This article describes how to troubleshoot internet connectivity issues on endpoints when the internet remains inaccessible even after disconnecting from FortiSASE VPN.
FortiSASE.
When the FortiSASE VPN is connected, internet traffic goes through the FortiSASE infrastructure; once the VPN is disconnected, internet traffic goes via the local router. Even though the local router's internet connection is working, the internet is not reachable from the endpoint.
Ping tests to 8.8.8.8 were initially successful for a few seconds, but subsequent attempts failed.
Traceroute results do not indicate reaching the default gateway, suggesting that the issue originates from the endpoint itself.
The internet starts working once the FortiSASE telemetry connection is disconnected.
Review the FortiSASE endpoint profile to verify whether the Network Lockdown feature is enabled.
First, verify which endpoint profile is mapped to the user’s PC.
Go to Monitoring -> Status -> Endpoints.
In this example, the endpoint tachyon-kvm03 matches the Windows Endpoint Profile.
Go to Endpoint Management -> Profiles -> Windows.
It is observed that the Network Lockdown feature is enabled.
On the FortiClient endpoint, the error 'Device has network restrictions. Please connect to a VPN' is displayed, indicating that the user's PC has been put in lockdown and must connect to the VPN for internet access.
The Endpoint Profile specifies: 'Unless the endpoint is connected to a tunnel, all traffic is blocked after a grace period.' This explains why internet access worked initially and was then blocked once the grace period expired without the user connecting to the VPN. If the VPN connection fails, the grace period resets and begins again. Additionally, certain destinations can be exempted from the Network Lockdown feature.
Network Lockdown is activated only when an endpoint is off-net. Administrators should carefully configure on-net rule sets to prevent unintended behavior.
When a VPN connection is attempted, the grace period is reset, and network lockdown is temporarily lifted, allowing internet access regardless of whether the VPN successfully connects. If the VPN is not established within the renewed grace period, network lockdown is reactivated on the endpoint, restricting internet access.
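The timing rules above can be modelled to check whether a captured sequence of ping results fits Network Lockdown or points to a different fault. This is an added example, not Fortinet code: the event names, the 10-second grace period, the restart of the grace period at VPN disconnect, and the sample timeline are assumptions constructed for illustration.

```python
from dataclasses import dataclass

GRACE_SECONDS = 10  # assumed value; the real one is set in the endpoint profile


@dataclass(frozen=True)
class Event:
    t: float   # seconds since the start of the capture
    kind: str  # "off_net", "on_net", "vpn_attempt", "vpn_up" or "vpn_down"


def blocked_at(events, t, grace=GRACE_SECONDS):
    """Return True if this simplified model says traffic is blocked at time t."""
    off_net, tunnel_up, grace_start = False, False, None
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t > t:
            break
        if ev.kind == "off_net":
            off_net, grace_start = True, ev.t
        elif ev.kind == "on_net":
            off_net, grace_start = False, None  # lockdown applies only off-net
        elif ev.kind == "vpn_attempt":
            grace_start = ev.t                  # any attempt restarts the grace period
        elif ev.kind == "vpn_up":
            tunnel_up = True
        elif ev.kind == "vpn_down":
            tunnel_up, grace_start = False, ev.t  # assumption: grace restarts here
    if not off_net or tunnel_up or grace_start is None:
        return False
    return t - grace_start >= grace


def unexplained_pings(events, pings, grace=GRACE_SECONDS):
    """pings is a list of (t, ok). Return times whose result contradicts the model."""
    return [t for t, ok in pings if ok == blocked_at(events, t, grace)]


# Constructed timeline: off-net endpoint, VPN up, disconnect at 30 s,
# failed reconnect attempt at 60 s.
SAMPLE_EVENTS = [Event(0, "off_net"), Event(0, "vpn_up"),
                 Event(30, "vpn_down"), Event(60, "vpn_attempt")]
# Constructed ping results: (seconds, reply received)
SAMPLE_PINGS = [(32, True), (36, True), (45, False), (55, False),
                (63, True), (72, False)]

if __name__ == "__main__":
    odd = unexplained_pings(SAMPLE_EVENTS, SAMPLE_PINGS)
    print("pings not explained by lockdown:", odd or "none")
```

An empty result means every success and failure lines up with the grace period, so the profile setting is the likely cause; any listed timestamp is a result that lockdown alone does not explain.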