Just about the only thing I've got is from a log that was generated when I set the log level to debug. I haven't yet seen it happen without any corresponding packet loss or for the extended period of time (1-2 minutes before recovery). It happens frequently to a handful of users and almost never for everyone else, so I'm thinking the problem is less FortiClient and more Windows related. I went into the CLI and entered the following commands: config vpn ssl settings set auth-timeout 259200 It appears that this should set the timeout in seconds giving them 36 hrs. Change VPN SSL interface Hi guys. I should also mention that during this period of being disconnected FortiClient seems to be completely unaware that there's a problem, which to me indicates more of a strange Windows issue than an issue with the client itself. Jim8384​ I have currently installed the VPN-only version of 6.2.3 to test the same scenarios to see if the behavior is any different. Open the CLI Console at the top right of the screen. This article details an example SSL VPN configuration that will allow a user to access internal network infrastructure while still retaining access to the open internet. There doesn't seem to be any indicators in the FortiClient logs as to what's happening and nothing gets populated in the Windows event logs either. Minimum value: 0 Maximum value: 4294967295. Firmware bugs aside, maybe it's worth looking closer at the Windows installation. Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Enable to allow client renegotiation by the server if the tunnel goes down. I'm looking for some help with getting our Fortinet SSL VPN using FortiClient into a stable and workable state. It's also subject to any software installed on the computer that may interfere such as other security software. # config vpn ssl settings set dns-suffix example.com example.org end The FortiGate unit has to configured with the internal DNS servers which have host names for address 'domain.com' and then verified by pinging the host name from FortiGate unit CLI; # config system dns set primary }----- Internal DNS To configure Routing Protocol, go to Network → BGP As per the AWS Managed VPN Configuration file, enter the values of the AS number and the Router ID. Enable/disable verification of referer field in HTTP request header. SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). Tags: forticlientFortiGateIPSec VPNremote access vpn. The latency will be anywhere between 50-70ms on average, obviously it can vary greatly since it's a cellular hotspot connection but typically it's 50-70. Before it was in many different places. Configure SSL VPN settings: Go to VPN > SSL-VPN Settings. To configure the SSL VPN tunnel, go to VPN > SSL-VPN Settings. As FortiClient is SSL based, it goes through the normal channels of establishing an SSL connection. For SSL VPN. Enable/disable insertion of empty fragment. In Restrict Access: Select Allow access from any host. Particularly anything that offers firewall services and would turn off (or complement) the one built into Windows? Designed by Elegant Themes | Powered by WordPress, 510 Airport Road, Unit A SSL VPN disconnects if idle for specified time in seconds. Inexplicably traffic just won't go for up to a couple minutes and then suddenly it recovers and it's fine. Unlike SSL VPN, IPSec Remote Access VPN can be set up without any additional cost of SSL purchase. How to convert voices recorded on iphone into Cisco UCCX supported format? http://video.fortinet.com/video/50/remote-access-with-ssl-vpn-web-tunnel-mode. Unfortunately the debug log will generate 100,000 lines of logs (its apparent limit because it's always that long at the longest) within seconds so if the issue happens for longer than 20 seconds you won't see the whole thing. Configure SSL VPN web portal to enable AV host-check. Fill in the firewall policy name. Save my name, email, and website in this browser for the next time I comment. Firewall, Security Choose a certificate for Server Certificate. What will happen is traffic to internal resources stops getting routed down the VPN tunnel, sometimes even when my internet connection is otherwise strong and stable and I can still reach the VPN gateway. In order to post comments, please make sure JavaScript and Cookies are enabled, and reload the page. Optionally, set Restrict Access to Limit access to specific hosts, and specify the addresses of the hosts that are allowed to connect to this VPN. For SSL VPN. switch-controller network-monitor-settings, switch-controller security-policy captive-portal, switch-controller security-policy local-access, system replacemsg device-detection-portal, wireless-controller hotspot20 anqp-3gpp-cellular, wireless-controller hotspot20 anqp-ip-address-type, wireless-controller hotspot20 anqp-nai-realm, wireless-controller hotspot20 anqp-network-auth-type, wireless-controller hotspot20 anqp-roaming-consortium, wireless-controller hotspot20 anqp-venue-name, wireless-controller hotspot20 h2qp-conn-capability, wireless-controller hotspot20 h2qp-operator-name, wireless-controller hotspot20 h2qp-osu-provider, wireless-controller hotspot20 h2qp-wan-metric. I configured the VPN SSL access some time ago on WAN1, it worked fine. Notice that it is much different than 5.0. Having used Fortigate and Forticlient for over a decade now, I can't say I've ever seen an issue like this in my own environment. VPN -> SSL VPN Setting. SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). Configuring the SSL VPN tunnel. I can't fully disable our AV but I've disabled Windows firewall and I'm still seeing the issue on occasion. We unfortunately do not (currently) have a support contract that includes in-depth technical support on the FortiClient side and I've been through the channels on the FortiGate side on everything that's available for them to tell me. Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Then we will start to configure settings for our VPN. SSL VPN source interface of incoming traffic. In this example a server .abcd.local which resolves to will be used. Enable/disable tunnel connection without re-authorization if previous connection dropped. The strangest part of this is that I don't have any logs in either the application's own logs or Windows logs. To configure SSL VPN using the CLI: In the first wizard, choose Remote Access option and FortiClient connectivity. Are you smarter than most IT pros? I would try upgrading to latest version of FortiClient, 6.2.  There's this in the logs: Which is stating that there's a timeout, that much is obvious but there's no logs anywhere else that correspond to that time to indicate why the timeout occurred, except this line which will show up when the log is set to Information: This seems to line up with the socket timeout and searching for default GW messages, but again I'm not sure how or why, Dateksli​ We're only using it for the SSL VPN function at this time. SSL VPN authentication method restriction. Yes, IPsec is only one. Note that the above instructions configure the SSL VPN in split-tunnel mode, which will allow the user to browse the internet normally while maintaining VPN access to corporate infrastructure. SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). Aneurinski Jim8384​ We've got that timeout value in place, it helps a lot to recover from whatever causes this issue but it doesn't seem to do anything to prevent it. © Copyright 2020 - Design by, Green Cloud Technologies Launches Secure Backup as a Service with Ransomware Protection, Green Cloud Technologies Expands Product Offering, Launches Object Storage powered by Cloudian®, Green Cloud Technologies Celebrates The Fifth Time Being Named To Inc. 5000 List Of Fastest-Growing Private Companies.