Description |
This article describes how to troubleshoot intermittent packet drops over SSL VPN, using a scenario in which FortiClient is installed on the client's PC and the client is trying to reach a server on the company's internal network behind a FortiGate.
The screenshot below, taken on the client machine, shows a ping to 10.5.5.64 receiving replies for only 1 packet out of 10.
|
Scope | FortiGate. |
Solution |
Step 1: Start a continuous ping from the client machine after connecting to SSL VPN with FortiClient, and at the same time run a packet sniffer on the FortiGate, filtered on the client's ICMP traffic to 10.5.5.64, as shown in the picture below:
The sniffer output is empty: no traffic from the client machine is reaching the FortiGate at all, so the lost packets are not being dropped inside the tunnel or on the internal network; they never enter the tunnel in the first place.
At this point, there are two likely reasons for the traffic not arriving at the FortiGate.
The first is that the client machine is not actually connected to SSL VPN. The second is that the client machine does not have a winning route to 10.5.5.64 through the tunnel interface. Step 1 has already confirmed that the PC is connected to SSL VPN, which leaves the client's routing table as the thing to check.
Step 2: Open the Command line on the user machine and check the routing table by running the command 'route print' as shown below:
These results show two routes that cover 10.5.5.64. One is injected by the FortiGate SSL VPN (network 10.5.0.0, interface 192.168.52.2, metric 1); the other is added by the Wi-Fi adapter of the client's PC (network 10.5.5.0, interface 192.168.1.7, metric 56).
Windows, like any IP stack, selects a route by longest prefix match first; the metric is only used to break ties between routes of equal prefix length. Because 10.5.5.0 is a more specific (longer) prefix than 10.5.0.0, the Wi-Fi route wins despite its much higher metric, and packets for 10.5.5.64 are sent out of the Wi-Fi adapter instead of into the VPN tunnel, where the internal server cannot be reached.
The network administrator needs to check the Wi-Fi settings to find out why that route is being injected into the routing table. One possible reason is that the same subnet is also in use on the Wi-Fi network (for example, the local LAN itself uses 10.5.5.0), which produces overlapping subnets between the local network and the VPN. Such an overlap is also a security concern, not just a connectivity one: traffic intended for the corporate server bypasses the encrypted tunnel and is delivered onto the local LAN instead.
Users can face this issue specifically in Dell machines, as explained in the article attached at the end. See this article for details on how to address this issue.
The command 'route DELETE <destination> MASK <subnet mask>' (run from an elevated command prompt) can be used to temporarily delete the route coming from the Wi-Fi adapter on the client's machine and re-test, as shown below. The deletion is not persistent: the route returns when the adapter reconnects or the machine reboots, so the permanent fix is to remove the cause of the overlap on the Wi-Fi side.
Results of the ping after the Wi-Fi route has been deleted:
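As an added illustration (not part of the original article, and not Fortinet code), the following Python script reproduces the route selection Windows performs on the table from Step 2: it parses a constructed 'route print' excerpt modelled on the scenario above, picks the route for 10.5.5.64 by longest prefix match with the metric as tie-breaker only, flags non-VPN routes that fall inside a VPN-injected prefix, and then shows which route wins once the Wi-Fi route is deleted. The netmasks (255.255.0.0 for the VPN route, 255.255.255.0 for the Wi-Fi route), the gateway column and the extra default and on-link routes are assumptions; the article only gives the prefixes, interfaces and metrics.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample of the IPv4 section of `route print`, modelled on the article's
# scenario. Netmasks, gateways and the default/on-link rows are assumptions.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.7     56
         10.5.0.0      255.255.0.0         On-link     192.168.52.2      1
         10.5.5.0    255.255.255.0      192.168.1.1     192.168.1.7     56
      192.168.1.0    255.255.255.0         On-link      192.168.1.7    306
     192.168.52.0    255.255.255.0         On-link     192.168.52.2    257
===========================================================================
"""

VPN_INTERFACE = "192.168.52.2"   # the SSL VPN virtual adapter from the article
TARGET = "10.5.5.64"             # the internal server being pinged

# One data row: destination, netmask, gateway (IP or "On-link"), interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Extract the active IPv4 routes from `route print` output; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Route selection as Windows does it: longest prefix wins, metric breaks ties only."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def overlapping_routes(routes: List[Route], vpn_iface: str) -> List[Route]:
    """Routes on other adapters that sit inside a VPN-injected prefix and are at least as
    specific as it; these steal traffic that should go through the tunnel."""
    vpn_nets = [r.network for r in routes if r.interface == vpn_iface]
    return [
        r for r in routes
        if r.interface != vpn_iface
        and any(r.network.subnet_of(v) and r.network.prefixlen >= v.prefixlen for v in vpn_nets)
    ]


def without_route(routes: List[Route], network: str) -> List[Route]:
    """Simulate `route delete <destination> mask <mask>` by dropping that exact prefix."""
    net = ipaddress.IPv4Network(network, strict=False)
    return [r for r in routes if r.network != net]


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_SAMPLE)
    print("winning route before:", select_route(table, TARGET))
    for r in overlapping_routes(table, VPN_INTERFACE):
        print("overlapping non-VPN route:", r)
    fixed = without_route(table, "10.5.5.0/24")
    print("winning route after deleting the Wi-Fi route:", select_route(fixed, TARGET))
```

Before the deletion the winner is 10.5.5.0/24 via 192.168.1.7 (metric 56); after it the 10.5.0.0/16 route via 192.168.52.2 (metric 1) takes over, which is exactly the change the ping results reflect. The overlap check is the part worth keeping around: run it against real 'route print' output on a client and any row it reports is a prefix on which VPN traffic is leaving the machine unencrypted.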
Related article: Technical Tip: Extra route in Windows routing table when connecting to SSL-VPN. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.