Technical Tip: Troubleshooting PPTP VPN users experiencing disconnections on the FortiGate
Description
This article describes how to troubleshoot PPTP VPN users experiencing disconnections on the FortiGate.
Scope
All supported versions of FortiOS.
Solution
The following steps can be used to understand why a PPTP VPN user is experiencing disconnections from the FortiGate and to enable the appropriate FortiOS debug depending on the type of PPTP VPN User.
- A PPTP VPN user connects to the FortiGate with local authentication. If the user disconnects and cannot connect, then connect the PC and enable the following FortiGate debug via the CLI.
diagnose debug enable
diagnose debug reset
diagnose debug console timestamp en
diagnose debug application ppp -1
diagnose debug application pptp -1
diagnose debug application authd -1
diagnose debug application fnbamd -1
diagnose debug enable
diagnose vpn pptp status
- Collect a sniffer trace on the port of the PPTP connection.
diagnose sniffer packet <Interface of pptp connection> 'local_ip_addr of pc' 6
- If the PPTP VPN User uses authentication with LDAP, enable the following debug with step 1.
diagnose test authserver ldap (ldapservername in GUI) (username to test) (pwd user)
diagnose test authserver ldap LDAP_Server user password
- If the PPTP VPN User uses RADIUS, collect the following debug output as well.
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
- If debugging for an authenticated user needs to be taken again, use the following commands to clear the session.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
- Compare the debug with the PPTP disconnect message on the PC. A full list of PPTP disconnect messages may be found in this Microsoft support article.
Should the problem persist, open a support ticket via the Fortinet Support Portal at https://support.fortinet.com/. Attach the debug information collected in steps 1-5 to the ticket.