Skip to main content
fn-hmx
fn-hmx
New Member
April 15, 2024
Question

FortiClient 7.2 - will not connect if there is no Internet connection

  • April 15, 2024
  • 8 replies
  • 9057 views

On FortiClient 7.2.4, SSLVPN will not connect if the local machine has no Internet connection.

It appears that FortiClient checks Windows Network Level Awareness (NLA) to see if there is a working Internet connection. However, this breaks airgapped setups where:

1. the endpoint is airgapped with no Internet connectivity (hence Windows NLA will report No Internet)
2. the FortiGate is intranet-only (not exposed to the Internet)

FortiClient will refuse to initiate a connection thinking that there is no working connection, but FGT is reachable.

Previous versions of FC (7.0.11) seem to work alright, just not the 7.2.x branch.

8 replies

AEK
SuperUser
AEK
SuperUser
April 15, 2024

There are about 40 SSL VPN known issues on this version.

https://docs.fortinet.com/document/forticlient/7.2.4/windows-release-notes/991883/known-issues

Can you share the related logs from FortiClient?

AEK
    fn-hmx
    fn-hmxAuthor
    New Member
    April 15, 2024

    Hey @AEK, thanks for replying!

    The only relevant FortiClient log is the following:

    4/15/2024 1:24:20 PM	info	sslvpn	date=2024-04-15 time=13:24:19 logver=1 id=96600 type=securityevent subtype=sslvpn eventtype=status level=info uid=FE669A598C0F46AABA80C6660AE8CDA4 devid=FCT80004XXXXXXXX hostname=DESKTOP-JDR6DA5 pcdomain=N/A deviceip=10.255.XXX.XXX devicemac=f4-4e-XX-XX-XX-XX site=N/A fctver=7.2.4.0972 fgtserial=FCT80004XXXXXXXX emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=XXXXXXX msg="SSLVPN tunnel status" vpnstate=disconnected vpnuser=XXXXX

    When I hit "connect" after typing my username and password, the VPN client just flashes briefly, but nothing happens.

     

    Windows does say the following:

    Screenshot 2024-04-15 132509.png

     

    The remote FortiGate can 100% be reached over the network, but FortiClient doesn't seem to even try.

    smaruvala
    Staff
    smaruvala
    Staff
    April 15, 2024

    Hi,

     

    - Have you tried to reinstall the FortiClient?

    - Does the FortiClient tries to initiate communication? You can check this by taking wireshark captures on the client. 

    - Are there any 3rd party tools in PC such as VPN from another vendor or AV etc.

     

    Regards,

    Shiva

      fn-hmx
      fn-hmxAuthor
      New Member
      April 15, 2024

      Hi Shiva,

      1. Yes, we have reinstalled the FortiClient multiple times. FC 7.0.12 works with no issues.

      2. It does not look like the FortiClient 7.2 even tries.

      3. No other VPN but there is Symantec AV.

      smaruvala
      Staff
      smaruvala
      Staff
      April 15, 2024

      Hi,

       

      - You can confirm if it is sending the packets out or not by taking wireshark capture or a sniffer in the firewall.
      - You can try to disable the AV and verify the VPN.

      - We may have to check Diagnostics tool output such as FortiTray logs from the Client. If the above 2 steps are not giving the expected result then you can collect the Dignostics tool output and open a support ticket. 

       

      Regards,

      Shiva

        Michael_Heinrich
        Michael_Heinrich
        New Member
        April 15, 2024

        Hello everyone,

        The same thing with us, we come from FortiClient 7.2.0 which actually worked quite well except that the Azure SAML authentication was only remembered when the auth opened in the external browser.
        The FortiClient 7.2.3 then caused serious DNS problems for us (even without an active VPN), as it is very inconspicuously stated in the release notes.
        The update to 7.2.4 fixed the DNS problem but now we also have various connection problems.

        1. 0% - 40% - 0%
        or
        2. 100% short traffic then disconnect
        or
        3. Clicked connect but nothing happened

        Another problem is the automatic software deployment of the client and the fact that there is no coherent install and uninstall concept which actually automatically deletes all application components, disconnects from the EMS, cleans up the configuration and removes virtual drivers even during a deinstallation.

        Or are there silent command line parameters for the FCRemove.exe?
        It would at least be very helpful for bug fixing if the uninstallation went well.

        I opened a ticket with Fortinet, the logs are currently being checked.

        Greetings
        Michael

          Stelvio
          Stelvio
          Visitor III
          April 15, 2024

          Same issue for us as @Michael_Heinrich , but for 3 users (of 40) so far. Pushed out 7.2.4 this weekend and have 3 critical users unable to VPN in. No clear fix in sight, super frustrating.

          Michael_Heinrich
          Michael_Heinrich
          New Member
          April 15, 2024

          Dear Fortinet Community,

           

          after intensive research and experimentation, I would like to share a possible solution for the issues with FortiClient 7.2.4. It seems that a clean uninstallation and reinstallation of FortiClient can resolve the problem. However, it is important to ensure that the uninstallation not only occurs through the standard application but also that all application data and registry values ​​of the FortiClient user are removed.

           

          To achieve this, I recommend using the FCRemove.exe tool, specifically designed for the clean removal of FortiClient. However, it is important to note that the standard uninstallation is executed in the admin context and therefore typically does not remove the user data completely.

          After attempting to find a way to automate FCRemove.exe, I am pleased to announce that I have succeeded.

          With the following two script lines, the FortiClient can be shut down first, and then the FCRemove.exe can be automatically executed as an administrator:


          "%ProgramFiles%\Fortinet\FortiClient\fortitray.exe" --shutdown
          "%~dp0fcremove_x64.exe" --silent

          However, the downside is that the computer restarts unexpectedly, which is certainly not ideal.

           

          I kindly appeal to Fortinet developers to provide the appropriate silent parameters or to develop an uninstallation mechanism that allows customers to cleanly reinstall the product.

          I will also endeavor to develop a corresponding script in parallel, which I will be happy to share here.

          Thank you to everyone who is working to bring this excellent product back into the limelight!

           

          Best regards from Würzburg,
          Michael Heinrich

            birendrakumar
            Staff
            birendrakumar
            Staff
            April 16, 2024

            Hello, 

            Possible to share the xml config file from the Forticlient.?
            To export - Free FCT GUI - Settings button - Click Backup to export the xml file.

            BR

              Michael_Heinrich
              Michael_Heinrich
              New Member
              October 15, 2024

              Hello everyone,

              Fortinet has done a great job with the new version 7.2.5, addressing many of the previous issues. The DNS problems that occurred in version 7.2.3 no longer exist in 7.2.5. The various connection issues we experienced in earlier versions also seem to have been resolved.

              I hope FortiClient continues to be developed with this level of quality and that bugs are fixed more swiftly in the future.

              Best regards,
              Michael

              Roland3
              Roland3
              New Member
              November 8, 2024

              When you upgraded to version 7.2.5 did you do a full uninstall first like you mentioned in the script?

               

              "%ProgramFiles%\Fortinet\FortiClient\fortitray.exe" --shutdown
              "%~dp0fcremove_x64.exe" --silent

              Terms & ConditionsAccessibility statement