Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
random_guy
New Contributor III

SSL VPN - Auth-Timeout not working?

-FGT 200E

-Firmware v6.0.2 build0163 (GA)

 

Auth-timeout had been set to 2 hours (don't ask...) and was working fine. Change was made to make it 6 hours. Done. Worked fine for 2-3 days. Now its not applying at all. Changed it from 21600 -> 21500 to see if updating it would make a difference. It didn't. Any thoughts? Troubleshooting steps I can take?

 

config vpn ssl settings
    set servercert "MYCERT"
    set auth-timeout 21500
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 xxx.xxx.xxx.xxx
    set dns-server2 xxx.xxx.xxx.xxx
    set source-interface "port3"
    set source-address "VPN_Allow_CDN" "VPN_Allow_USA"
    set default-portal "web-access"

4 REPLIES 4
Toshi_Esumi
Esteemed Contributor III

Try this a couple of times. The first like is showing active SSL VPN user ("tesumi" is my login name). The second like is showing the same user's session information. Focus on the 4th column. The number on the first line is "timeout" which is counting down, and the number on the second like is "duration", which is counting up. If I add them together, 23166 + 5634 = 28800, I get 8h default value of auth-timer every time. Do you see some odd numbers showing up? Or what happens after 6h when the timer is supposed to timed out?

 

xxx-fg2 (corp) # get vpn ssl monitor | grep tesumi  86      tesumi          8(1)            23166   xx.xxx.xx.xx   0/0     0/0  86      tesumi          xx.xxx.xx.xx    5634    3361024/26394207       yy.yy.yy.y xxx-fg2 (corp) # get vpn ssl monitor | grep tesumi  86      tesumi          8(1)            23164   xx.xxx.xx.xx   0/0     0/0  86      tesumi          xx.xxx.xx.xx    5636    3361024/26394249       yy.yy.yy.y

random_guy

 36 username 2(1) 293 x.x.x.x 0/0 0/0

 36 username x.x.x.x 12158 22607048/207823406 10.212.0.38

 

So that doesn't add up right. 293+12158 = 12451. Not the auth-timeout I have set nor is it disconnecting at that time. When 6 hours is reached, nothing happens, they stay connected.

 

Then I tried another user and the times seem to be jumping both ways???

 

FG200E(VPN) # get vpn ssl monitor | grep user2
 18 user2 2(1) 287 x.x.x.x 0/0 0/0
 18 user2 x.x.x.x 14088 24612803/70822185 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
 18 user2 2(1) 287 x.x.x.x 0/0 0/0
 18 user2 x.x.x.x 14088 24612803/70822185 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
 18 user2 2(1) 300 x.x.x.x 0/0 0/0
 18 user2 x.x.x.x 14089 24612847/70822456 10.212.0.20
 FG200E(VPN) # get vpn ssl monitor | grep user2
 18 user2 2(1) 300 x.x.x.x 0/0 0/0
 18 user2 x.x.x.x 14089 24612847/70822456 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
 18 user2 2(1) 295 x.x.x.x 0/0 0/0
 18 user2 x.x.x.x 14094 24612936/70822676 10.212.0.20
FG200E(VPN) # get vpn ssl monitor | grep user2
 18 user2 2(1) 290 x.x.x.x 0/0 0/0
 18 user2 x.x.x.x 14099 24613209/70822718 10.212.0.20

Toshi_Esumi
Esteemed Contributor III

Sounds like a bug to me. I would either look for a bug fix in all release notes from 6.0.3 to 6.0.9, or simply upgrade to one of those, if can't wait TAC to research on it after opening a ticket.

tdragon
New Contributor II

if the setting was working fine previously ,you need to check with DNS and ssl certificate validation.

Labels
Top Kudoed Authors