Skip to main content
vpolovnikov
Staff & Editor
vpolovnikov
Staff & Editor
April 29, 2026

Troubleshooting Tip: FortiClient VPN connection issues triage

  • April 29, 2026
  • 0 replies
  • 121 views

Description

This article describes a step-by-step process of collecting essential diagnostic data for effective troubleshooting of FortiClient VPN connection issues in the FortiSASE environment.

Scope

 FortiClient VPN. FortiSASE.

Solution

When engaging with technical support, it is critical to provide all the necessary logs to increase the speed and effectiveness of the troubleshooting process. This article attempts to provide step-by-step instructions on what logs to collect and how to collect them when dealing with VPN connection issues prior to engaging Fortinet Support. It also provides a template to be filled out when opening up a support case.


Follow the steps below to collect the diagnostic data, copy the questionnaire to the ticket and fill it out prior to submitting the request.


Step 1. Test on the latest version of FortiClient compatible with FortiSASE (if possible).

Verify the latest compatible version of FortiClient in the release notes document (Product integration and support).


a099be46.png


And attempt to replicate the issue if possible, before following the steps below.


4c7b29bf.png


If the installed version is behind, upgrade manually by running the installation downloaded from Fortinet Support or via the FortiSASE upgrade feature (Endpoint upgrade).


7d4d31ea.png


Step 2. Collect the endpoint's public IP.

Use any public IP-address verification service available online (i.e., What Is My IP Address).


Step 3 - Verify path to FortiSASE VPN gateway address.

Note the VPN gateway address from FortiClient under Remote Access -> SASE Secure Internet Access -> View -> Remote Gateway (i.e., turbo-XXXXXXX.edge.prod.fortisase.com).


8e1d8f96.pngfac89f72.png


Then, run the tracert turbo-XXXXXXX.edge.prod.fortisase.com command and collect the output.


Step 4. Enable FortiClient debug log generation.

Enable debug log generation under the endpoint profile applied to the workstation.


56286a6d.png


Verify FortiClient has received the profile update by navigating to the Settings tab (Log Level should be set to Debug).


3566e3da.png


Step 5. Run packet capture on the endpoint.

Run packet capture on the endpoint using a tool of choice (i.e., Wireshark or Packet Monitor). The example uses a Windows-native packet-capturing tool, Packet Monitor.


pktmon filter add -i turbo-XXXXXXX.edge.prod.fortisase.com -t UDP -p 500

pktmon filter add -i turbo-XXXXXXX.edge.prod.fortisase.com -t UDP -p 4500

pktmon start --capture --comp all --pkt-size 0 --file ipsec.etl


Step 6. Reproduce the issue and note the timestamp.

Reproduce the issue while the packet capture is active.

Once finished, save the capture by running the commands below:


pktmon stop

pktmon filter remove

pktmon pcapng ipsec.etl -o ipsec.pcapng


Attach the ipsec.pcapng to the support ticket and record the timestamp of when the issue was reproduced.


Step 7. Collect FortiClient diagnostics.

Collect FortiClient diagnostics from under the About tab (Run Diagnostic Tool).


3d0f075f.png


Step 8. Copy and fill out the questionnaire when submitting a support ticket.

Copy and answer the questions below into a ticket when engaging technical support.

Q1. 'How many users are affected?'.

Q2. 'What's the endpoint public IP-address?'.

Q3. 'What time the issue was reproduced?'.

Q4. 'Files attached to the case (PCAP, diagnostics, traceroute).'.


Attach collected log files, packet capture, and FortiClient diagnostics, along with the answers to the above questions, to the ticket.

    Terms & ConditionsAccessibility statement