FortiArt
Article Id 363044
Description This article describes some possible root causes of a slow initial DialUp IPsec VPN connection for remote users using FortiClient, along with the checks to perform to confirm the problem.
Scope FortiGate.
Solution

Introduction:

When the remote users connect to a DialUp IPsec VPN using FortiClient, the connection traffic flow is processed using the public IP addresses of the remote user's PC and the FortiGate's public IP address. A private IP address is assigned to the remote user's PC only after successfully connecting to the DialUp IPsec VPN.


Problem:

In some cases, the remote connection process to the DialUp IPsec VPN is slow and takes longer than expected. For example, the connection may take about 30-45 seconds to complete successfully. This problem can have many root causes; this article provides two ways to approach it and the corresponding possible solutions.


Solution:

First approach to the problem:


  1. Use the CLI on FortiGate to run the sniffer command (S.S.S.S = public IP address of the remote user):

    diagnose sniffer packet any 'host S.S.S.S and icmp' 4 

  2. Ask the remote user to initiate ping requests for 1 or 2 minutes (D.D.D.D = FortiGate's public IP address. Note: Make sure ping is enabled on the public interface that holds the D.D.D.D IP address, and that no trusted host or Local-in policy is set that would block the requests).

    ping D.D.D.D 

  3. Count how many ping requests/replies are received/sent on FortiGate compared to the source PC pings.


Note: If there are missing pings, i.e., packet drops, this is a possible root cause of the delayed connection. If FortiGate received 'n' ping requests and sent 'n' ping replies, but replies are missing on the source PC, the drops are on the return path. This could be caused by an upstream switch between FortiGate and the ISP modem, if any, or by a routing problem on any Internet router processing the ping replies.
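To make step 3 less error-prone, the following added example (not part of the original article) parses the verbosity-4 sniffer output, counts the echo requests FortiGate received from S.S.S.S and the echo replies it sent back, and compares them with the sent/received totals from the user's own ping summary to tell forward-path loss from return-path loss. The capture lines and the addresses 203.0.113.10 (S.S.S.S) and 198.51.100.1 (D.D.D.D) are constructed sample data.

```python
import re

# One packet line from 'diagnose sniffer packet any "host S.S.S.S and icmp" 4'
# (verbosity 4 prints timestamp, interface, direction and the IP header).
PKT_RE = re.compile(
    r"^\s*[\d.]+\s+\S+\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def analyse_ping_capture(lines, pc_sent, pc_received, pc_ip, fgt_ip):
    """Compare FortiGate sniffer counts with the remote PC's own ping summary.
    pc_sent/pc_received come from the user's ping statistics; pc_ip is S.S.S.S, fgt_ip is D.D.D.D."""
    requests_seen = replies_sent = 0
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue  # banner, 'filters=' and other non-packet lines
        if m["kind"] == "request" and m["dir"] == "in" and (m["src"], m["dst"]) == (pc_ip, fgt_ip):
            requests_seen += 1
        elif m["kind"] == "reply" and m["dir"] == "out" and (m["src"], m["dst"]) == (fgt_ip, pc_ip):
            replies_sent += 1

    if requests_seen < pc_sent:
        verdict = "forward-path drops: requests lost before reaching FortiGate"
    elif replies_sent < requests_seen:
        verdict = "FortiGate not answering: check ping enable, trusted hosts, local-in policy"
    elif pc_received < replies_sent:
        verdict = "return-path drops: replies lost between FortiGate and the PC"
    else:
        verdict = "no drops observed"
    return {"requests_seen": requests_seen, "replies_sent": replies_sent, "verdict": verdict}

# Constructed sample capture (not real data): 203.0.113.10 stands in for the
# remote PC's public IP (S.S.S.S), 198.51.100.1 for the FortiGate's (D.D.D.D).
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 203.0.113.10 and icmp]
1.000101 port1 in 203.0.113.10 -> 198.51.100.1: icmp: echo request
1.000150 port1 out 198.51.100.1 -> 203.0.113.10: icmp: echo reply
2.000120 port1 in 203.0.113.10 -> 198.51.100.1: icmp: echo request
2.000170 port1 out 198.51.100.1 -> 203.0.113.10: icmp: echo reply
3.000090 port1 in 203.0.113.10 -> 198.51.100.1: icmp: echo request
3.000140 port1 out 198.51.100.1 -> 203.0.113.10: icmp: echo reply
""".splitlines()

if __name__ == "__main__":
    # User's ping summary reported 3 sent, 1 received; FortiGate answered all 3.
    print(analyse_ping_capture(SAMPLE_CAPTURE, 3, 1, "203.0.113.10", "198.51.100.1"))
```

In a real case, paste the sniffer output into a file and feed its lines to analyse_ping_capture together with the counts the user reads from their ping statistics.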


Second approach to the problem:


Check the authentication source for the remote users connecting to the DialUp IPsec VPN on FortiGate, for example whether it is local users, LDAP, RADIUS, etc. If the authentication source is a remote authentication server (LDAP, RADIUS, etc.), check how it is configured: for example, whether the user search path is configured and whether specific group(s) are matched on the remote authentication server.


To further confirm whether the above is the root cause, create a local user and add it to the DialUp IPsec VPN source group. Try to connect to the DialUp IPsec VPN using the newly created local user. If the remote connection is fast, this confirms that the remote authentication source is not configured properly. In this case, consider adding a group match on the specific remote authentication server group(s) on FortiGate.


Note: There could be other root causes for the slow connection to the DialUp IPsec VPN besides the ones mentioned in this article.