Mahmood_Fraidoon
New Member
October 28, 2019
Question

IPSec VPN is up but can't access anything


Hi

I have been running IPsec VPN for years without any issue. All of a sudden my users started to complain that they are unable to access the internal network.

VPN shows it's connected

FortiGate log shows incoming ping requests from client

Client receives request timed out

My firewall is disabled and I uninstalled antivirus from the client

I tried different versions of FortiClient and different firmwares of FortiGate

I noticed the problem is with Windows 10.

When I disconnect FortiClient and connect again, ping works fine for a few minutes, then the same problem happens again

Any idea?


    Toshi_Esumi
    SuperUser
    October 28, 2019

    Did you recently upgrade either the FGT or those client machines' OS? If the tunnel is really up the IKE debugging (diag debug app ike -1) wouldn't show anything suspicious. Then you need to run flow debug (diag debug flow) to see what happens to those un-returned ping packets.
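
Added example (not part of the original reply): the two debug steps suggested above, written out as they would be typed at the FortiGate CLI. The address 10.10.10.2 is a constructed stand-in for the VPN client's tunnel IP, and the packet count of 20 is an arbitrary choice.

```fortios
# Step 1: IKE debug, to confirm the tunnel negotiates and stays up
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
# ... reconnect the client, watch for errors or repeated renegotiation, then:
diagnose debug disable
diagnose debug reset

# Step 2: flow debug, to trace what the FortiGate does with the client's pings
# 10.10.10.2 = constructed placeholder for the client's tunnel address
diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.10.2
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... ping an internal host from the client, read the trace, then:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

The lines starting with # are annotations for the reader. For each traced packet the flow output shows the receiving interface, the route and policy that matched, or the reason the packet was dropped.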

    Mahmood_Fraidoon
    New Member
    October 29, 2019

    I have done more testing and noticed the problem occurs when I use Wi-Fi routers (from the same ISP).

    I tried connecting from my ADSL and mobile hotspot connectivity and didn't face any issue (both are from the same ISP as my Wi-Fi).

    Not sure if it makes any sense that my ISP is disturbing VPN traffic on Wi-Fi but allowing it on ADSL and mobile.

    Mahmood_Fraidoon
    New Member
    October 30, 2019

    I have enabled debug log on FortiClient and below is what I get


    Still no idea what to do