adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0
2.69k stars, 320 forks

Keep-alive? #359

Closed dharkness closed 6 years ago

dharkness commented 6 years ago

The Windows client will often stay connected for days at a time, but I get disconnected after about 10 hours (sometimes less) using this client on Linux. Is there a keep-alive or session timeout setting in the client?

mrbaseman commented 6 years ago

No, there isn't. But you can initiate some traffic through the tunnel, e.g. a loop of sleeps and occasional pings, just to keep the session alive. I think there should be some mechanism on the lower levels, too. There is an adjustable timeout on the server side which defaults to 10 hours, but if I remember correctly it is independent of whether there is some traffic or not. When no two-factor authentication is configured, openfortivpn can reestablish the connection in a loop (see the --persistent option). For this, the password has to be supplied in the config file, e.g. in a temporary copy on a RAM disk, and the client certificate, if in use, must be passwordless.
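
The "loop of sleeps and occasional pings" suggested above, written out as a small POSIX shell script. This is an added example and not part of openfortivpn or of this thread; it assumes a Linux host (interface detection via /sys/class/net, iputils or BusyBox ping with -I and -W), that the tunnel shows up as a PPP interface such as ppp0, and that an internal address reachable only through the tunnel (10.0.0.1 is a constructed placeholder) is used as the probe target so the traffic really crosses the tunnel.

```shell
#!/bin/sh
# Keep-alive helper for an openfortivpn PPP tunnel.
# Added example, not from the openfortivpn project. Linux-specific assumptions:
#  - the tunnel is visible as a network interface under /sys/class/net (e.g. ppp0)
#  - ping supports -I <iface> (bind to the tunnel) and -W <secs> (reply timeout)

# tunnel_up IFACE: exit 0 while the tunnel interface exists, non-zero once it is gone.
tunnel_up() {
    [ -d "/sys/class/net/$1" ]
}

# probe IFACE TARGET: send a single ICMP echo through the tunnel.
# Returns ping's own status (0 = reply received); output is discarded.
probe() {
    ping -c 1 -W 5 -I "$1" "$2" >/dev/null 2>&1
}

# keepalive IFACE TARGET [INTERVAL_SECONDS]
# Pings TARGET via IFACE every INTERVAL seconds (default 60, the interval used
# in this thread) for as long as the tunnel interface exists, then returns 0,
# so the script ends cleanly when openfortivpn tears the tunnel down.
keepalive() {
    iface=$1
    target=$2
    interval=${3:-60}
    while tunnel_up "$iface"; do
        if ! probe "$iface" "$target"; then
            # A missed reply is logged but not fatal: the next probe may succeed.
            echo "$(date '+%F %T') no reply from $target via $iface" >&2
        fi
        sleep "$interval"
    done
    echo "$(date '+%F %T') $iface is gone, keep-alive stopping" >&2
    return 0
}

# Usage (constructed placeholder target): ./keepalive.sh ppp0 10.0.0.1 60
if [ "$#" -ge 2 ]; then
    keepalive "$@"
fi
```

Run it in a second terminal after openfortivpn has brought the tunnel up; the loop stops by itself when the PPP interface disappears, so it can simply be restarted together with the VPN client. Binding the probe to the tunnel interface with -I matters in split-tunnel setups, where a ping to an address that is also reachable on the LAN would otherwise bypass the tunnel and keep nothing alive.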

dharkness commented 6 years ago

Thanks, I'll run ping with a 60-second interval in another shell and see how long it stays open. We're using 2FA so persistence isn't an option.

DimitriPapadopoulos commented 6 years ago

Would need more details here:

DimitriPapadopoulos commented 6 years ago

In addition to the client authentication timeout:

Setting the client authentication timeout

The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. As with the idle timeout, a shorter period of time is more secure. The default value is 28800 seconds (8 hours). You can only modify this timeout value in the CLI.

For example, to change the authentication timeout to 18000 seconds, enter the following commands:

config vpn ssl settings
   set auth-timeout 18000
end

You can also set the idle timeout for the client, to define how long the user does not access the remote resources before they are logged out. For information see “SSL connection configuration” on page 18.

there's an idle timeout:

Setting the idle timeout setting

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 300 seconds (5 minutes) or less.

To set the idle timeout - web-based manager

  1. Go to VPN > SSL > Config.
  2. In the Idle Timeout field, enter the timeout value. The valid range is from 10 to 28800 seconds.
  3. Select Apply.

To set the idle timeout - CLI

config vpn ssl settings
   set idle-timeout <seconds_int>
end

dharkness commented 6 years ago

Thanks for the detailed information. I do not have control over the gate itself, and I don't want to make things less secure. I was just getting annoyed having it drop me when my workday dragged on longer than normal.

Running a ping every hour has kept me connected for twenty hours the past several days which is more than long enough! :)

DimitriPapadopoulos commented 6 years ago

The strange thing is that I've never experienced this idle timeout myself with openfortivpn.

I can remain connected for a whole day (I think there's an authentication timeout after 24 hours on the FortiGate device I connect to, and it affects IPSec/Windows too). It has already happened that I leave the computer connected for a few hours without being disconnected. Perhaps my Linux system generates by itself network traffic that keeps my connection alive.

I really don't know why you experience these timeouts and I don't.

dharkness commented 6 years ago

I only need to use the VPN to access QA/production VMs, and I start up the VPN at the start of every workday. It's quite likely our NOC team set a lower idle timeout than you've got in yours. I may also be misremembering how long the Windows client stayed connected. Maybe I'll start both this next weekend, keep them idle, and see how long before they each get shut down.

For now though, twenty hours gets me through even the longest days. :)

mrbaseman commented 6 years ago

When the Fortigate assigns a nameserver or pushes a default route ("tunnel mode"), DNS traffic or other internet traffic of applications in the background (e.g. a mail client) goes through the tunnel, which might keep it up.

DimitriPapadopoulos commented 6 years ago

@mrbaseman I think I have already left my Gnome session totally unattended for hours (no mail client running, no DNS requests on my behalf) but I agree the system might be generating network traffic through the tunnel nevertheless.

mrbaseman commented 4 years ago

This topic came up again in #564 and I have opened #613 as an attempt to solve it.