My VPN connection keeps disconnecting from the server.
Hello
I am using FortiClient for a VPN connection to our office server on macOS High Sierra version 10.13.4.
After I connect to the server, the VPN automatically disconnects every 13-15 seconds with error codes 104 and later 110, and then reconnects again. As such, I am not able to work. I feel that I may not have configured the VPN properly, so the following is the configuration script as retrieved from FortiClient:
<?xml version="1.0" encoding="UTF-8"?> <forticlient_configuration> <forticlient_version>5.6.1.0723</forticlient_version> <version>5.6</version> <date>2018-4-26</date> <os_version>MacOSX</os_version> <partial_configuration>0</partial_configuration> <system> <log_settings> <level>6</level> <max_log_size>10000000</max_log_size> <log_events>ipsecvpn,sslvpn,update</log_events> <remote_logging> <log_protocol>faz</log_protocol> <log_upload_enabled>0</log_upload_enabled> <log_upload_server></log_upload_server> <netlog_server></netlog_server> <log_upload_freq_hours>0</log_upload_freq_hours> <log_upload_freq_minutes>60</log_upload_freq_minutes> <log_upload_ssl_enabled>1</log_upload_ssl_enabled> <netlog_categories>7</netlog_categories> <log_retention_days>90</log_retention_days> </remote_logging> </log_settings> <proxy> <type>0</type> <address></address> <port>0</port> <username></username> <password>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</password> <update>0</update> </proxy> <update> <use_custom_server>0</use_custom_server> <server></server> <port></port> <failoverport></failoverport> <fail_over_to_fdn>1</fail_over_to_fdn> <update_action>notify_only</update_action> <scheduled_update> <enabled>1</enabled> <type>interval</type> <update_interval_in_hours>1</update_interval_in_hours> </scheduled_update> <minimum_fct_version> <mac_os></mac_os> </minimum_fct_version> </update> <ui> <password>Enc 420d2ee65abded897a69c50f49955d5cb40971588e2ea7fd9c4daeaab82a79ce37e08664a4bdce9d38b1eaef9d2313ec1d20e2eaccbf0b8a50</password> <default_tab>VPN</default_tab> <culture_code>os-default</culture_code> <ads>1</ads> <replacement_messages> <quarantine> <title><![CDATA[]]></title> <statement><![CDATA[]]></statement> <remediation><![CDATA[]]></remediation> </quarantine> </replacement_messages> <avatars> <enabled></enabled> <providers> <google> <clientid><![CDATA[]]></clientid> <clientsecret><![CDATA[]]></clientsecret> </google> <linkedin> <clientid><![CDATA[]]></clientid> 
<clientsecret><![CDATA[]]></clientsecret> <redirecturl><![CDATA[]]></redirecturl> </linkedin> <salesforce> <clientid><![CDATA[]]></clientid> <clientsecret><![CDATA[]]></clientsecret> <redirecturl><![CDATA[]]></redirecturl> </salesforce> </providers> </avatars> </ui> <certificates></certificates> <os_allowed></os_allowed> </system> <antivirus> <real_time_protection> <signatures_up_to_date></signatures_up_to_date> <fct_signatures> <av></av> </fct_signatures> </real_time_protection> </antivirus> <vpn> <options> <autoconnect_tunnel></autoconnect_tunnel> <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet> <keep_running_max_tries>0</keep_running_max_tries> <allow_personal_vpns>1</allow_personal_vpns> <disable_connect_disconnect>0</disable_connect_disconnect> </options> <ipsecvpn> <options> <enabled>1</enabled> <block_ipv6>1</block_ipv6> </options> <connections> <connection> <name>ERP_VPN</name> <type>manual</type> <ike_settings> <prompt_certificate>0</prompt_certificate> <description></description> <server>vpn.powergrid.in</server> <authentication_method>Preshared Key</authentication_method> <auth_key>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</auth_key> <mode>aggressive</mode> <dhgroup>5</dhgroup> <key_life>86400</key_life> <localid>3</localid> <nat_traversal>1</nat_traversal> <mode_config>1</mode_config> <enable_local_lan>0</enable_local_lan> <dpd>0</dpd> <xauth> <enabled>1</enabled> <prompt_username>1</prompt_username> <username>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</username> <password>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</password> </xauth> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> <fgt>0</fgt> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network> <network> <addr>::</addr> <mask>0</mask> </network> <network> <addr>::</addr> <mask>0</mask> </network> </remote_networks> <dhgroup>5</dhgroup> 
<key_life_type>seconds</key_life_type> <key_life_seconds>43200</key_life_seconds> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip></ip> <mask></mask> <dnsserver></dnsserver> </virtualip> <proposals></proposals> </ipsec_settings> <on_connect> <script> <os>mac</os> <script></script> </script> </on_connect> <on_disconnect> <script> <os>mac</os> <script></script> </script> </on_disconnect> <keep_running>0</keep_running> <ui> <show_passcode>0</show_passcode> <show_remember_password>0</show_remember_password> <show_alwaysup>0</show_alwaysup> <show_autoconnect>0</show_autoconnect> </ui> </connection> </connections> </ipsecvpn> <sslvpn> <options> <enabled>1</enabled> </options> <connections></connections> </sslvpn> </vpn> <endpoint_control> <enable_enforcement></enable_enforcement> <enabled>1</enabled> <system_data>Enc 420d2ee65abded897a69c50f49955409e6327b0cdc27a6a8954bfdaaa32e58b339e2f71caab192ca67bceaed9c0757b71bf0fe0f499e761cad88dbe8bbeb84ae0cc83a775077c3dbd76adde59702f889be046283ae7f3db83607dd632dc6c32c172d4445421123f0f170f5c3998700ff916b447d73e1458362d1557f3224</system_data> <checksum></checksum> <custom_ping_server>:0</custom_ping_server> <log_last_upload_date></log_last_upload_date> <conf_recv_time>0</conf_recv_time> <fgt_logoff_on_fct_shutdown>0</fgt_logoff_on_fct_shutdown> <fortigates></fortigates> <ui> <display_antivirus>0</display_antivirus> <display_webfilter>0</display_webfilter> <display_firewall>0</display_firewall> <display_vpn>1</display_vpn> <display_vulnerability_scan>1</display_vulnerability_scan> <registration_dialog> <show_profile_details>1</show_profile_details> </registration_dialog> <hide_compliance_warning>0</hide_compliance_warning> </ui> <silent_registration>0</silent_registration> <disable_unregister>0</disable_unregister> <alerts> <notify_server>1</notify_server> <alert_threshold>1</alert_threshold> </alerts> <onnet_addresses></onnet_addresses> <onnet_mac_addresses></onnet_mac_addresses> <notification_server> 
<address>:0</address> <registration_password>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</registration_password> </notification_server> <show_bubble_notifications>1</show_bubble_notifications> <avatar_enabled>1</avatar_enabled> </endpoint_control> <vulnerability_scan> <enabled>1</enabled> <scan_on_fgt_registration>0</scan_on_fgt_registration> <scan_on_signature_update>1</scan_on_signature_update> <windows_update>1</windows_update> <scheduled_scans> <schedule> <repeat></repeat> <type></type> <day></day> <time></time> </schedule> </scheduled_scans> <lowest_level_enforced>critical</lowest_level_enforced> <days_allowed>1</days_allowed> <auto_patch> <level>critical</level> </auto_patch> <exempt_manual>0</exempt_manual> <exemptions> <exemption></exemption> </exemptions> <exempt_no_auto_patch>0</exempt_no_auto_patch> </vulnerability_scan> <fssoma> <enabled>0</enabled> <serveraddress>:8001</serveraddress> <presharedkey>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</presharedkey> </fssoma> </forticlient_configuration>
The FortiClient configuration file that works properly on Windows OS is as follows:
<?xml version="1.0" encoding="UTF-8" ?> <forticlient_configuration> <forticlient_version>5.6.1.1115</forticlient_version> <version>5.6.1</version> <date>2017/11/09</date> <partial_configuration>0</partial_configuration> <os_version>windows</os_version> <system> <ui> <disable_backup>0</disable_backup> <ads>1</ads> <flashing_system_tray_icon>1</flashing_system_tray_icon> <hide_system_tray_icon>0</hide_system_tray_icon> <suppress_admin_prompt>0</suppress_admin_prompt> <password /> <culture_code>os-default</culture_code> <gpu_rendering>0</gpu_rendering> <replacement_messages> <quarantine> <title> <title> <![CDATA[]]> </title> </title> <statement> <remediation> <![CDATA[]]> </remediation> </statement> <remediation> <remediation> <![CDATA[]]> </remediation> </remediation> </quarantine> </replacement_messages> </ui> <log_settings> <onnet_local_logging>1</onnet_local_logging> <level>6</level> <!--0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=info, 7=debug, --> <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,shield,endpoint,configd,vuln</log_events> <!--ipsecvpn=ipsec vpn, sslvpn=ssl vpn, firewall=firewall, av=antivirus, sandboxing=sandboxing, webfilter=webfilter, vuln=vulnerability scan, wanacc=wan acceleration, fssoma=single sign-on mobility for fortiauthenticator, scheduler=scheduler, update=update, proxy=fortiproxy, shield=fortishield, endpoint=endpoint control, configd=configuration, --> <remote_logging> <log_upload_enabled>0</log_upload_enabled> <log_upload_server /> <log_upload_ssl_enabled>1</log_upload_ssl_enabled> <log_retention_days>90</log_retention_days> <log_upload_freq_minutes>60</log_upload_freq_minutes> <log_generation_timeout_secs>900</log_generation_timeout_secs> <netlog_categories>7</netlog_categories> <log_protocol>faz</log_protocol> </remote_logging> </log_settings> <update> <use_custom_server>0</use_custom_server> <server /> <port>80</port> <timeout>60</timeout> <failoverport /> <fail_over_to_fdn>1</fail_over_to_fdn> 
<use_proxy_when_fail_over_to_fdn>1</use_proxy_when_fail_over_to_fdn> <auto_patch>0</auto_patch> <submit_virus_info_to_fds>1</submit_virus_info_to_fds> <submit_vuln_info_to_fds>1</submit_vuln_info_to_fds> <!-- update_action applies to software updates only and can be one of: notify_only, download_and_install, download_only, disable --> <update_action>notify_only</update_action> <scheduled_update> <enabled>1</enabled> <type>interval</type> <daily_at>01:44</daily_at> <update_interval_in_hours>1</update_interval_in_hours> </scheduled_update> </update> <certificates> <crl> <ocsp /> </crl> <hdd /> <ca /> </certificates> </system> <endpoint_control> <enabled>1</enabled> <!--Format: <probe_timeout:keep_alive_timeout> in seconds. Default: <1:5>. Note: changing connect timeouts might affect performance.--> <socket_connect_timeouts>1:5</socket_connect_timeouts> <system_data>Enc e0ea4e78412c790a9453bcb700769fc892e4fe8a34875cfde7e14b98ad58a8c087f4e7cadd37b932aca999c782715aabf9e7c239f794c3cd890575013850e27920c42820e47538c1ca5231c49c7ae59a</system_data> <disable_unregister>0</disable_unregister> <disable_fgt_switch>0</disable_fgt_switch> <show_bubble_notifications>1</show_bubble_notifications> <avatar_enabled>1</avatar_enabled> <ui> <display_antivirus>0</display_antivirus> <display_webfilter>0</display_webfilter> <display_firewall>0</display_firewall> <display_vpn>1</display_vpn> <display_vulnerability_scan>1</display_vulnerability_scan> <display_sandbox>0</display_sandbox> <display_compliance>1</display_compliance> <hide_compliance_warning>0</hide_compliance_warning> <registration_dialog> <show_profile_details>1</show_profile_details> </registration_dialog> </ui> <onnet_addresses> <address /> </onnet_addresses> <onnet_mac_addresses> <address /> </onnet_mac_addresses> <alerts> <notify_server>1</notify_server> <alert_threshold>1</alert_threshold> </alerts> <fortigates> <fortigate> <serial_number /> <name /> <registration_password /> <addresses /> </fortigate> </fortigates> 
<local_subnets_only>0</local_subnets_only> <notification_server /> <nac> <processes> <process id=""> <signature name="" /> </process> </processes> <files> <path id="" /> </files> <registry> <path id="" /> </registry> </nac> </endpoint_control> <vpn> <options> <autoconnect_tunnel /> <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet> <keep_running_max_tries>0</keep_running_max_tries> <disable_internet_check>0</disable_internet_check> <save_password>0</save_password> <minimize_window_on_connect>1</minimize_window_on_connect> <allow_personal_vpns>1</allow_personal_vpns> <disable_connect_disconnect>0</disable_connect_disconnect> <show_vpn_before_logon>0</show_vpn_before_logon> <use_windows_credentials>1</use_windows_credentials> <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon> <show_negotiation_wnd>0</show_negotiation_wnd> <vendor_id /> </options> <sslvpn> <options> <enabled>1</enabled> <prefer_sslvpn_dns>1</prefer_sslvpn_dns> <dnscache_service_control>0</dnscache_service_control> <!--0=disable dnscache service, 1=do not touch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange--> <use_legacy_ssl_adapter>0</use_legacy_ssl_adapter> <preferred_dtls_tunnel>0</preferred_dtls_tunnel> <no_dhcp_server_route>0</no_dhcp_server_route> <no_dns_registration>0</no_dns_registration> <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate> </options> <connections /> </sslvpn> <ipsecvpn> <options> <enabled>1</enabled> <beep_if_error>0</beep_if_error> <usewincert>1</usewincert> <use_win_current_user_cert>1</use_win_current_user_cert> <use_win_local_computer_cert>1</use_win_local_computer_cert> <block_ipv6>1</block_ipv6> <uselocalcert>0</uselocalcert> <usesmcardcert>1</usesmcardcert> <enable_udp_checksum>0</enable_udp_checksum> <disable_default_route>0</disable_default_route> <show_auth_cert_only>0</show_auth_cert_only> <check_for_cert_private_key>0</check_for_cert_private_key> 
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory> </options> <connections> <connection> <name>ERP_VPN</name> <single_user_mode>0</single_user_mode> <!--when single_user_mode=1 the tunnel cannot be connected if more than one user is logged on the computer--> <type>manual</type> <ui> <show_passcode>0</show_passcode> <show_remember_password>0</show_remember_password> <show_alwaysup>0</show_alwaysup> <show_autoconnect>0</show_autoconnect> <save_username>0</save_username> </ui> <ike_settings> <implied_SPDO>0</implied_SPDO> <implied_SPDO_timeout>0</implied_SPDO_timeout> <prompt_certificate>0</prompt_certificate> <server>vpn.powergrid.in</server> <authentication_method>Preshared Key</authentication_method> <auth_data> <preshared_key>Enc 50501c014e18cf6740a93276539e5dca0e46171eb42a69af2291cb1dba258a96</preshared_key> </auth_data> <mode>aggressive</mode> <dhgroup>5;</dhgroup> <key_life>86400</key_life> <localid>3</localid> <peerid /> <nat_traversal>1</nat_traversal> <mode_config>1</mode_config> <enable_local_lan>0</enable_local_lan> <nat_alive_freq>5</nat_alive_freq> <dpd>0</dpd> <dpd_retry_count>3</dpd_retry_count> <dpd_retry_interval>5</dpd_retry_interval> <enable_ike_fragmentation>0</enable_ike_fragmentation> <xauth> <enabled>1</enabled> <prompt_username>1</prompt_username> <username>Enc 5c92945ce4123cadaa3c78d6b7f0a03e1b83d006b14ddbd0</username> <password /> </xauth> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network> <network> <addr>::/0</addr> <mask>::/0</mask> </network> </remote_networks> <dhgroup>5</dhgroup> <key_life_type>seconds</key_life_type> <key_life_seconds>43200</key_life_seconds> <key_life_Kbytes>5120</key_life_Kbytes> <replay_detection>1</replay_detection> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip>0.0.0.0</ip> <mask>0.0.0.0</mask> 
<dnsserver>0.0.0.0</dnsserver> <winserver>0.0.0.0</winserver> </virtualip> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA1</proposal> </proposals> </ipsec_settings> <on_connect> <script> <os>windows</os> <script> <!--Write MS DOS batch script inside the CDATA tag below.--> <!--One line per command, just like a regular batch script file.--> <!--The script will be executed in the context of the user that connected the tunnel.--> <!--Wherever you write #username# in your script, it will be automatically substituted with the xauth username of the user that connected the tunnel.--> <!--Wherever you write #password# in your script, it will be automatically substituted with the xauth password of the user that connected the tunnel.--> <!--Remember to check your xml file before deploying to ensure that carriage returns/line feeds are present.--> <![CDATA[]]> </script> </script> </on_connect> <on_disconnect> <script> <os>windows</os> <script> <!--Write MS DOS batch script inside the CDATA tag below.--> <!--One line per command, just like a regular batch script file.--> <!--The script will be executed in the context of the user that connected the tunnel.--> <!--Wherever you write #username# in your script, it will be automatically substituted with the xauth username of the user that connected the tunnel.--> <!--Wherever you write #password# in your script, it will be automatically substituted with the xauth password of the user that connected the tunnel.--> <!--Remember to check your xml file before deploying to ensure that carriage returns/line feeds are present.--> <![CDATA[]]> </script> </script> </on_disconnect> </connection> </connections> </ipsecvpn> </vpn> <vulnerability_scan> <enabled>1</enabled> <scan_on_registration>0</scan_on_registration> <scan_on_signature_update>1</scan_on_signature_update> <windows_update>1</windows_update> <auto_patch></auto_patch> <scheduled_scans></scheduled_scans> </vulnerability_scan> </forticlient_configuration>
If someone can help, I will be very thankful. I have tried everything and failed.
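
Added example, not part of the original post: a leaf-by-leaf comparison of the ERP_VPN connection in the two exports above, which is easier to read than the flattened XML. The embedded excerpts are trimmed from the posted configs, and every "Enc ..." value is replaced with a constructed placeholder and redacted on output.

```python
import xml.etree.ElementTree as ET

# Excerpts of the two ERP_VPN <connection> blocks from the post, trimmed to a few
# IKE/IPsec keys. "Enc PLACEHOLDER" is a constructed stand-in for the encrypted values.
MAC = """<connection><name>ERP_VPN</name><ike_settings>
<auth_key>Enc PLACEHOLDER</auth_key><mode>aggressive</mode><dhgroup>5</dhgroup>
<nat_traversal>1</nat_traversal><dpd>0</dpd>
<proposals><proposal>AES128|SHA1</proposal><proposal>AES256|SHA256</proposal></proposals>
</ike_settings><ipsec_settings><dhgroup>5</dhgroup><pfs>1</pfs>
<virtualip><type>modeconfig</type><ip></ip></virtualip><proposals></proposals>
</ipsec_settings></connection>"""
WIN = """<connection><name>ERP_VPN</name><ike_settings>
<auth_data><preshared_key>Enc PLACEHOLDER</preshared_key></auth_data>
<mode>aggressive</mode><dhgroup>5;</dhgroup><nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq><dpd>0</dpd><dpd_retry_count>3</dpd_retry_count>
<proposals><proposal>AES128|SHA1</proposal><proposal>AES256|SHA256</proposal></proposals>
</ike_settings><ipsec_settings><dhgroup>5</dhgroup><pfs>1</pfs>
<replay_detection>1</replay_detection>
<virtualip><type>modeconfig</type><ip>0.0.0.0</ip></virtualip>
<proposals><proposal>AES128|SHA1</proposal><proposal>AES256|SHA1</proposal></proposals>
</ipsec_settings></connection>"""


def flatten(elem, prefix=""):
    """Map each leaf path to the list of its values (repeated tags keep their order)."""
    out = {}
    for child in elem:
        path = f"{prefix}/{child.tag}" if prefix else child.tag
        if len(child):  # element has children: recurse
            for key, values in flatten(child, path).items():
                out.setdefault(key, []).extend(values)
        else:
            text = (child.text or "").strip()
            # Encrypted secrets differ per export and should never be echoed.
            if text.startswith("Enc "):
                text = "<redacted>"
            out.setdefault(path, []).append(text)
    return out


def diff_connections(a_xml, b_xml):
    """Return {path: (values_in_a, values_in_b)} for leaves that differ; None = absent."""
    a, b = flatten(ET.fromstring(a_xml)), flatten(ET.fromstring(b_xml))
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}


if __name__ == "__main__":
    for path, (mac, win) in diff_connections(MAC, WIN).items():
        print(f"{path:40} mac={mac!r:14} win={win!r}")
```

Each reported path is a setting to check against the gateway's phase 1 and phase 2 configuration; a difference alone does not identify the cause of the disconnects.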
