removed for security*>
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "WAN"
source-address : "US_ONLY"
source-address-negate: disable
source-address6 :
source-address6-negate: disable
default-portal : web-access
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dual-stack-mode : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port : <*removed for security*>
web-mode-snat : disable
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0
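An added checker (not from this thread and not Fortinet's code) that parses the pasted "get" output and reports the settings that bear on reconnect behaviour and TLS hygiene. It assumes the FortiOS meaning of tunnel-connect-without-reauth (allow a client whose tunnel dropped to rejoin without authenticating again) and treats tls1-0/tls1-1 as deprecated minimum versions; the sample input is a constructed excerpt of the output above.

```python
import re

# Constructed excerpt of the "get" output under "config vpn ssl settings";
# only the keys the checks below read are kept, values as posted.
SAMPLE_GET_OUTPUT = """\
status : enable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
idle-timeout : 28800
auth-timeout : 79200
dtls-tunnel : enable
tunnel-connect-without-reauth: disable
encrypt-and-store-password: disable
"""

KV_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")
DEPRECATED_TLS = {"tls1-0", "tls1-1"}


def parse_get_output(text):
    """Turn the 'key : value' lines of a FortiOS 'get' dump into a dict."""
    settings = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def review_sslvpn(settings):
    """Return (key, note) pairs for settings relevant to reconnects and TLS."""
    notes = []
    # FortiGate side of auto-reconnect: while this stays disabled, a client
    # whose tunnel dropped has to authenticate again before it can rejoin.
    if settings.get("tunnel-connect-without-reauth") != "enable":
        notes.append(("tunnel-connect-without-reauth",
                      "disabled: a dropped tunnel must re-authenticate to rejoin"))
    # Hygiene: the tunnel should not negotiate down to a deprecated TLS version.
    min_ver = settings.get("ssl-min-proto-ver")
    if min_ver in DEPRECATED_TLS:
        notes.append(("ssl-min-proto-ver",
                      f"{min_ver} permits a deprecated TLS version; raise to tls1-2"))
    # Even re-auth-free reconnects stay bounded by these session limits (seconds).
    for key in ("idle-timeout", "auth-timeout"):
        if key in settings:
            notes.append((key, f"session limit {int(settings[key])} s"))
    return notes


if __name__ == "__main__":
    for key, note in review_sslvpn(parse_get_output(SAMPLE_GET_OUTPUT)):
        print(f"{key}: {note}")
```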
Hi, look in these two documents for the "Always Up (Keep Alive)" feature. It must be enabled on both Fortigate and ForticlientEMS side:
https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide
https://docs.fortinet.com/document/forticlient/7.0.7/xml-reference-guide
So, more testing and messing around with it...I got the reconnect to work okay. By enabling the "Save Password" option (which I'm really not crazy about doing), it auto-reconnected the user when their network dropped. It does require them to accept the DUO push notification again, which helps me feel a little better.
So when their network drops, the VPN message comes up after about 20-30 seconds and says the SSL VPN is down. Once the network comes back up, it does the reconnecting, prompts the user to accept the DUO push, then reconnects with no issue. The only way it will permanently disconnect is 1) Choose Disconnect from the FortiClient console, 2) Shutdown the FortiClient, or 3) to Reboot.
Thanks for all the help.
-David
Created on 01-15-2023 08:31 AM
I hope this article helps
Yea, I've looked at those docs. The only setting on EMS that I don't have set is the Save Password option. I wasn't keen on allowing users to save their password for the VPN. Seems to be a possible security hole. Is that really the only way to auto-reconnect? I'm just looking for the FortiClient to reconnect after a brief network *blip*. Do others here allow users to save their password?
We converted from an ASA and AnyConnect client which handled the reconnect with no issues if a user dropped network briefly. We didn't have to turn on any save password setting(s). Was looking for the same functionality with FortiClient - looks like it may not exist.
I wonder if using SAML login would work to do what we want?
Have you checked this article?
Yea, checked that one too. It actually caused some weird issues where the client would connect for 2 sec, then disconnect, then reconnect for 2 sec, then disconnect again. It did this over and over. I had to disable it again.
Now that you mention it, might have been the reason why I stayed on FCT 6.4. I haven't tested 7.0 clients in a while but I seem to remember having similar reconnect issues after 7.0.1.
Copyright 2024 Fortinet, Inc. All Rights Reserved.