SSL VPN disconnection due to short network disconnections at home
I have a VPN client that connects from home to our FW, and what happens is that once every half an hour he has a short network drop for a few seconds and when this happens the SSL VPN software disconnects and he has to perform the connection process over again.
Is it possible to extend the duration of the reconnection attempts so that the user will not have to type the confirmations again?
https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/306162/increasing-remote-authen... increase the remote timeout as well as increase https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-connection-logout-after-8-hours/ta...
Hi @Arye_R,
I would suggest enabling DTLS and increasing the heartbeat timeouts. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-DTLS-to-improve-SSL-VPN-performance/...
dtls-hello-timeout >>> SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-heartbeat-idle-timeout >>> Idle timeout before DTLS heartbeat is sent.
dtls-heartbeat-interval >>> Interval between DTLS heartbeat.
dtls-heartbeat-fail-count >>> Number of missing heartbeats before the connection is considered dropped.
Regards,
Created on ‎03-03-2024 06:04 AM Edited on ‎03-03-2024 06:22 AM
I thank you,
Could you direct me more specifically to which line you indicated to refer to?
In addition, is it possible that some of the commands you brought are not supported in version 7.2.7?
For example:
FW2 (settings) # dtls-heartbeat-fail-count 5
Unknown action 0
You need to run 'set' first. For example:
config vpn ssl settings
set dtls-heartbeat-fail-count 5
end
Regards,
Created on ‎03-05-2024 05:33 AM Edited on ‎03-05-2024 05:36 AM
I tried, but this is the error I get:
FW2 # config vpn ssl settings
FW2 (settings) # set dtls-heartbeat-fail-count 5
command parse error before 'dtls-heartbeat-fail-count'
It seems that it does not recognize the command.
Here are the options it gives me when I run the command set dtls-?:
FW2 (settings) # set dtls-
dtls-hello-timeout SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-tunnel Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.
dtls-max-proto-ver DTLS maximum protocol version.
dtls-min-proto-ver DTLS minimum protocol version.
It means that command is not available in 7.2.7. You can use 'set dtls-hello-timeout'.
Regards,
Hi @Arye_R,
You can use the CLI reference to verify the commands supported by FortiOS 7.2.7 for SSL VPN settings.
Ref: https://docs.fortinet.com/document/fortigate/7.2.7/cli-reference/319620/config-vpn-ssl-settings
Thanks
Rajan
Hello @Arye_R
It is expected to get disconnected after 6 seconds once there is a network interruption.
In this case, you can set option always-up, https://docs.fortinet.com/document/forticlient/7.2.3/administration-guide/437773/save-password-auto-...
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
The same settings should be enabled under the FW VPN portal settings, or else it will keep prompting every time you log in to your machine.
set auto-connect enable
set keep-alive enable
set save-password enable
Regards!
If you have found a solution, please like and accept it to make it easily accessible to others.
