Someone reached out recently and told me that a Fortinet Fortigate SSL VPN was acting up and DHCP was not working correctly. This person was receiving the Windows error message on their PC while working remote that there was a duplicate address problem.
The problem I believe wound up being something on that person’s home internal network, but I did attempt to look into the issue right away and could not find a lot of information on DHCP leases for the Fortigate SSL VPN IP range. As any Fortigate admin knows, one can log into the GUI and go to Monitor–>DHCP Monitor, or Monitor–>SSL-VPN Monitor. From there you can view all DHCP leases (if you’re using the firewall as a DHCP server) or view all active SSL VPN connections.
I never thought about it before but I assumed I could see DHCP leases for the SSL VPN IP range in the DHCP monitor window, but there was nothing when I tried. Under the SSL VPN monitor however I could see numerous connections with valid IPs for the VPN range.
I looked into this a bit to find DHCP lease information for the VPN and apparently the DHCP daemon does not actually hand out IPs to VPN clients. The VPN clients get IP address information from the sslvpn daemon itself. DHCP options such as lease time do not exist because of this. The SSL VPN DHCP lease time is essentially the time of the VPN connection. Once the VPN connection is removed, that IP goes straight back into the IP pool for the next incoming SSL connection.
Seems somewhat obvious after typing this out, but still glad I did.
2 thoughts on “FortiClient SSL VPN – DHCP”
This leaves me wondering how to set DHCP options for SSL VPN clients. Not even under the ssl.root interface configuration in the CLI can I find details about the ip pool. I’d like to set option 001 among others.
Sorry for the delayed response. My understanding though is that DHCP options are not an option for Fortinet SSL VPN clients.