Support Forum
david_ekstrom
New Contributor II

SSL VPN Not auto-reconnecting

We are having an issue with our FortiClient users not reconnecting after a brief network drop on their home internet.  If they have a quick drop, we measured it at about 10 sec, the VPN will reconnect/stay alive.  But if they drop their internet for more than that it prompts them to login again.  This causes issues with open files on the network shares and is inconvenient to the end user.

I believe we have the auto reconnect setup properly in the FortiClient EMS Cloud (needed to modify XML according to Fortinet support) and we have the FortiGate 200E setup to allow the auto reconnect.

I've searched and searched for a solution but haven't been able to resolve it.  I should note that we are using DUO for MFA, not sure if that is a factor in it.

Asking for any insight.  I've included the current SSL settings on the firewall.

Thanks,

David

FortiOS 7.0.9
FortiClient 7.0.7
FortiGate 200E


# config vpn ssl settings
(settings) # get
status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
banned-cipher :
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : <*removed for security*>
algorithm : high
idle-timeout : 28800
auth-timeout : 79200
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 30
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix : mfbonline.com
dns-server1 : <*removed for security*>
dns-server2 : <*removed for security*>
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : <*removed for security*>
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "WAN"
source-address : "US_ONLY"
source-address-negate: disable
source-address6 :
source-address6-negate: disable
default-portal : web-access
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dual-stack-mode : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port : <*removed for security*>
web-mode-snat : disable
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0
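A small added check, not from the thread or from Fortinet, that parses the "get" output of config vpn ssl settings pasted above and flags the two items a reviewer would look at first: ssl-min-proto-ver below tls1-2, and tunnel-connect-without-reauth disabled, which this example assumes is the FortiGate-side knob that decides whether a re-established tunnel prompts for credentials again. The sample lines are constructed from the values in the post.

```python
import re

# Constructed sample: a subset of the "get" output posted above, in the same
# "key : value" / "key: value" format (values copied from the post).
SAMPLE_GET_OUTPUT = """\
status : enable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
idle-timeout : 28800
auth-timeout : 79200
login-attempt-limit : 2
tunnel-connect-without-reauth: disable
dtls-tunnel : enable
"""

# FortiOS protocol names, weakest to strongest, used to compare the floor.
TLS_ORDER = ["ssl3", "tls1-0", "tls1-1", "tls1-2", "tls1-3"]


def parse_get_output(text):
    """Turn 'key : value' lines into a dict; table markers like '== [ 1 ]' are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def review_reconnect_and_tls(settings):
    """Return human-readable findings for the reconnect behaviour and the TLS floor.
    That tunnel-connect-without-reauth governs re-auth on reconnect is this
    example's assumption; the thread itself does not confirm it."""
    findings = []
    if settings.get("tunnel-connect-without-reauth") != "enable":
        findings.append("tunnel-connect-without-reauth is disabled: a tunnel "
                        "re-established after a drop must authenticate again")
    min_ver = settings.get("ssl-min-proto-ver")
    if min_ver in TLS_ORDER and TLS_ORDER.index(min_ver) < TLS_ORDER.index("tls1-2"):
        findings.append(f"ssl-min-proto-ver {min_ver} still permits pre-TLS1.2 clients")
    return findings


if __name__ == "__main__":
    for finding in review_reconnect_and_tls(parse_get_output(SAMPLE_GET_OUTPUT)):
        print("-", finding)
```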

 


FortiMax_it
Contributor

Hi, look in these two documents for the "Always Up (Keep Alive)" feature. It must be enabled on both FortiGate and FortiClient EMS side:

https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide
https://docs.fortinet.com/document/forticlient/7.0.7/xml-reference-guide

[Screenshot attached: FortiMax_it_0-1673801490583.png]

 

david_ekstrom
New Contributor II

Yea, I've looked at those docs.  The only setting on EMS that I don't have set is the Save Password option.  I wasn't keen on allowing users to save their password for the VPN.  Seems to be a possible security hole.  Is that really the only way to auto-reconnect?  I'm just looking for the FortiClient to reconnect after a brief network *blip*.  Do others here allow users to save their password?

We converted from an ASA and AnyConnect client which handled the reconnect with no issues if a user dropped network briefly.  We didn't have to turn on any save password setting(s).  Was looking for the same functionality with FortiClient - looks like it may not exist.

I wonder if using SAML login would work to do what we want?

dfish85
New Contributor III

david_ekstrom

Yea, checked that one too.  It actually caused some weird issues where the client would connect for 2 sec, then disconnect, then reconnect for 2 sec, then disconnect again.  It did this over and over.  I had to disable it again.

dfish85
New Contributor III

Now that you mention it, might have been the reason why I stayed on FCT 6.4.  I haven't tested 7.0 clients in a while but I seem to remember having similar reconnect issues after 7.0.1.

david_ekstrom
New Contributor II

So, more testing and messing around with it...I got the reconnect to work okay.  By enabling the "Save Password" option (which I'm really not crazy about doing), it auto-reconnected the user when their network dropped.  It does require them to accept the DUO push notification again, which helps me feel a little better.

So when their network drops, the VPN message comes up after about 20-30 seconds and says the SSL VPN is down.  Once the network comes back up, it does the reconnecting, prompts the user to accept the DUO push, then reconnects with no issue.  The only way it will permanently disconnect is 1) choose Disconnect from the FortiClient console, 2) shut down the FortiClient, or 3) reboot.

Thanks for all the help.

-David
