jalejoFTNT
Staff
Article Id 330337
Description

This article describes how to avoid losing internet connectivity while attempting to connect to a VPN using FortiClient with 2FA.

 

While FortiClient is connecting to a VPN with 2FA, the endpoint may lose internet connectivity.

Scope

FortiGate, FortiClient, FortiEMS.
Solution
  1. Go to the FortiClient settings page.

  2. Select the 'Backup' button.

  3. Enter a filename and location in the 'Save As' window.

  4. Ensure that the 'Include user settings' checkbox is enabled.

  5. Enter a password in the 'Password' field, enter it again in the 'Confirm' field to make sure it was typed correctly, and select the 'OK' button.
    Note: Remember this password, because it must be entered correctly when restoring the backup file.

  6. Open the config file in a text editor such as Notepad++ and find the connection name (in this example, FTNT is the connection name).

    Scroll down to the 'ike_settings' section and find the <implied_SPDO> item.

    Change the value from 0 to 1.

     

    <connection>
      <name>FTNT</name>
      <single_user_mode>0</single_user_mode>
      <machine>0</machine>
      <type>manual</type>
      <ui>
        <show_passcode>0</show_passcode>
        <show_remember_password>0</show_remember_password>
        <show_alwaysup>0</show_alwaysup>
        <show_autoconnect>0</show_autoconnect>
        <save_username>0</save_username>
      </ui>
      <ike_settings>
        <version>1</version>
        <implied_SPDO>1</implied_SPDO>
        <implied_SPDO_timeout>60</implied_SPDO_timeout>

 

Note: <implied_SPDO_timeout> is the timeout, in seconds, during which all outbound traffic is allowed.

 

  1. Save changes and close the file.

  2. In FortiClient, select the 'Restore' button to load the modified file.

  3. Choose the file to restore in the 'Open' window.

  4. Enter the password associated with the file.

  5. FortiClient confirms that the configuration is restored. Select 'OK'.

  6. The next VPN connection attempt should not lose internet connectivity. If it still does, open a TAC ticket in the Support Portal.

Note: This procedure only applies to the FortiClient where the configuration was made. To make the change on several FortiClients, configure it from the FortiEMS console.

 

  1. Go to 'Endpoint Profiles --> Remote Access', edit the desired profile, and then select 'XML'.

  2. Then select 'Edit'.

  3. Scroll down to the 'ike_settings' section and find the <implied_SPDO> item.

    Change the value from 0 to 1.

  4. Select 'Save' and wait for the next Telemetry with the FortiClients.
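
A scripted version of the XML edit described in both procedures above, useful for confirming that the change lands only in the intended connection (an added example, not Fortinet's code). The sample XML is constructed: the <connections> wrapper and the OTHER connection are assumptions, and only elements shown in this article are modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the wrapper element and the second connection are assumptions.
SAMPLE = """<connections>
  <connection>
    <name>FTNT</name>
    <ike_settings>
      <version>1</version>
      <implied_SPDO>0</implied_SPDO>
      <implied_SPDO_timeout>60</implied_SPDO_timeout>
    </ike_settings>
  </connection>
  <connection><name>OTHER</name><ike_settings><implied_SPDO>0</implied_SPDO></ike_settings></connection>
</connections>"""


def set_implied_spdo(xml_text, connection_name, value="1"):
    """Set <implied_SPDO> for one named connection; return (new_xml, old_value)."""
    root = ET.fromstring(xml_text)
    matches = [c for c in root.iter("connection")
               if (c.findtext("name") or "").strip() == connection_name]
    if len(matches) != 1:
        raise ValueError(f"expected one connection named {connection_name!r}, found {len(matches)}")
    item = matches[0].find("ike_settings/implied_SPDO")
    if item is None:
        raise ValueError("<implied_SPDO> not found under <ike_settings>; nothing changed")
    old = (item.text or "").strip()
    item.text = value
    return ET.tostring(root, encoding="unicode"), old


def implied_spdo_report(xml_text):
    """Map each connection name to its (implied_SPDO, implied_SPDO_timeout) values."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("connection"):
        ike = conn.find("ike_settings")
        if ike is not None:
            report[conn.findtext("name")] = (ike.findtext("implied_SPDO"),
                                             ike.findtext("implied_SPDO_timeout"))
    return report


if __name__ == "__main__":
    patched, previous = set_implied_spdo(SAMPLE, "FTNT")
    print("previous value:", previous)
    print(implied_spdo_report(patched))
```

ElementTree drops XML comments and the XML declaration when it re-serializes, so compare the output with the original backup before restoring it in FortiClient.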

 

Related documents:

IKE settings 

PC losing internet connectivity while using FortiClient