I have a VPN client that connects from home to our FW, and what happens is that once every half an hour he has a short network drop for a few seconds and when this happens the SSL VPN software disconnects and he has to perform the connection process over again.
Is it possible to extend the duration of the reconnection attempts and the user will not have to type the confirmations again?
https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/306162/increasing-remote-authen... increase the remote timeout as well as increase https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-connection-logout-after-8-hours/ta...
Hi @Arye_R,
I would suggest enabling DTLS and increasing the heartbeat timeouts. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-DTLS-to-improve-SSL-VPN-performance/...
dtls-hello-timeout >>> SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-heartbeat-idle-timeout >>> Idle timeout before DTLS heartbeat is sent.
dtls-heartbeat-interval >>> Interval between DTLS heartbeat.
dtls-heartbeat-fail-count >>> Number of missing heartbeats before the connection is considered dropped.
Regards,
Created on 03-03-2024 06:04 AM Edited on 03-03-2024 06:22 AM
I thank you,
Could you direct me more specifically to which line you indicated to refer to?
In addition, will it be possible that some of the commands you brought are not supported in version 7.2.7?
For example:
FW2 (settings) # dtls-heartbeat-fail-count 5
Unknown action 0
You need to run 'set' first. For example:
config vpn ssl settings
set dtls-heartbeat-fail-count 5
end
Regards,
Created on 03-05-2024 05:33 AM Edited on 03-05-2024 05:36 AM
I tried, but this is the error I get:
FW2 # config vpn ssl settings
FW2 (settings) # set dtls-heartbeat-fail-count 5
command parse error before 'dtls-heartbeat-fail-count'
It seems that it does not recognize the command
Here are the options it gives me when I do the command set dtls-?
FW2 (settings) # set dtls-
dtls-hello-timeout SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-tunnel Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.
dtls-max-proto-ver DTLS maximum protocol version.
dtls-min-proto-ver DTLS minimum protocol version.
It means that command is not available in 7.2.7. You can use 'set dtls-hello-timeout'.
Regards,
Hi @Arye_R,
You can use the CLI reference to verify the commands supported by FortiOS 7.2.7 for SSL VPN settings.
Ref: https://docs.fortinet.com/document/fortigate/7.2.7/cli-reference/319620/config-vpn-ssl-settings
Thanks
Rajan
Hello @Arye_R
It is expected to get disconnected after 6 seconds once there is a network interruption.
In this case, you can set option always-up, https://docs.fortinet.com/document/forticlient/7.2.3/administration-guide/437773/save-password-auto-...
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
The same settings should be enabled under the FW VPN portal settings, or else it will keep prompting every time you log in to your machine.
set auto-connect enable
set keep-alive enable
set save-password enable
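Added example, not from any reply in this thread: the settings the replies above point to, written out as one FortiOS 7.2.7 CLI fragment. It uses only options the thread confirms exist on this version (`dtls-tunnel` and `dtls-hello-timeout` from the `set dtls-?` output; the `dtls-heartbeat-*` options that returned a parse error are left out). The portal name `full-access` is an assumption; substitute the portal assigned to the affected user.

```text
# Added example (not the thread's own config): FortiOS 7.2.7
config vpn ssl settings
    # DTLS tunnel, present in the 'set dtls-?' output quoted above
    set dtls-tunnel enable
    # Upper bound of the DTLS hello timeout; valid range 10-60 sec, default 10
    set dtls-hello-timeout 60
    # dtls-heartbeat-idle-timeout / -interval / -fail-count are not available
    # in 7.2.7 (command parse error above), so they are omitted here
end

config vpn ssl web portal
    # Portal name is an assumption; use the portal mapped to the user
    edit "full-access"
        # Reconnect without re-prompting and keep the tunnel up across short drops
        set auto-connect enable
        set keep-alive enable
        # Required for auto-connect; caches the credential on the endpoint
        set save-password enable
    next
end
```

Pair this with the FortiClient XML values quoted above (`show_remember_password`, `show_alwaysup`, `show_autoconnect`) so the client-side profile matches the portal. Note the trade-off in `save-password`: the credential is stored on the endpoint, so this is most defensible on managed, disk-encrypted devices, and `dtls-hello-timeout` only widens the handshake window; it does not by itself keep a session alive through a multi-second link drop.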
Regards!