Kazumi-k
New Contributor

SSL VPN auth-timeout 0 not working when no packets are sent or received.

The VPN connection will be broken if the computer connected by FortiClient with the following settings does not send or receive packets passing through the VPN for 259200 seconds (3 days).

---
config vpn ssl settings
 set idle-timeout 0
 set auth-timeout 0
 <omit>
end
---

 

Monitoring in “Dashboard>Users & Devices>Firewall Users>” shows that when there is no communication, the remaining time gradually decreases, and when communication starts, the remaining time resets to 3 days.

 

It seems like a disconnection due to idle-timeout, but the VPN event disconnect reason is an auth-timeout.

 

Is it possible to keep the VPN connection for more than 259200 seconds (3 days) even if no packets are sent or received?

 

AEK
SuperUser

According to the "FortiOS CLI reference" doc, 259200 is the maximum value.

If you need it to stay connected then you may schedule a job to generate a ping periodically.

AEK
Kanbeik
New Contributor

Thanks for the reply.
Doesn't the following setting (minimum value: 0) mean that it will not time out?
“set idle-timeout 0”
“set auth-timeout 0”

 

config vpn ssl settings | FortiGate / FortiOS 7.2.1 | Fortinet Document Library

 

AEK

According to this tech tip you are right, zero should mean no timeout.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-timers-explanation-and-SSL-VPN-Log...

Try some tests to make sure of the reason for the disconnection. Meanwhile you can still try periodic pings through the tunnel to confirm (or invalidate) the involvement of idle-timeout.

AEK
Kazumi-k
New Contributor

When checking from the command line, idle-timeout is displayed as N/A.

(Screenshot 2025-04-02 122739.png)

However, when checking from the WebUI, even when idle-timeout=0 is set, the remaining time continues to decrease from 259200 seconds (3 days).

When I start communicating with ping, the remaining time is reset to 259200 seconds (3 days).

As you can see from (3), idle-timeout=0 gives the same result as idle-timeout=259200.

(Screenshot 2025-04-02 114133.jpg)

AEK

Then probably the doc is wrong.

AEK