FortiClient
chaithrar (Staff)
Article Id 194568

Description


This article describes why an SSL VPN connection may not disconnect even after it has been idle for a long time, and how to troubleshoot it.

Solution

 

  1. Check the idle timeout value set in FortiGate. The idle-timeout value will be in seconds.

 

show full vpn ssl setting | grep "idle-timeout"

 

The default idle-timeout value is 300 seconds (5 minutes).


To change the idle-timeout value, use the following commands:

 

config vpn ssl setting
    set idle-timeout xx                 <- Seconds value from <0> to <259200>.
end

 

  2. Check the DNS setting in the SSL VPN. If a local DNS server is configured for SSL VPN, every DNS query sent through the SSL VPN tunnel resets the idle timer.

     

    show full vpn ssl setting | grep "dns server"

     

     

  3. Check the remaining idle-timeout value for the user with the following command:

     

    get vpn ssl monitor | grep <user name>

     

    The output will be as below:

     

    get vpn ssl monitor | grep test
    SSL VPN Login Users:
     Index   User       Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
     0       test         1(1)           247         10.5.59.93     0/0     0/0 <<<<<<

     Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       test    10.5.59.93      121     0/0    10.212.134.200

     

    If the SSL VPN connection is idle, the Timeout value decrements to 0, and the SSL VPN connection from 10.5.59.93 is then disconnected.

  4. If the SSL VPN connection is idle but the Timeout value keeps being reset, run the sniffer to see which traffic is passing through the tunnel.

     

    dia sniffer packet any "host <SSLVPN client ip>" 4

     

    Note:


    If the SSDP and LLMNR services are enabled on the client Windows PC, Windows sends traffic to the multicast addresses 239.255.255.250 (SSDP) and 224.0.0.252 (LLMNR) on UDP ports 1900 and 5355 respectively.


    Windows tends to send this multicast traffic out of every active network adapter, including the SSL VPN virtual adapter. As a result, FortiGate receives SSDP or Link-Local Multicast Name Resolution traffic through the SSL VPN tunnel, and the idle timer is reset each time.


    Traffic towards the Firewall from the Client PC:

     

    Line 185: 2020-04-22 07:52:08.945712 ssl.root in 10.X.X.X.65160 -> 224.0.0.252.5355: udp 21
    Line 191: 2020-04-22 07:52:08.945912 ssl.root in 10.X.X.X.53685 -> 224.0.0.252.5355: udp 21
    Line 197: 2020-04-22 07:52:09.347367 ssl.root in 10.X.X.X.65160 -> 224.0.0.252.5355: udp 21
    Line 203: 2020-04-22 07:52:09.347617 ssl.root in 10.X.X.X.53685 -> 224.0.0.252.5355: udp 21

     

    The workaround for SSDP and LLMNR traffic is to disable these protocols on the client PC so that the idle timeout can trigger.

    Disable SSDP:
  • Select 'Start' and type 'services'.
  • In the 'Services' window, look for the following entry: SSDP Discovery.
  • Set the 'Startup type' to 'Disabled'.
  • Reboot the client PC.

    Disable LLMNR: 
  • Go to run and type gpedit.msc.
  • Navigate to Local computer policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client.
  • Select 'Turn Off Multicast Name Resolution' and set it to 'Enabled'.


After disabling these services on the client PC, verify that the SSL VPN connection now disconnects once the idle timeout expires.
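The two checks above (watching the Timeout column in `get vpn ssl monitor` and reading the sniffer output) are easy to do by hand for one user, but tedious for many. The following script is an added example, not part of the original article or Fortinet's own tooling: it parses two snapshots of the monitor output taken a known number of seconds apart to decide whether each user's timer is counting down or being reset, and it classifies sniffer lines by destination so that clients whose only tunnel traffic is SSDP/LLMNR chatter stand out. The sample monitor and sniffer text is constructed from the article's output format with made-up addresses; the column layout and the `ssl.root in/out` line format are assumed to match the article.

```python
import re
from collections import Counter

# Multicast destinations named in the article: SSDP and LLMNR (address, UDP port).
MULTICAST_CHATTER = {
    ("239.255.255.250", 1900): "SSDP",
    ("224.0.0.252", 5355): "LLMNR",
}

# Row of the "SSL VPN Login Users" table: Index, User, Auth Type (e.g. 1(1)), Timeout, From.
# The Auth Type pattern keeps the second table (Source IP / Duration) from matching.
MONITOR_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<user>\S+)\s+(?P<auth>\d+\(\d+\))\s+"
    r"(?P<timeout>\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)"
)

# One `diagnose sniffer packet any "..." 4` line: interface, direction, src.port -> dst.port: proto len
SNIFFER_LINE = re.compile(
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)

# Constructed sample: two monitor snapshots 60 seconds apart.
SAMPLE_MONITOR_T0 = """SSL VPN Login Users:
 Index   User       Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       test         1(1)           247         10.5.59.93     0/0     0/0
 1       alice        1(1)           300         10.5.59.94     0/0     0/0

 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       test    10.5.59.93      121     0/0    10.212.134.200
"""
SAMPLE_MONITOR_T1 = """SSL VPN Login Users:
 Index   User       Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       test         1(1)           187         10.5.59.93     0/0     0/0
 1       alice        1(1)           298         10.5.59.94     0/0     0/0
"""

# Constructed sample sniffer output (verbosity 4 format), addresses are made up.
SAMPLE_SNIFFER = """2020-04-22 07:52:08.945712 ssl.root in 10.212.134.200.65160 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:08.945912 ssl.root in 10.212.134.200.53685 -> 224.0.0.252.5355: udp 21
2020-04-22 07:52:09.120000 ssl.root in 10.212.134.200.52100 -> 239.255.255.250.1900: udp 133
2020-04-22 07:52:09.347367 ssl.root out 192.168.1.10.443 -> 10.212.134.200.52200: psh 1460
2020-04-22 07:52:10.000000 ssl.root in 10.212.134.201.51000 -> 192.168.1.10.443: syn 517
"""


def parse_monitor_timeouts(text):
    """Return {(user, source_ip): remaining_timeout_seconds} from the login-users table."""
    result = {}
    for line in text.splitlines():
        m = MONITOR_ROW.match(line)
        if m:
            result[(m["user"], m["src"])] = int(m["timeout"])
    return result


def timer_verdict(before, after, elapsed_seconds, tolerance=5):
    """Compare two snapshots taken elapsed_seconds apart.

    An idle client's Timeout falls by roughly elapsed_seconds; a client whose
    traffic keeps resetting the timer stays near the configured idle-timeout.
    """
    verdicts = {}
    for key, t0 in before.items():
        t1 = after.get(key)
        if t1 is None:
            verdicts[key] = "disconnected"
        elif t1 <= t0 - elapsed_seconds + tolerance:
            verdicts[key] = "idle (counting down)"
        else:
            verdicts[key] = "timer reset (traffic seen)"
    return verdicts


def classify_sniffer(text):
    """Per client IP, count inbound tunnel packets as SSDP, LLMNR or other."""
    per_client = {}
    for line in text.splitlines():
        m = SNIFFER_LINE.search(line)
        if not m or m["dir"] != "in":  # only traffic entering FortiGate from the client
            continue
        kind = MULTICAST_CHATTER.get((m["dst"], int(m["dport"])), "other")
        per_client.setdefault(m["src"], Counter())[kind] += 1
    return per_client


def chatter_only_clients(per_client):
    """Clients whose inbound traffic is only SSDP/LLMNR: candidates for the client-side workaround."""
    return sorted(ip for ip, c in per_client.items() if c and set(c) <= {"SSDP", "LLMNR"})


if __name__ == "__main__":
    t0 = parse_monitor_timeouts(SAMPLE_MONITOR_T0)
    t1 = parse_monitor_timeouts(SAMPLE_MONITOR_T1)
    for key, verdict in timer_verdict(t0, t1, elapsed_seconds=60).items():
        print(f"{key[0]:<8} {key[1]:<14} {verdict}")
    counts = classify_sniffer(SAMPLE_SNIFFER)
    for ip, c in counts.items():
        print(ip, dict(c))
    print("chatter-only clients:", chatter_only_clients(counts))
```

In practice, paste the real `get vpn ssl monitor` output into the two snapshot strings (noting the seconds between them) and the sniffer capture into the third; the sniffer filter from step 4 already limits the capture to one client, so the per-client breakdown mainly tells you whether anything other than multicast chatter is keeping that tunnel alive.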