Customer has problem with SSL VPN client disconnect, the problem is when dial VPN server (USG6300 in our case) the connection is successful but after 30 seconds only
the USG6300 disconnect the client and sends him this message (Sorry, You are forced to log out. Please contact the network administrator).
No alarm reported for this case.
First of all, we checked the SSL VPN configuration and it seems everything is good, customer configured network extension and configured available IP addresses for end users and the accessible network, then we checked the user account and it seems the user is authorized to for network extension and this is good also.
The customer used domain authentication with LDAP server for this SSL VPN, so we also checked the user account through LDAP detection function and we noticed the authentication is succeeded and user name and password are good.
Also we noticed the firewall works on Dual Failover (Active and Standby mode) and we noticed when we stop failover function and work on single firewall (the master one) only the SSL VPN works good without any interruption while if we back to failover mode the SSL VPN stops only after 30 seconds.
The firewall works on active and standby mode, and we noticed that the user accounts in the standby firewall are not synchronized with LDAP and not same as the master firewall, so when client login successfully and within 30 seconds the master firewall try to synchronize the session with standby firewall the standby firewall doesn’t recognize the user account and thinks this a kind of hacking and for security reasons the standby firewall sends request to discount this client as its account is not known so the firewall force the client to end this session and discount.
The Solution for this case is by synchronize the users account in standby firewall with the LDAP server and make sure both firewall (Master and Standby) has same and matched accounts.
Firewalls do many objects synchronization but also try to make sure the synchronization is good and matched.