Hi, guys,
I have been frustrated by this configuration; the SSL VPN idle-timer is still not working.
I configured all related parameters/attributes as in the following web link:
Technical Tip: SSL-VPN Idle-timeout not working
My network configuration is as below:
1. Fortigate 100E with FortiOS v7.2.4.
1.1. SSLVPN Client DNS same as Client
1.2. SSLVPN idle-timeout 300
2. FortiClient VPN v7.0.8.xxx
3. Windows 10 home
3.1. "SSDP Discovery" is disabled
3.2. "LLMNR" is disabled
But the SSLVPN idle-timer is still working; any recommendation? Many thanks.
With regards
Benson
Can you run "diag sniffer packet <SSL interface name> none 1 100"? This will help us understand whether any traffic is coming to the firewall/tunnel.
Hi @BensonLEI ,
I can see the idle-timeout is set to 300, which equals 5 minutes.
Idle means no traffic passing through for 5 minutes, after which the connection will be cut off.
If you keep pinging or have an application running, this idle-timeout will keep resetting and the connection will not be cut off.
Created on 05-24-2023 01:47 AM Edited on 05-24-2023 01:58 AM
Hi, guys,
I captured some packets as below (the FortiGate is in an HA setup).
1. No UDP traffic between the SSL VPN client and the FortiGate.
2. No UDP/TCP traffic for tunnel IP = 10.212.200.101 (SSL VPN client; only this IP was assigned).
3. Only the SSL VPN connection was set up; no traffic was generated during the test.
4. Only the following UDP traffic (FortiGate to internet DNS server).
5. TCP traffic between client and FortiGate (around when the SSL VPN idle-timer is triggered).
======================================
1. FortiGate and SSL VPN port number (IP is modified):
11.11.11.196.8443
2. Client IP and port number (IP is modified):
30.30.30.63.52920
12.919285 11.11.11.196.3272 -> 8.8.4.4.53: udp 27
12.923317 8.8.4.4.53 -> 11.11.11.196.3272: udp 43
13.903860 11.11.11.195.1985 -> 224.0.0.102.1985: udp 6
14.662941 11.11.11.195.1985 -> 224.0.0.102.1985: udp 52
12.187019 11.11.11.195.1985 -> 224.0.0.102.1985: udp 52
12.402446 arp who-has 11.11.11.206 tell 11.11.11.194
12.824121 11.11.11.194.1985 -> 224.0.0.102.1985: udp 52
12.919285 11.11.11.196.3272 -> 8.8.4.4.53: udp 27
12.923317 8.8.4.4.53 -> 11.11.11.196.3272: udp 43
7.828804 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006064
7.844414 30.30.30.63.52920 -> 11.11.11.196.8443: ack 1828445224
8.413796 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006064 ack 1828445224
8.413858 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006172
8.417689 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006172 ack 1828445224
8.417725 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006532
8.469856 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006532 ack 1828445224
8.469904 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006640
8.557722 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006640 ack 1828445224
8.557762 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006758
8.558681 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006758 ack 1828445224
8.558718 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112006898
8.573248 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112006898 ack 1828445224
8.573296 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007016
8.573685 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007016 ack 1828445224
8.573721 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007156
8.592412 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007156 ack 1828445224
8.592455 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007264
8.798434 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007264 ack 1828445224
8.798486 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007372
8.811804 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007372 ack 1828445224
8.811858 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007480
8.813601 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007480 ack 1828445224
8.813640 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007598
8.814163 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007598 ack 1828445224
8.814201 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007738
8.815966 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007738 ack 1828445224
8.816003 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007856
8.816368 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007856 ack 1828445224
8.816402 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112007996
8.817030 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112007996 ack 1828445224
8.817061 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112008108
9.092496 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112008108 ack 1828445224
9.092548 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112008216
9.307006 30.30.30.63.52920 -> 11.11.11.196.8443: psh 3112008216 ack 1828445224
9.307055 11.11.11.196.8443 -> 30.30.30.63.52920: ack 3112008324
May I know if there is any type of traffic I should notice (especially the traffic around when the idle-timer expires)?
Also, may I know what 224.0.0.102 is, the multicast IP between the FortiGate HA members? Thanks a lot.
Hi, Haiqal,
Noted with thanks; for my test, I just set up the SSL VPN connection (with no other network traffic test: ping, traceroute, HTTP, ...) and then waited until the SSL VPN idle-timer expired.
First, an SSL VPN is a tunnel encapsulated in TCP port 443 (default); in your case you set port 8443. Inside the tunnel the packets are encrypted with TLS. If you sniff traffic on the egress interface you won't be able to see any meaningful traffic. You have to sniff on the ssl.root interface.
Also, if you haven't set split-tunnel, the idle timer might not time out.
I'm not sure about the use of 224.0.0.102, but that would be a different question unrelated to SSL VPN, for which you should open a separate thread and ask there.
Toshi
Created on 05-24-2023 07:24 PM Edited on 05-24-2023 07:46 PM
Hi, Toshi,
Thanks so much for your reply.
Attached is my test result, which may make it a bit clearer:
1. Tunnel IP
2. No tunnel traffic received (that should be clear enough to verify the SSL VPN idle-timer)
Other SSLVPN settings:
--------------------------------
02DC_Ftg100E_primary (full-access) # get
name : full-access
tunnel-mode : enable
ipv6-tunnel-mode : enable
web-mode : disable
allow-user-access : web ftp smb sftp telnet ssh vnc rdp ping
limit-user-logins : enable
forticlient-download: enable
ip-mode : range
auto-connect : disable
keep-alive : disable
save-password : disable
ip-pools : "SSLVPN_TUNNEL_ADDR1"
split-tunneling : enable
split-tunneling-routing-negate: disable
split-tunneling-routing-address: "10.21.21.23_os5"
dns-server1 : 0.0.0.0
dns-server2 : 0.0.0.0
dns-suffix :
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
dhcp-ra-giaddr : 0.0.0.0
ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
ipv6-split-tunneling: enable
ipv6-split-tunneling-routing-negate: disable
ipv6-split-tunneling-routing-address:
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
dhcp6-ra-linkaddr : ::
client-src-range : disable
host-check : none
mac-addr-check : disable
os-check : disable
forticlient-download-method: direct
customize-forticlient-download-url: disable
split-dns:
===============================================
Do I need to disable IPv6 (not much use to us at present)?
Is there any other attribute/parameter I can adjust (or fine-tune)? Thx.
So you have set only traffic destined to "10.21.21.23_os5" to come over the tunnel. Unless that host/subnet is for DNS servers or something your client machine constantly accesses, there shouldn't be any traffic coming over. I would sniff like
diag sniffer packet ssl.root 'host 10.201.134.201'
while waiting for the idle-timer to time out.
Your IPv6 setting is also split-tunnel and no routing-address is set. So even if the client machine's IPv6 is enabled, no routes should be pointing to the tunnel. So I wouldn't worry about it.
Toshi
Created on 05-24-2023 08:55 PM Edited on 05-24-2023 10:14 PM
Hi, Toshi,
You are correct; the following UDP traffic is captured from the tunnel IP:
02DC_Ftg100E_primary # diag sniffer packet ssl.root 'host 10.212.134.202' 4 0 a
interfaces=[any]
filters=[host 10.212.134.202]
2023-05-25 04:26:23.318327 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:23.374090 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:23.374512 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:24.316802 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:24.374990 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:24.375815 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:25.317417 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:25.375484 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:25.377344 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:26.318105 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:26.376211 ssl.root in 10.212.134.202.60697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:26.377829 ssl.root in 10.212.134.202.60695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.342656 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.400558 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.401579 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:24.345415 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:24.401722 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:24.402713 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:25.345712 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:25.403307 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:25.405073 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:26.347792 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:26.404163 ssl.root in 10.212.134.202.64695 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:26.406009 ssl.root in 10.212.134.202.64697 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.363645 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.422440 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.422934 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:24.366036 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:24.424434 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:24.424513 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:25.365778 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:25.425517 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:25.425602 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:26.367383 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:26.425811 ssl.root in 10.212.134.202.64711 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:26.425884 ssl.root in 10.212.134.202.64709 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:23.373149 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:23.430340 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:23.432190 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:24.375415 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:24.432739 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:24.433479 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:25.375026 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:25.433628 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:25.434514 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:26.376326 ssl.root in 10.212.134.202.54703 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:26.434060 ssl.root in 10.212.134.202.54705 -> 239.255.255.250.1900: udp 175
2023-05-25 04:32:26.435349 ssl.root in 10.212.134.202.54707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:23.382308 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:23.438234 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:23.442149 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:24.383899 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:24.440239 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:24.443586 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:25.383765 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:25.441233 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:25.445028 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:26.384452 ssl.root in 10.212.134.202.52314 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:26.441910 ssl.root in 10.212.134.202.52316 -> 239.255.255.250.1900: udp 175
2023-05-25 04:34:26.445907 ssl.root in 10.212.134.202.52318 -> 239.255.255.250.1900: udp 175
I have sniffed for more than 5 minutes, as shown.
Whether I am right or not (please correct me if anything is wrong), I found this article (239.255.255.250.1900: udp 175 ---> SSDP is an HTTP-like protocol):
https://wiki.wireshark.org/ssdp
I disabled "web-access" mode in the FortiGate SSL VPN configuration, so the "239.255.255.250.1900: udp 175" traffic should not be valid/useful for the SSL VPN idle-timer?
And also the "SSDP Discovery" service is disabled on the SSL client (Windows 10).
Those are multicast packets that Windows/Mac or whatever the OS is, and applications/drivers running on the OS, are sending on network interfaces (239.255.255.250 is for UPnP (Universal Plug and Play)). So if you want to stop them, you have to do something on the client machine side. But you might not be able to.
I don't know if there is a way to exclude multicast packets, at least from the counter's counting for the "idle-timer". Wait for somebody else's comment who knows about it.
Toshi
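As an added example (not from the thread or from Fortinet), a small Python parser for the verbose-4 output of `diag sniffer packet ssl.root '<filter>' 4 0 a` shown above: it counts packets per destination, flags multicast destinations (224.0.0.0/4) such as the SSDP traffic to 239.255.255.250:1900, and reports whether the captured window contains a silence of at least the idle-timeout, both over all packets and with the multicast packets ignored. The sample lines are constructed in the format of the capture above; the 300-second default is the idle-timeout configured in the thread.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample (format of 'diag sniffer packet ssl.root <filter> 4 0 a'): SSDP bursts, then one unicast packet.
SAMPLE = """\
2023-05-25 04:26:23.318327 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:26:24.316802 ssl.root in 10.212.134.202.60693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:28:23.342656 ssl.root in 10.212.134.202.64693 -> 239.255.255.250.1900: udp 175
2023-05-25 04:30:23.363645 ssl.root in 10.212.134.202.64707 -> 239.255.255.250.1900: udp 175
2023-05-25 04:33:10.000000 ssl.root in 10.212.134.202.50000 -> 10.21.21.23.443: syn 1234567
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ (?:in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ -> (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse(text):
    """Yield (timestamp, src, dst, dport, proto) per packet line; 'interfaces='/'filters=' lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            proto = "udp" if m["rest"].startswith("udp") else "tcp"  # TCP lines show flag words (syn/psh/ack)
            yield ts, m["src"], m["dst"], int(m["dport"]), proto

def longest_silence(timestamps, start, end):
    points = [start] + sorted(timestamps) + [end]  # bound the silence by the capture window itself
    return max((b - a).total_seconds() for a, b in zip(points, points[1:]))

def idle_report(text, idle_timeout=300):
    """Per-destination counts, and whether the window holds an idle gap >= idle_timeout with and without multicast."""
    pkts = list(parse(text))
    if not pkts:
        return {}
    start, end = pkts[0][0], pkts[-1][0]
    by_dst = Counter(f"{dst}:{dport}/{proto}" for _, _, dst, dport, proto in pkts)
    unicast = [ts for ts, _, dst, _, _ in pkts if not ipaddress.ip_address(dst).is_multicast]
    gap_all = longest_silence([p[0] for p in pkts], start, end)
    gap_unicast = longest_silence(unicast, start, end)
    return {
        "multicast_packets": len(pkts) - len(unicast),
        "by_destination": dict(by_dst),
        "longest_gap_all": gap_all,
        "longest_gap_ignoring_multicast": gap_unicast,
        "would_idle_out": gap_all >= idle_timeout,
        "would_idle_out_ignoring_multicast": gap_unicast >= idle_timeout,
    }
```

Feed it the saved sniffer output of a full idle-timeout window: if `would_idle_out` is false but `would_idle_out_ignoring_multicast` is true, the multicast entries in `by_destination` are what is resetting the timer.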