Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Arye_R
New Contributor

SSL VPN disconnection due to short network disconnections at home

I have a VPN client that connects from home to our FW, and what happens is that once every half an hour he has a short network drop for a few seconds and when this happens the SSL VPN software disconnects and he has to perform the connection process over again.

Is it possible to extend the duration of the reconnection attempts and the user will not have to type the confirmations again?

8 REPLIES 8
hbac
Staff
Staff

Hi @Arye_R,

 

I would suggest enabling dtls and increase heartbeat timeouts. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-DTLS-to-improve-SSL-VPN-performance/...

 

dtls-hello-timeout                      >>> SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-heartbeat-idle-timeout        >>> Idle timeout before DTLS heartbeat is sent.
dtls-heartbeat-interval               >>> Interval between DTLS heartbeat.
dtls-heartbeat-fail-count            >>> Number of missing heartbeats before the connection is considered dropped.

 

Regards, 

Arye_R
New Contributor

I thank you,

Could you direct me more specifically to which line you indicated to refer to ?

 

In addition, will it be possible that some of the commands you brought are not supported in version 7.2.7?
For example:

FW2 (settings) # dtls-heartbeat-fail-count 5
Unknown action 0

hbac

@Arye_R,

 

You need to run 'set' first. For example: 

 

config vpn ssl settings 

set dtls-heartbeat-fail-count 5

end 

 

Regards, 

Arye_R
New Contributor

I tried, but this is the error I get:
FW2 # config vpn ssl settings

FW2 (settings) # set dtls-heartbeat-fail-count 5
command parse error before 'dtls-heartbeat-fail-count'

 

It seems that it does not recognize the command

 

Here are the options it gives me when I do the command set dtls-?

FW2 (settings) # set dtls-
dtls-hello-timeout SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-tunnel Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.
dtls-max-proto-ver DTLS maximum protocol version.
dtls-min-proto-ver DTLS minimum protocol version.

hbac

@Arye_R,

 

It means that command is not available in 7.2.7. You can use 'set dtls-hello-timeout'. 

 

Regards, 

Rajan_kohli
Staff
Staff

Hi @Arye_R,

 

You can use CLI refrence to verify commands supported by FortiOS 7.2.7 for ssl vpn settings
Ref: https://docs.fortinet.com/document/fortigate/7.2.7/cli-reference/319620/config-vpn-ssl-settings

Thanks

Rajan

Rajan Kohli
Dhruvin_patel

Hello @Arye_R

 

It is expected to get disconnected after 6 seconds once there is a network interruption. 

In this case, you can set option always-up, https://docs.fortinet.com/document/forticlient/7.2.3/administration-guide/437773/save-password-auto-...

 

Enabling the "Auto Connect", "Always UP" or "Save Password" options can only be done by editing the FortiClient XML configuration file (on non-managed installations.), https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-EMS-Auto-connect-a-VPN-Tunne...

 

<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>

 

The same settings should be enabled under FW VPN portal settings or else it will keep prompting every time you login to your machine.

 

set auto-connect enable
set keep-alive enable
set save-password enable

 

Regards!

If you have found a solution, please like and accept it to make it easily accessible to others.

Dhruvin Patel
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors