If you are using a FortiOS 6.0.1 or later: To allow multiple interfaces to connect, use the following CLI commands. This can cause the session to become “dirty”. This might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. To troubleshoot tunnel mode connections shutting down after a few seconds: Set login-timeout 180 (default is 30) set dtls-hello-timeout 60 (default is 10) InįortiOS 5.6.0 and later, use the following commands to allow a user to increase timers related to SSL VPN login. Latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate.
If your FortiOS version is compatible, upgrade to use one of these versions.
A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues.To troubleshoot SSL VPN hanging or disconnecting at 98%: When you get a connection error, select Export logs.Set the Log Level to Debug and select Clearlogs.In the Logging section, enable Export logs.Export and check FortiClient debug logs.The default ip-pools SSLVPN_TUNNEL_ADDR1 has 10 IP addresses. Check that SSL VPN ip-pools has free IPs to sign out.FortiClient uses IE security setting, In IE Internet Option > Advanced > Security, check that Use TLS 1.1 and Use TLS 1.2 are enabled.Check the Release Notes to ensure that the FortiClient version is compatible with your version of FortiOS.To troubleshoot FortiGate connection issues: Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3.Ensure FortiGate is reachable from the computer. Check that you are using the correct port number in the URL.Check the URL you are attempting to connect to.Check that the policy for SSL VPN traffic is configured correctly.Go to Policy > IPv4 Policy or Policy > IPv6 policy.Check the Restrict Access settings to ensure the host you are connecting from is allowed.the CLI output to the ticket as a text file.To troubleshoot getting no response from the SSL VPN URL:
The workaround solution is to disable these protocols on the client PC in order to trigger an idle timeout.ĥ) If the issue is not resolved at this point, open a support ticket at and attach: Select the 'startup type' as 'Disabled'. In the 'Services' window, look for the following entry: SSDP Discovery. The workaround solution for SSDP traffic is to disable these protocols on the client PC in order to trigger an idle timeout. Traffic towards the Firewall from Client PC: Windows have the tendency to push multicast traffic on all active NIC cards/adaptors and hence FortiGate will receive SSDP traffic or Link-local Multicast Name Resolution traffic via SSLVPN tunnel and idle-timeout will get reset. If SSDP and LLMNR service is enabled in the client Windows PC, then windows will notice the traffic to multicast address 239.255.255.250 or 224.0.0.252 on UDP port number 19 respectively. Index User Auth Type Timeout From HTTP in/out HTTPS in/out
# show full vpn ssl setting | grep “dns server”ģ) Check the idle-timeout value of the user using below command: To change the idle-timeout value use the below settingĢ) Check the DNS setting in the SSLVPN, if using local DNS in SSLVPN then whenever DNS traffic communicated via SSLVPN tunnel, ilde timeout value will get reset. # show full vpn ssl setting | grep "idle-timeout"ĭefault idle-timeout value is 300 seconds (5 minutes). This article describe how SSLVPN connection is not getting disconnected even after connection is idle for long time.ġ) Check the idle timeout value set in FortiGate.