New Member

Question

Random FortiClient (IPsec VPN) disconnects

Forum|Forum|6 years ago
April 24, 2020
7 replies
74395 views

Hi everyone

Some of our user's FortiClient IPsec VPN connection (Windows 10 x64, FortiClient 6.0.9, FortiGate 6.0.9) drops numerous times a day. Some users have to reconnect more than 10 times a day. The connection simply drops while they are working, and for no apparent reason as applications such as Skype, Teams etc. remain online. Even if there was packet loss for a moment, it must have been very brief.

This does not affect all of of our users. For the majority of our users the FortiClient connection is pretty stable. In my experience, the quality of the Internet link makes a big difference. I have experienced frequent disconnects myself on my ADSL home Internet link whereas I don't experience any disconnects anymore now that I am on fibre. All workstations are set up using an image and are therefore identical in the way they are configured. So I don't think the problem lies there.

All users connect to the same IPsec dialup tunnel (ike=1, authentication=psk, mode=aggressive, lifetime=86400/43200, dpd-retrycount=3, dpd-retryinterval=15) and since this is not affecting everyone, I guess we can rule out an issue on the FortiGate too. This therefore points to the FortiClient itself.

Is anyone else experiencing this? Are there any recommendations to make the FortiClient more resilient in this regard? This issue has been bugging us for almost three years. We have started with FortiGate/FortiClient 5.4.x and upgrading to different versions (which is something Support always likes to suggest) has made zero difference. I have opened another ticket with Support a few weeks ago but there has not been any progress so far.

I would appreciate your input on this. Thank you.

Kind Regards

Stefan

st3fanAuthor

New Member

Any comments, suggestions etc. from anyone?

Thanks,

Stefan

tanr

New Member

I haven't run into this myself, but we only use FortiClient SSL VPN for a couple clients (on 6.0.9).

What do the FortiGates VPN logs look like for those disconnects? Since it sounds like the same users keep having issues, hopefully you can collect some useful logs on this. References:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/340035/troubleshooting#The2

From what you're saying, it sounds like something about the ISP line is effecting it, so would be useful to collect data from the users with issues, like are they all PPPoE with smaller MTUs, have odd port-forwarding set up, doulbe-NAT, etc.

If you can get some sanitized logs and common network details of the users with problems hopefully TAC or someone here with more knowledge than me could point you in the right direction.

st3fanAuthor

New Member

Thanks for your comments!

I have spent the last few weeks troubleshooting this issue with FortiGate Support and they have confirmed that it is not the FortiGate that is causing these issues. It seems the FortiClient is sending an "IPsec ISAKMP SA delete" to the FortiGate - which then terminates the connection. It does not make sense to me as our users are busy working and then suddenly the connection drops. Support was unable to determine why this keeps happening and they advised to get FortiClient support licenses so that FortiClient Support can investigate.

I do think that the ISP line does play a role here. Why else would users on a very stable (e.g. fibre) Internet link have no problem whatsoever and users who connect via e.g. mobile hotspot or ADSL lose connection so frequently. I don't know, it just does not make sense to me but I am also concerned that spending money on FortiClient EMS (which as far as I understand is required for FortiClient Support - and at this stage we wouldn't even be interested in all these additional features) is not going to lead to any solution either.

mtl83

Visitor III

I am having this issue in my organisation also. Frequent disconnects affecting vast majority of staff, despite consistent and good ping, zero packet loss and low jitter.

st3fanAuthor

New Member

I tested the paid FortiClient version today. There is a setting called "always up" which solves these problems. I repeated the tests mentioned above and pulled the network cable for a minute or so. The VPN connection did not drop. So I guess they make one pay for a reliable solution.

Mahmoud_Reda

New Member

Hello,

I am facing a similar issue. before changing my ISP (due to moving to a new apartment) IPSEC vpn & SSL VPN were working fine without any issue. just after I changed my ISP , IPSEC VPN disconnects every time almost after 10 seconds after being connected , SSL VPN is stable and working fine. so I am almost pretty sure that it is an ISP issue. Does anyone find a solution to this issue rather than purchasing the paid forticlient version ? Thank you in advance Best Regards

vijaysivakumar

New Member

where is "Always up" setting ?

oxsigen

New Member

I have the same problem.
ipsec vpn disconnects after 10 seconds of connecting

goestin

New Member

Bump

labsolution

New Member

Same issue here in case of high latency users. Should not happen or a solution should be available.

Chua_Augustine

Explorer II

We encountered similar issue too. We use email OTP verification as an added security measure, but sometime users don't receive the OTP email. Occasionally, even after successfully connected, the connection drops after just a few minutes. Although we set a time limit of 4 hours session, the session sometimes ends prematurely before reaching the limit.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded