FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 286345
Description This article describes how to troubleshoot an issue where internet connection is lost after connecting to SSL VPN via FortiClient.
Scope FortiOS, FortiGate, FortiClient.

Some users encounter an issue where, when SSL VPN connections are established via FortiClient, the internet connection disconnects.


  1. Open a Command Prompt window with admin rights; this is important for changing network settings:



  1. Before starting the VPN, enter 'route print' in the Command Prompt to see the network routes.

  2. Look for the entry '' - this is the main internet path. Write down the IP address next to 'gateway' for this entry:




  1. After connecting to the VPN, do another 'route print' command. Note that, in the results displayed, the 'gateway' IP for the '' entry has changed. Take note of the new IP as well.

  2. Now remove the old route with 'route delete'.

  3. Finally, add a new route with 'route add MASK', <gateway IP noted down before connecting to VPN>.

    This should get the regular internet working again while connected to the VPN.


Note: If it is necessary to access the company’s servers, it will be necessary to add a specific route to them.

  • Use the Gateway IP noted after connecting to the SSL VPN FortiClient.
  • It is not necessary to specify the interface or metric.

This usually happens when not using split tunneling on the VPN. Without split tunneling, all traffic will be routed through the VPN because establishing the VPN in this case overwrites the default route.


This means that ALL traffic that does not match any other route on the client will use the new default route and hit the opposite end of the VPN. If there is no policy that allows VPN clients to reach the internet, internet connectivity will no longer be available on the PC.


To resolve this, either create a policy or enable split tunneling.

If the company admins will not configure split tunneling or an internet policy, use a temporary workaround by resetting the routing manually. This has to be done every time once VPN connection is established.


It will then be necessary to delete the default route and set a new one (which gateway can be looked up in the routing table when the VPN is not established). Additionally, set a route to the company subnet over the VPN.


Deleting the default route (and setting a new one) in Windows 10 may require administrator privileges.

Related article:
Technical Tip: Enabling split tunnel feature for SSL-VPN