Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
peterk2020
New Contributor

ssh and telnet disconnect after about 15s

Hi,

I'm having an issue with CLI session using ssh and telnet.  Whenever I tried to connect Fortinet or switch behind Fortigate, it disconnects my session after about 15s.  Web session on Fortigate stays connected.. but neither the ssh or telnet.  Tried to change timeout settings on Fortigate.  It didn't help.  I'm sitting behind a Fortigate that has an ipsec tunnel with the Fortigate that I'm trying to connect to.  Any settings on IPSEC tunnel?  Any suggestions?

 

Thanks.

 

4 REPLIES 4
Yurisk
SuperUser
SuperUser

There is no setting on Fortigate to cause an ACTIVE ssh session to disconnect every other second/minute, the only setting like set admintimeout relates to ssh/web admin sessions but even then only for IDLE sessions, not active ones.  

Is it possible you have SD-WAN + Ipsec ? If so then it could be the FGT is balancing your ssh over multiple VPN tunnels and this causes the issue, in that case you can try setting SD-WAN to preserve-session setting.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
emnoc
Esteemed Contributor III

tcp-mss size is my 1st thought since you  are using a a ipsec-tunnel you have a policy right ? Go into the cli mode and set the tcp-mss receive and retest.

 

http://socpuppet.blogspot.com/2013/05/tcp-mss-adjusment-fortigate-style.html

 

 

Also please telling me your not using telnet for management ;)

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
peterk2020

Thanks for your replies.  Let me go ahead and adjust tcp-mss and test it what happens.  I was just testing "telent' see if I have a same issue. 

Forgot to mention that it stays connected as long as I type.

emnoc
Esteemed Contributor III

Man that last post update makes me believe you have  session-ttl set & if you go idle the session is timeout. If you do a "diag debug flow" and find the policy and services make sure some one didn't hack of the service session-ttl to some weird idle timeout

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors