Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Spidler
New Contributor III

SSLVPN and RDP disconnects

Hey folks,

 

Ever since upgrading my 200D to 6.0.5 (now 6.0.9) when using the FC to connect to the SSL VPN, I have constant disconnects with Outlook and RDP sessions. Pings never fail or timeout, but I get disconnected from my RDP sessions every minute or so, making it completely unusable.

I have a ticket open with support, but honestly, they seem to be dragging their feet. Anyone else seen this behavior and figured out a solution? I have 150 users about to be forced to WFH and this is completely unacceptable. The only work-around I've found is using an IPSEC connection, but that's not realistic. 

1 Solution
Spidler
New Contributor III

I updated the fw on Saturday morning. I've had zero issues in the last 30 hours. More importantly, no disconnects of authenticated traffic - https, mapi, rdp, etc. It solved our issues, but I hate running an interim build on what is essentially the brain stem of my network.

View solution in original post

27 REPLIES 27
Toshi_Esumi
Esteemed Contributor III

At least 6.0.9 has a known issue with drops over ssl vpn, which I posted on this forum about a month ago. They (TAC) said it would be fixed in 6.0.10. However, our case might be different because we didn't have the RDP disconnect over SSL VPN (dropped almost everytime a user tried to RDP into a server after SSL VPN came up) problem with 6.0.6.

Spidler
New Contributor III

I spoke to an engineer this morning and they've slipped me a pre-GA copy of 6.0.10 to try out. I'll be installing it tomorrow morning, so I'll report back then as to the results.

Bitman
New Contributor II

Hey Spidler,

Found this thread while searching for a similar issue. We too are sometimes experiencing RDP freeze and disconnections at 5-10 min interval. FC connection is stable, no disconnect, ping is good. Our Fortigate model is 80E on 6.0.7.

This is not always happening. I sometimes experience this behavior when connecting at night. Another user reported having the issue this morning, but this afternoon everything runs smoothly.

I found this KB ( https://kb.fortinet.com/kb/documentLink.do?externalID=FD46182) which describe a similar problem, but It does not apply to our setup.

 

I will wait for your report on your test result with 6.0.10.

shsheikh
New Contributor II

They specifically mention SSLVPN + RDP, but we've noticed it happens with other programs, like Dynamics NAV and our RDS environment (which, I know, is basically RDP).

 

Luckily after some split-brain DNS implementation, we can point SSLVPN users to the public RemoteApp farm address and thus bypass the SSLVPN for that traffic. NAV still disconnects, but we put it in as a RemoteApp so users can launch that if they need to work remotely.

 

It's a pretty big bug, imo, made worse by the current WfH push and I'm surprised it hasn't been quickly patched.

Spidler
New Contributor III

I updated the fw on Saturday morning. I've had zero issues in the last 30 hours. More importantly, no disconnects of authenticated traffic - https, mapi, rdp, etc. It solved our issues, but I hate running an interim build on what is essentially the brain stem of my network.
shsheikh
New Contributor II

That's encouraging news! I don't think I could get us to run pre-release software, but if things take off, it's possible.

 

Did the session drop issue occur just over SSLVPN? We are in the middle of migrating more services to FortiGate, and currently routing and firewalling between segments is handled by another device. If we switch and still run 6.0.9, is there a chance sessions would be dropped even internally, or have you only seen it hit SSLVPN users?

Spidler
New Contributor III

The drop-outs ONLY occurred when using the Forticlient for an SSL VPN connection. I tried with a quick IPSEC tunnel I built out and that was stable with no disconnects. We use ther 200D to terminate our site-to-site MPLS and IPSEC backup VPN tunnels and haven't had any issues with connectivity. The only problem was the SSLVPN connections.

mrgv
New Contributor

Hello Spidler,

 

Is build8661, the pre-GA copy of 6.0.10 that TAC gave you? We are about to deploy a 400E and we are looking for the best option that could give us reliable RDP connectivity over SSL VPN.

Spidler
New Contributor III

Actually, no. I got this build: FGT_200D-v6-build0358-FORTINET

 

On my 200D it shows as: v6.0.0 build0358 (interim)

 

Which is, of course, wildly inaccurate in terms of how it displays it's version and build. The 6.0.0 weirded me out a bit, but seeing as how 6.0.9 is build0335, I feel ok with that discrepancy  

Labels
Top Kudoed Authors