BensonLEI
Contributor

SSLVPN idle-timer not working

Hi, guys,

It has been frustrating with this configuration; the SSLVPN idle-timer is still not working.

I configured all related parameters/attributes as in the following weblink:

Technical Tip: SSL-VPN Idle-timeout not working

My network configuration is as below:

1. Fortigate 100E with FortiOS v7.2.4.
1.1. SSLVPN Client DNS same as Client
1.2. SSLVPN idle-timeout 300
2. FortiClient VPN v7.0.8.xxx
3. Windows 10 Home
3.1. "SSDP Discovery" is disabled
3.2. "LLMNR" is disabled

But the SSLVPN idle-timer is still working; any recommendation? Many thanks.

With regards

Benson


srajeswaran
Staff

Can you run "diag sniffer packet <SSL interface name> none 1 100"? This will help us understand whether any traffic is coming to the firewall/tunnel.

Regards,

Suraj


Muhammad_Haiqal

Hi @BensonLEI,

I can see the idle-timeout is set to 300, which equals 5 minutes.
Idle means no traffic passing through for 5 minutes, after which the connection will be cut off.
If you keep pinging or keep an application running, this idle-timeout will keep resetting and the connection will not be cut off.

haiqal
BensonLEI

Hi, guys,

I captured some packets as below (the Fortigate is in an HA structure).

1. No UDP traffic between the SSLVPN client and the Fortigate.
2. No UDP/TCP traffic at all for tunnel IP = 10.212.200.101 (SSLVPN client; only this IP was assigned).
3. Only the SSLVPN connection was set up; no traffic was created during the test.
4. Only the following UDP traffic (Fortigate to internet DNS server).
5. TCP traffic between client and Fortigate (around when the SSLVPN idle-timer is triggered).

======================================

1. Fortigate and SSLVPN port number (IP is modified):

     11.11.11.196.8443

2. Client IP and port numbers (IP is modified):

     30.30.30.63.52920


12.919285 11.11.11.196.3272 -> 8.8.4.4.53: udp 27
12.923317 8.8.4.4.53 -> 11.11.11.196.3272: udp 43


13.903860 11.11.11.195.1985 -> 224.0.0.102.1985: udp 6
14.662941 11.11.11.195.1985 -> 224.0.0.102.1985: udp 52

12.187019 11.11.11.195.1985 -> 224.0.0.102.1985: udp 52
12.402446 arp who-has 11.11.11.206 tell 11.11.11.194


12.824121 11.11.11.194.1985 -> 224.0.0.102.1985: udp 52
12.919285 11.11.11.196.3272 -> 8.8.4.4.53: udp 27
12.923317 8.8.4.4.53 -> 11.11.11.196.3272: udp 43

 


7.828804 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006064
7.844414 30.30.30.63.52920 -> 11.11.11.196.8443: ack 1828445224
8.413796 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006064 ack 1828445224
8.413858 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006172
8.417689 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006172 ack 1828445224
8.417725 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006532
8.469856 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006532 ack 1828445224
8.469904 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006640
8.557722 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006640 ack 1828445224
8.557762 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006758
8.558681 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006758 ack 1828445224
8.558718 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006898
8.573248 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006898 ack 1828445224
8.573296 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007016
8.573685 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007016 ack 1828445224
8.573721 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007156
8.592412 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007156 ack 1828445224
8.592455 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007264
8.798434 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007264 ack 1828445224
8.798486 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007372
8.811804 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007372 ack 1828445224
8.811858 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007480
8.813601 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007480 ack 1828445224
8.813640 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007598
8.814163 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007598 ack 1828445224
8.814201 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007738
8.815966 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007738 ack 1828445224
8.816003 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007856
8.816368 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007856 ack 1828445224
8.816402 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007996
8.817030 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007996 ack 1828445224
8.817061 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112008108

9.092496 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112008108 ack 1828445224
9.092548 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112008216

9.307006 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112008216 ack 1828445224
9.307055 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112008324

 

May I know what type of traffic I should look for (especially the traffic when the idle-timer expires)?

Also, may I know what 224.0.0.102 is? A multicast IP between the Fortigate HA units? Thanks a lot.

BensonLEI

Hi, Haiqal,

Noted with thanks. For my test, I just set up the SSLVPN connection (with no other network traffic test: ping, traceroute, http...), and then waited until the SSLVPN idle-timer expired.


Toshi_Esumi
Esteemed Contributor III

First, an SSL VPN is a tunnel encapsulated in TCP port 443 (default); in your case you set port 8443. Inside the tunnel the packets are encrypted with TLS. If you sniff traffic on the egress interface you wouldn't be able to see any meaningful traffic. You have to sniff at the ssl.root interface.

Also, if you haven't set split-tunnel, the idle timer might not time out.

I'm not sure about the use of 224.0.0.102, but that would be a different question unrelated to SSL VPN, for which you should open a separate thread and ask there.

 

Toshi

BensonLEI

Hi, Toshi,

Thanks so much for your reply.

Attached is my test result, which may show you a bit more clearly:

1. tunnel IP
2. no tunnel traffic received (that should be clear enough to verify the SSLVPN idle-timer)

SSLVPN idle-timer result 2023-05-25 02.PNG

Other SSLVPN settings:

--------------------------------


02DC_Ftg100E_primary (full-access) # get
name : full-access
tunnel-mode : enable
ipv6-tunnel-mode : enable
web-mode : disable
allow-user-access : web ftp smb sftp telnet ssh vnc rdp ping
limit-user-logins : enable
forticlient-download: enable
ip-mode : range
auto-connect : disable
keep-alive : disable
save-password : disable
ip-pools : "SSLVPN_TUNNEL_ADDR1"
split-tunneling : enable
split-tunneling-routing-negate: disable
split-tunneling-routing-address: "10.21.21.23_os5"
dns-server1 : 0.0.0.0
dns-server2 : 0.0.0.0
dns-suffix :
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
dhcp-ra-giaddr : 0.0.0.0
ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
ipv6-split-tunneling: enable
ipv6-split-tunneling-routing-negate: disable
ipv6-split-tunneling-routing-address:
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
dhcp6-ra-linkaddr : ::
client-src-range : disable
host-check : none
mac-addr-check : disable
os-check : disable
forticlient-download-method: direct
customize-forticlient-download-url: disable
split-dns:

 

===============================================

Do I need to disable IPv6 (not very useful to us at present)?

Is there any other attribute/parameter I can adjust (or fine-tune)? Thx.

Toshi_Esumi
Esteemed Contributor III

So you have set only traffic destined to "10.21.21.23_os5" to come over the tunnel. Unless that host/subnet is for DNS servers or something your client machine constantly accesses, there shouldn't be any traffic coming over. I would sniff like

    diag sniffer packet ssl.root 'host 10.201.134.201'

while waiting for the idle-timer to time out.

Your ipv6 setting is also split-tunnel and no routing-address is set. So even if the client machine's ipv6 is enabled, no routes should be pointing to the tunnel. So I wouldn't worry about it.

Toshi

BensonLEI

Hi, Toshi,

You are correct; the following UDP traffic is captured from the tunnel IP:

02DC_Ftg100E_primary # diag sniffer packet ssl.root 'host 10.212.134.202'4 0 a

interfaces=[any]
filters=[host 10.212.134.202]
2023-05-25 04:26:23.318327 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:23.374090 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:23.374512 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:24.316802 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:24.374990 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:24.375815 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:25.317417 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:25.375484 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:25.377344 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:26.318105 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:26.376211 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:26.377829 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.342656 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.400558 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.401579 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:24.345415 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:24.401722 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:24.402713 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:25.345712 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:25.403307 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:25.405073 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:26.347792 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:26.404163 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:26.406009 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.363645 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.422440 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.422934 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:24.366036 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:24.424434 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:24.424513 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:25.365778 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:25.425517 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:25.425602 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:26.367383 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:26.425811 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:26.425884 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:23.373149 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:23.430340 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:23.432190 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:24.375415 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:24.432739 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:24.433479 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:25.375026 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:25.433628 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:25.434514 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:26.376326 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:26.434060 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:26.435349 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:23.382308 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:23.438234 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:23.442149 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:24.383899 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:24.440239 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:24.443586 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:25.383765 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:25.441233 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:25.445028 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:26.384452 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:26.441910 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:26.445907 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175

 

I have sniffed for more than 5 minutes, as shown.

Whether I am right or not (please correct me if anything is wrong), I found this article as below (239.255.255.250.1900: udp 175 ---> SSDP is an HTTP-like protocol):

https://wiki.wireshark.org/ssdp

I disabled the "web-access" mode in the Fortigate SSLVPN configuration, so the "239.255.255.250.1900: udp 175" should not be valid/useful for the SSLVPN idle-timer?

And also this service "SSDP discovery" is disabled on the SSL client (Windows 10).


Toshi_Esumi
Esteemed Contributor III

Those are multicast packets that Windows/Mac or whatever the OS is, and the applications/drivers running on the OS, are sending on network interfaces (239.255.255.250 is for UPnP (Universal Plug and Play)). So if you want to stop them, you have to do something on the client machine side. But you might not be able to.

I don't know if there is a way to exclude multicast packets, at least from the counter's counting for "idle-timer". Wait for somebody else's comment who knows about it.

Toshi
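A small helper, added here as an illustration and not part of this thread or of any Fortinet tool, that parses `diag sniffer packet ssl.root` lines like the ones above, flags multicast destinations (224.0.0.0/4, which covers the 239.255.255.250 SSDP traffic seen in the capture) and checks whether the largest gap between packets ever reaches the 300-second idle-timeout; the sample capture is constructed, and the TCP packet to 10.21.21.23 is made up to show the difference between real tunnel traffic and multicast chatter.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the format of FortiGate "diag sniffer packet ssl.root" output;
# the SSDP lines mirror the thread's capture, the 10.21.21.23 TCP packet is made up.
SAMPLE_CAPTURE = """\
filters=[host 10.212.134.202]
2023-05-25 04:26:23.318327 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.342656 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.363645 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:31:02.100000 ssl.root in 10.212.134.202.51000 -> 10.21.21.23.443: syn 12345
2023-05-25 04:32:23.373149 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # covers 239.255.255.250 (SSDP/UPnP)

def parse_capture(text):
    """One dict per packet line; header lines such as 'filters=[...]' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["ts"] = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M:%S.%f")
            p["multicast"] = ipaddress.ip_address(p["dst"]) in MULTICAST
            pkts.append(p)
    return pkts

def idle_timer_report(text, idle_timeout=300, ignore_multicast=False):
    """Could an idle-timer of idle_timeout seconds ever fire on this capture?
    Every counted packet resets the timer, so it fires only if a gap between consecutive
    counted packets reaches idle_timeout, or if there is no sustained activity at all."""
    pkts = parse_capture(text)
    counted = [p for p in pkts if not (ignore_multicast and p["multicast"])]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(counted, counted[1:])]
    max_gap = max(gaps) if gaps else None
    return {
        "packets": len(pkts),
        "multicast_packets": sum(p["multicast"] for p in pkts),
        "max_gap": max_gap,
        "would_expire": max_gap is None or max_gap >= idle_timeout,
    }
```

With the sample, the SSDP bursts every two minutes keep the largest gap near 120 s, so a 300 s timer never fires; with `ignore_multicast=True` only the single TCP packet remains and the timer would expire.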
