lxh395252851
New Member
November 30, 2025
Question

Frequent Automatic Disconnections with IPsec VPN Servers in FortiClient 7.4


I'm using IPsec VPN with FortiClient 7.4. I've configured two IPsec VPN servers (primary and backup) and deployed the settings to clients via FortiClient EMS. However, during usage, the connection to the primary server consistently drops every 30 to 60 minutes, while the backup server disconnects even more frequently and irregularly.

All components are running version 7.4, and there’s no packet loss between the public networks involved. This issue affects all users in our environment.

Has anyone encountered this behavior? Any suggestions on how to troubleshoot or resolve it would be greatly appreciated.

3 replies

AEK
SuperUser
November 30, 2025

Which FortiClient version exactly (I mean the x in 7.4.x)?

Can you try connecting your client using another internet link or another ISP?

AEK
lxh395252851
New Member
December 2, 2025

This issue appears to be widespread, affecting nearly all ISPs. The versions currently in use are as follows:

Primary/standby firewall version: 7.2.11

FortiClient versions: 7.4.4 

FortiClient EMS versions: 7.4.3

Carson_Daniels
New Member
November 30, 2025

Hi — frequent disconnections with FortiClient 7.4 IPsec VPN are often caused by IKE or dead peer detection (DPD) timers being too short, or NAT/keepalive issues. Try the following:

Increase the IKE SA and DPD timers on both VPN servers.

Enable VPN keepalive/ping to maintain the tunnel.

Check for overlapping subnets or duplicate IP assignments that might trigger rekeying.

Review client logs for specific error codes to pinpoint the drop reason.

These steps usually stabilize connections and reduce frequent automatic disconnections.
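Added example, not part of any post in this thread: a heuristic triage of drop timing, where evenly spaced drops point toward a lifetime or rekey timer and irregular drops point toward path issues such as DPD or NAT keepalive loss. The log lines, the `tunnel-down` event name, and the timer names and values are constructed assumptions, not FortiClient's log format or this site's configuration.

```python
# Added example: heuristic triage of VPN drop timing. The log lines are
# constructed for illustration and are not FortiClient's real log format.
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2025-12-01T08:00:00 primary tunnel-down
2025-12-01T08:45:10 primary tunnel-down
2025-12-01T09:30:05 primary tunnel-down
2025-12-01T10:15:20 primary tunnel-down
2025-12-01T08:03:00 backup tunnel-down
2025-12-01T08:09:30 backup tunnel-down
2025-12-01T08:41:00 backup tunnel-down
2025-12-01T08:44:15 backup tunnel-down
"""

def drop_gaps(log_text):
    """Return {gateway: [seconds between consecutive tunnel-down events]}."""
    times = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "tunnel-down":
            continue  # skip anything that is not a drop event
        times.setdefault(parts[1], []).append(datetime.fromisoformat(parts[0]))
    gaps = {}
    for gw, ts in times.items():
        ts.sort()
        gaps[gw] = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return gaps

def classify(gaps, spread=0.10):
    """'periodic' if every gap is within `spread` of the median, else 'irregular'."""
    if len(gaps) < 2:
        return "insufficient-data"
    mid = median(gaps)
    return "periodic" if all(abs(g - mid) <= spread * mid for g in gaps) else "irregular"

def matching_timers(gaps, timers, spread=0.10):
    """Names of timers (seconds) whose value is within `spread` of itself from the median gap."""
    mid = median(gaps)
    return sorted(n for n, s in timers.items() if abs(s - mid) <= spread * s)

if __name__ == "__main__":
    # Assumed timer values; replace with the ones from your own gateway config.
    timers = {"phase2_keylife": 2700, "phase1_keylife": 86400, "nat_udp_timeout": 300}
    for gw, g in drop_gaps(SAMPLE_LOG).items():
        print(gw, classify(g), matching_timers(g, timers))
```

A "periodic" result with a matching timer is a reason to inspect rekey negotiation for that lifetime; an "irregular" result is only a hint and needs gateway-side IKE logs to confirm.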

lxh395252851
New Member
December 2, 2025

Thank you for your suggestions.

Currently, the DPD interval on the firewall is set to 60 seconds. The configuration pushed via EMS only enables DPD but does not allow customization of the DPD mode or detection interval. In this case, I believe the negotiated parameters should follow those configured on the firewall.

The FortiClient is deployed within the internal network of the branch site, and NAT traversal has been enabled in the EMS-deployed configuration. Regarding potential NAT/keepalive issues, could you advise how I should go about troubleshooting them? Specifically, would it be necessary to reduce the IKE Phase 1 keepalive interval and the IPsec Phase 2 SA lifetime to better align with the NAT timeout policies across the customer’s various sites?

From the logs provided by the customer, we only observe the client’s IP address switching between the VPN-assigned address and its local LAN address—this appears to be expected behavior during an IPsec VPN disconnection. Unfortunately, no additional diagnostic logs are available for further analysis.

AEK
SuperUser
December 2, 2025

EMS 7.4.3 is not 100% compatible with FCT 7.4.4. You should update your EMS.

https://docs.fortinet.com/document/forticlient/7.4.0/ems-compatibility-chart

Well, it may or may not be the root cause of the issue, but it is worth a try.

AEK