In some circumstances, users of L2TP with the native Windows VPN client may be disconnected at random. There is an issue in the Windows VPN client where the tunnel expires prematurely and is torn down, because the client does not honour the negotiated SA lifetime (expiry).
It is possible to work around this issue by setting 'net-device' to disable in the IPsec Phase 1 settings:

config vpn ipsec phase1-interface
    edit <tunnel>
        ...
        set net-device disable
        ...
end

Note: With net-device disabled, only one device per public IP can connect, e.g. multiple users behind the same ISP NAT address can no longer connect at the same time. A fix for this issue was introduced in v7.2.11, v7.4.8 and v7.6.3; if several clients behind one public IP are a requirement, upgrade to a fixed release instead of applying the workaround.
The following debug can be used to see if the tunnel is being torn down from the client side or not:
diagnose debug reset
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug enable

Run 'diagnose debug disable' once the disconnect has been captured. In this case, an 'ISAKMP SA delete' is received by the FortiGate from the client, i.e. the client side is tearing the tunnel down:
ike 0: comes 10.10.10.2:500->10.10.10.1:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Informational id=f3550fabd9467d80/4ace47731d71248e:648b40fb len=92 vrf=0
ike 0: in F3550FABD9467D804ACE47731D71248E08100501648B40FB0000005C0A86C594656CC436 0B74AE19517EE07F529AA68003FC9B6436018887 8792AB7489FA7AC49C970490FBA6A3D09C5048A9A0ADEFB5A3AB543D5C980693C850FE1C
ike 0:Dialup_VPN_0:1: dec F3550FABD9467D804ACE47731D71248E08100501648B40FB0000005C0C00001825C0ED7D5D089BBD9372F72EE09AF 36C75008E640000001C0 000000101100001F3550FABD9467D804ACE47731D71248E000000000000000000000000
ike 0:Dialup_VPN_0:1: recv ISAKMP SA delete f3550fabd9467d80/4ace47731d71248e
ike 0:Dialup_VPN_0: deleting
ike 0:Dialup_VPN_0: flushing
ike 0:Dialup_VPN_0: deleting IPsec SA with SPI af2c77a6
ike 0:Dialup_VPN_0:Dialup_VPN: deleted IPsec SA with SPI af2c77a6, SA count: 0
ike 0:Dialup_VPN_0:8: del route 10.10.10.2/255.255.255.255 tunnel 10.10.10.2 oif Dialup_VPN_0(23) metric 15 priority 1
ike 0:Dialup_VPN_0: sending SNMP tunnel DOWN trap for Dialup_VPN
ike 0:Dialup_VPN_0:Dialup_VPN: delete
ike 0:Dialup_VPN_0:1: send IPsec SA delete, spi e73725f7
ike 0:Dialup_VPN_0:1: enc F3550FABD9467D804ACE47731D71248E08100501B073C644000000440C0000182D6E F63A68CF462E693F92E0483B7CAB8C60D24 6000000100000000103040001E73725F7
ike 0:Dialup_VPN_0:1: out F3550FABD9467D804ACE47731D71248E08100501B073C6440000004CF4A8258A1165DC3 1C21BAD24EB1732709C7630 E64FF5E431190BD29FFE7 E683C98D403FCCE9247EC2E696712A1207790
ike 0:Dialup_VPN_0:1: sent IKE msg (IPsec SA_DELETE-NOTIFY): 10.10.10.1:500->10.10.10.2:500, len=76, vrf=0, id=f3550fabd9467d80/4ace47731d71248e:b073c644
ike 0:Dialup_VPN_0: flushed
ike 0:Dialup_VPN_0: delete dynamic
ike 0:Dialup_VPN_0: deleted
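The check above is easy to do by eye for one tunnel but tedious for a busy dial-up gateway with many clients dropping over a day. As an added example (not part of the original article and not a Fortinet tool), the following Python script applies the same rule to a saved ike debug capture: for each tunnel it attributes the teardown to whichever side sent the first SA delete, so a "recv ISAKMP SA delete" that precedes any delete sent by the FortiGate means the client tore the tunnel down. The embedded sample log is constructed: it contains the non-hex lines of the capture above plus a second tunnel (Dialup_VPN_1, peer 192.0.2.10) where the gateway deletes first; the "send ISAKMP SA delete" line shape used for that second tunnel is an assumption, as it does not appear in the page's capture.

```python
import re
from collections import OrderedDict

# Line shapes follow the 'diagnose debug application ike -1' output quoted on this page.
# The 'send ISAKMP SA delete' shape (gateway-initiated teardown) is an assumption and
# only appears in the constructed sample below.
RE_COMES = re.compile(r"^ike \d+: comes (?P<peer>[\d.]+):\d+->(?P<gw>[\d.]+):\d+")
RE_RECV_DELETE = re.compile(r"^ike \d+:(?P<tunnel>[^:\s]+):\d+: recv ISAKMP SA delete")
RE_SEND_DELETE = re.compile(r"^ike \d+:(?P<tunnel>[^:\s]+):\d+: send (?:ISAKMP|IPsec) SA delete")
RE_DOWN_TRAP = re.compile(r"^ike \d+:(?P<tunnel>[^:\s]+): sending SNMP tunnel DOWN trap")

# Constructed sample: page capture (hex dumps omitted) plus an assumed gateway-initiated case.
SAMPLE_LOG = """\
ike 0: comes 10.10.10.2:500->10.10.10.1:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Informational id=f3550fabd9467d80/4ace47731d71248e:648b40fb len=92 vrf=0
ike 0:Dialup_VPN_0:1: recv ISAKMP SA delete f3550fabd9467d80/4ace47731d71248e
ike 0:Dialup_VPN_0: deleting
ike 0:Dialup_VPN_0: flushing
ike 0:Dialup_VPN_0: deleting IPsec SA with SPI af2c77a6
ike 0:Dialup_VPN_0: sending SNMP tunnel DOWN trap for Dialup_VPN
ike 0:Dialup_VPN_0:1: send IPsec SA delete, spi e73725f7
ike 0:Dialup_VPN_0: deleted
ike 0: comes 192.0.2.10:500->10.10.10.1:500,ifindex=5,vrf=0....
ike 0:Dialup_VPN_1:2: send ISAKMP SA delete 0123456789abcdef/fedcba9876543210
ike 0:Dialup_VPN_1: sending SNMP tunnel DOWN trap for Dialup_VPN
ike 0:Dialup_VPN_1: deleted
""".splitlines()


def classify_teardowns(lines):
    """Attribute each tunnel teardown to the side that sent the first SA delete.

    Returns an ordered dict {tunnel: {"initiator", "peer", "down"}}: initiator is
    "peer" (delete received from the client), "gateway" (the FortiGate sent the
    first delete) or "unknown" (DOWN trap seen with neither). 'peer' is best
    effort: the source address of the most recent inbound IKE packet.
    """
    result = OrderedDict()
    last_peer = None

    def entry(tunnel):
        return result.setdefault(tunnel, {"initiator": None, "peer": None, "down": False})

    for raw in lines:
        line = raw.strip()
        m = RE_COMES.match(line)
        if m:
            last_peer = m.group("peer")
            continue
        m = RE_RECV_DELETE.match(line)
        if m:
            e = entry(m.group("tunnel"))
            if e["initiator"] is None:
                e["initiator"], e["peer"] = "peer", last_peer
            continue
        m = RE_SEND_DELETE.match(line)
        if m:
            e = entry(m.group("tunnel"))
            if e["initiator"] is None:
                # FortiGate deleted first: local expiry, DPD or admin action, not the client.
                e["initiator"], e["peer"] = "gateway", last_peer
            continue
        m = RE_DOWN_TRAP.match(line)
        if m:
            e = entry(m.group("tunnel"))
            e["down"] = True
            if e["initiator"] is None:
                e["initiator"] = "unknown"
    return result


def report(lines):
    """One human-readable line per tunnel that was torn down."""
    return [
        f"{t}: down={v['down']} initiator={v['initiator']} peer={v['peer'] or '?'}"
        for t, v in classify_teardowns(lines).items()
    ]


if __name__ == "__main__":
    import sys
    # Pass a saved debug capture as the first argument; otherwise use the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(lines):
        print(line)
```

Run it against a capture saved from the CLI session; a run of tunnels reported as initiator=peer with Windows clients is the pattern the workaround above addresses, whereas initiator=gateway points at the FortiGate's own lifetime, DPD or configuration and would not be fixed by net-device disable.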