FortiGate
acvaldez
Staff
Article Id 197976

Description


This article describes how to enable the preserve-session-route on SSL VPN from the CLI.

Solution


In this configuration, wan1 is the interface used in the SSL VPN settings.

 

config system interface
    edit wan1
        set preserve-session-route enable
    next
end

 

CLI options:

 

<interface_name>          <----- The name of the interface on which to configure how dynamic routing changes affect the active sessions running through it.

enable                    <----- All sessions passing through the interface when a routing change occurs are allowed to finish and are not affected by the routing change.

disable (default)         <----- When a routing change occurs, the new routing table is applied to the active sessions passing through the interface. The routing change causes the destinations of the sessions to change.

 

The benefit of enabling preserve-session-route in such cases:

Whether a route lookup is done for existing sessions after a routing change depends on whether SNAT is enabled or disabled for them.
Usually, sessions that are not SNAT-ed are marked dirty after a route change and a new route lookup is done according to the new routing table.

Preserve Session Route keeps the session on the same interfaces after routing changes, even if the session is not SNAT-ed.
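As an added check (this script is not from the article or from Fortinet), the following Python parses a FortiOS 'show' dump of config system interface and config vpn ssl settings and lists every SSL VPN source interface that does not have preserve-session-route enabled; the dump below is a constructed sample, not output from a real device.

```python
import shlex

# Constructed sample of FortiOS "show" output; "show" omits values that are at
# their default, so wan2 below has no preserve-session-route line (= disable).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set preserve-session-route enable
    next
    edit "wan2"
        set ip 198.51.100.2 255.255.255.0
    next
end
config vpn ssl settings
    set source-interface "wan1" "wan2"
end
"""


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}; section-level 'set' lines use entry ''."""
    sections, stack, entry = {}, [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('config '):
            stack.append(line[7:].strip())
            if len(stack) == 1:                 # new top-level section
                sections.setdefault(stack[0], {})
                entry = ''
        elif line == 'end':
            stack.pop()
        elif len(stack) != 1:
            continue                            # nested sub-blocks (e.g. ipv6) are skipped
        elif line.startswith('edit '):
            entry = shlex.split(line[5:])[0]    # strips the quotes around the name
            sections[stack[0]].setdefault(entry, {})
        elif line == 'next':
            entry = ''
        elif line.startswith('set '):
            key, _, value = line[4:].partition(' ')
            sections[stack[0]].setdefault(entry, {})[key] = shlex.split(value)
    return sections


def sslvpn_interfaces_missing_preserve_route(text):
    """SSL VPN source interfaces whose preserve-session-route is not 'enable' (absent = default 'disable')."""
    cfg = parse_fortios(text)
    sources = cfg.get('vpn ssl settings', {}).get('', {}).get('source-interface', [])
    ifaces = cfg.get('system interface', {})
    return [i for i in sources
            if ifaces.get(i, {}).get('preserve-session-route') != ['enable']]
```

Replace SAMPLE_CONFIG with the output of 'show system interface' and 'show vpn ssl settings' captured from the unit to audit it.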

 

Troubleshoot:

If enabling preserve-session-route does not resolve the issue and the SSL VPN keeps disconnecting, access the FortiGate via PuTTY (SSH, port 22), make sure PuTTY is set to log the whole session, and run the following commands:

 

diag debug reset
diag debug disable
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug en

 

While this debugging is running, reproduce the issue.
Once the issue has been reproduced, run 'diagnose debug disable' (di de di) to stop the debugging, then forward the logs to Fortinet TAC by creating a support ticket on support.fortinet.com.