Visitor III
May 31, 2026
Solved

FortiClient showing timeout while connecting remote gw IP

  • May 31, 2026
  • 9 replies
  • 97 views

When using IPsec VPN user IKEv1 dial-up VPN. Did all things, still the same issue.

Also changed the WAN interface, still the same issue.

Attached a picture of the error. Urgent support needed.

FortiClient version: 7.4.3.4726

9 replies

Toshi_Esumi
SuperUser
May 31, 2026

Share with us the FortiClient’s Advanced Settings for “VPN” “Phase1” “Phase2”, and FortiGate’s CLI config for “phase1-interface” “phase2-interface” config after masking public IP ports. Showing those “status” messages wouldn’t help anybody figure out what the problem/cause is.

Toshi

Visitor III
May 31, 2026

Okay, sharing.

Thanks, R3hsec
Visitor III
May 31, 2026


edit "IPSEC-VPN-USERS"
        set type dynamic
        set interface "wan3"
        set local-gw ---
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 ---
        set proposal aes128-sha256 aes256-sha256
        set comments "VPN: IPSEC-VPN-USERS (Created by VPN wizard)"
        set dhgrp 20 14 5
        set xauthtype auto
        set ipv4-start-ip ----
        set ipv4-end-ip ----
        set ipv4-split-include "VPN-Address-GROUP"
        set save-password enable
        set psksecret ENC 

Thanks, R3hsec
Visitor III
May 31, 2026

edit "IPSEC-VPN-USERS"
        set phase1name "IPSEC-VPN-USERS"
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20 14 5
        set keepalive enable
        set comments "VPN: IPSEC-VPN-USERS (Created by VPN wizard)"
    next

Thanks, R3hsec
Toshi_Esumi
SuperUser
May 31, 2026

They should find the matching settings: aes256-sha256/dhg 20.
Are you sure about “wan3” for this incoming interface? And is the local-gw IP matching with the interface’s? I haven’t heard of any model that has a “wan3” interface before.
If you’re sure, sniff on the “wan3” interface by filtering with the client public IP. Then if you see incoming packets trying to connect a VPN, you need to run IKE debugging explained in the KB below.


Toshi

Visitor III
June 1, 2026

All 4 ISP WANs are part of SD-WAN.

Thanks, R3hsec
sjoshi
Staff
May 31, 2026

Hi @Muttahar_Rehman

You usually see a timeout issue with dial-up IPsec VPN when there is an issue with communication. Since you are using local GW, I believe there must be a private IP on the FGT interface? Is there an upstream router?

Initiate the VPN connection and collect the pcap:

diag sniff packet any 'host x.x.x.x and (port 500 or 4500)' 4 0 l

where x.x.x.x is the user's public IP from where the VPN connection is initiated.

Thanks, Salon
Visitor III
June 1, 2026

okay 

Thanks, R3hsec
June 1, 2026

Hello,

Is this problem for one user or all users?

Also, if you use the full version client, enable this setting: Settings → VPN Option → Preferred DTLS Tunnel.

When did the issues start? New config, upgrade?

Best Regards

Visitor III
June 1, 2026

New; it was working fine before, then it suddenly happened for all users.

Thanks, R3hsec
June 1, 2026

Hello,

Please run the commands below. The debug logs collected will help you investigate and identify the root cause of the issue.

 

diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 <PublicIP of the Host getting disconnected>
diagnose debug console timestamp enable
diagnose debug application ike -1

diagnose debug application fnbamd -1
diagnose debug enable


Best Regards

Muttahar_Rehman (Author, Answer)
Visitor III
June 1, 2026

Dears, it's working fine now. Some other user made changes in the VIPs and disabled port forward, and I just changed it to a specific port forward. Issue resolved.

Thanks all.

Thanks, R3hsec
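
The cause reported in the accepted answer (a VIP with port forwarding disabled on the VPN's WAN address) can be checked for offline. This is an added example, not part of the thread or of Fortinet's tooling: it scans `show firewall vip` style text for VIPs that would take UDP 500/4500 on the IPsec `local-gw` address. The sample config, VIP names and addresses are constructed, and it assumes an omitted `set protocol` means TCP and that `extip`/`extport` are single values or `lo-hi` ranges.

```python
from ipaddress import ip_address

IKE_PORTS = (500, 4500)  # UDP ports IKE / NAT-T must reach on the FortiGate itself
# Constructed sample in the style of "show firewall vip"; names and IPs are made up.
SAMPLE = """
config firewall vip
    edit "VIP-ALL-PORTS"
        set extip 203.0.113.10
    next
    edit "VIP-WEB-443"
        set extip 203.0.113.10
        set portforward enable
        set extport 443
    next
    edit "VIP-UDP-WIDE"
        set extip 203.0.113.10-203.0.113.12
        set portforward enable
        set protocol udp
        set extport 400-5000
    next
end
"""

def parse_vips(text):
    # Build {vip_name: {setting: value}} from the 'edit' / 'set' lines.
    vips, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["edit"]:
            cur = vips.setdefault(tok[1].strip('"'), {})
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = " ".join(tok[2:]).strip('"')
    return vips

def in_range(spec, value, conv):
    """True if value falls in 'lo' or 'lo-hi' after converting with conv."""
    lo, _, hi = spec.partition("-")
    return conv(lo) <= conv(value) <= conv(hi or lo)

def ike_conflicts(text, local_gw):
    """List VIPs on local_gw that would DNAT UDP 500/4500 away from the IKE daemon."""
    hits = []
    for name, v in parse_vips(text).items():
        on_gw = in_range(v.get("extip", "0.0.0.0"), local_gw, ip_address)
        if on_gw and v.get("portforward") != "enable":  # static NAT: every port
            hits.append((name, "all-ports"))
        elif on_gw and v.get("protocol", "tcp") == "udp" and any(
                in_range(r, p, int) for r in v.get("extport", "0").split() for p in IKE_PORTS):
            hits.append((name, "udp-overlap"))
    return hits
```

Calling `ike_conflicts(SAMPLE, "203.0.113.10")` flags the all-ports VIP and the wide UDP range, and leaves the TCP 443 port forward alone.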