SSL VPN - Auth-Timeout not working?

Author
random_guy
2020/03/26 05:56:27

-FGT 200E
-Firmware v6.0.2 build0163 (GA)
 
Auth-timeout had been set to 2 hours (don't ask...) and was working fine. Change was made to make it 6 hours. Done. Worked fine for 2-3 days. Now it's not applying at all. Changed it from 21600 -> 21500 to see if updating it would make a difference. It didn't. Any thoughts? Troubleshooting steps I can take?
 
config vpn ssl settings
    set servercert "MYCERT"
    set auth-timeout 21500
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 xxx.xxx.xxx.xxx
    set dns-server2 xxx.xxx.xxx.xxx
    set source-interface "port3"
    set source-address "VPN_Allow_CDN" "VPN_Allow_USA"
    set default-portal "web-access"

#1


    Toshi Esumi
    Re: SSL VPN - Auth-Timeout not working? 2020/03/26 10:08:13
    Try this a couple of times. The first line is showing the active SSL VPN user ("tesumi" is my login name). The second line is showing the same user's session information. Focus on the 4th column. The number on the first line is "timeout", which is counting down, and the number on the second line is "duration", which is counting up. If I add them together, 23166 + 5634 = 28800, I get the 8h default value of auth-timer every time. Do you see some odd numbers showing up? Or what happens after 6h when the timer is supposed to time out?
     
    xxx-fg2 (corp) # get vpn ssl monitor | grep tesumi
     86      tesumi          8(1)            23166   xx.xxx.xx.xx   0/0     0/0
     86      tesumi          xx.xxx.xx.xx    5634    3361024/26394207       yy.yy.yy.y

    xxx-fg2 (corp) # get vpn ssl monitor | grep tesumi
     86      tesumi          8(1)            23164   xx.xxx.xx.xx   0/0     0/0
     86      tesumi          xx.xxx.xx.xx    5636    3361024/26394249       yy.yy.yy.y


    #2
    random_guy
    Re: SSL VPN - Auth-Timeout not working? 2020/03/27 09:01:44
     36 username 2(1) 293 x.x.x.x 0/0 0/0
     36 username x.x.x.x 12158 22607048/207823406 10.212.0.38

     
    So that doesn't add up right. 293+12158 = 12451. Not the auth-timeout I have set nor is it disconnecting at that time. When 6 hours is reached, nothing happens, they stay connected.
     
    Then I tried another user and the times seem to be jumping both ways???
     
    FG200E(VPN) # get vpn ssl monitor | grep user2
     18 user2 2(1) 287 x.x.x.x 0/0 0/0
     18 user2 x.x.x.x 14088 24612803/70822185 10.212.0.20
    FG200E(VPN) # get vpn ssl monitor | grep user2
     18 user2 2(1) 287 x.x.x.x 0/0 0/0
     18 user2 x.x.x.x 14088 24612803/70822185 10.212.0.20
    FG200E(VPN) # get vpn ssl monitor | grep user2
     18 user2 2(1) 300 x.x.x.x 0/0 0/0
     18 user2 x.x.x.x 14089 24612847/70822456 10.212.0.20
     FG200E(VPN) # get vpn ssl monitor | grep user2
     18 user2 2(1) 300 x.x.x.x 0/0 0/0
     18 user2 x.x.x.x 14089 24612847/70822456 10.212.0.20
    FG200E(VPN) # get vpn ssl monitor | grep user2
     18 user2 2(1) 295 x.x.x.x 0/0 0/0
     18 user2 x.x.x.x 14094 24612936/70822676 10.212.0.20
    FG200E(VPN) # get vpn ssl monitor | grep user2
     18 user2 2(1) 290 x.x.x.x 0/0 0/0
     18 user2 x.x.x.x 14099 24613209/70822718 10.212.0.20

    #3
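The timeout + duration check discussed in the posts above, written out as an added example (not part of any poster's message and not Fortinet tooling): it pairs the two rows per user from saved `get vpn ssl monitor` output and compares their sum with the configured auth-timeout. The function names and the 2-second slack are assumptions; the sample rows are copied from the thread.

```python
import re
from collections import defaultdict

# Rows copied from the thread's `get vpn ssl monitor | grep <user>` output.
NORMAL = """\
 86      tesumi          8(1)            23166   xx.xxx.xx.xx   0/0     0/0
 86      tesumi          xx.xxx.xx.xx    5634    3361024/26394207       yy.yy.yy.y
"""
ANOMALOUS = """\
 36 username 2(1) 293 x.x.x.x 0/0 0/0
 36 username x.x.x.x 12158 22607048/207823406 10.212.0.38
"""

# The login row carries a third column shaped like "8(1)"; the session row
# carries the source address there instead.
LOGIN_COL_RE = re.compile(r"^\d+\(\d+\)$")

def parse_monitor(text):
    """Return {(index, user): {"timeout": s, "duration": s}}; last sample wins."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        cols = line.split()
        # Skip CLI prompt lines, headers and blanks: data rows start with a
        # numeric index and have a numeric 4th column.
        if len(cols) < 4 or not cols[0].isdigit() or not cols[3].isdigit():
            continue
        field = "timeout" if LOGIN_COL_RE.match(cols[2]) else "duration"
        sessions[(int(cols[0]), cols[1])][field] = int(cols[3])
    return dict(sessions)

def check_auth_timeout(text, configured, slack=2):
    """Flag users whose timeout + duration differs from `configured` seconds."""
    findings = []
    for (_, user), s in sorted(parse_monitor(text).items()):
        if "timeout" not in s or "duration" not in s:
            continue  # only one of the two rows was captured
        total = s["timeout"] + s["duration"]
        ok = abs(total - configured) <= slack and s["duration"] <= configured
        findings.append({"user": user, "total": total, "ok": ok})
    return findings

if __name__ == "__main__":
    print(check_auth_timeout(NORMAL, 28800))     # 8h default from the thread
    print(check_auth_timeout(ANOMALOUS, 21500))  # value set in the first post
```
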
    Toshi Esumi
    Re: SSL VPN - Auth-Timeout not working? 2020/03/27 09:30:32
    Sounds like a bug to me. I would either look for a bug fix in all release notes from 6.0.3 to 6.0.9, or simply upgrade to one of those, if you can't wait for TAC to research it after opening a ticket.
    #4
    tdragon
    Re: SSL VPN - Auth-Timeout not working? 2020/03/28 00:54:51
    If the setting was working fine previously, you need to check with DNS and SSL certificate validation.
    #5