digbo
New Contributor II

FortiClient IPSec VPN kills all network connections

Hi all,


I am trying to get my FortiClient IPSec VPN working, but so far without success. I'm using FortiClient 7.0.3.0193 on Windows 10. I have configured the IPSec connection the way the firewall admin told me, but every time I click on connect it just gets stuck forever at "Status: connecting" without establishing the connection. At the same time, the client kills almost all IPv4 and IPv6 connections from/to my laptop, so I lose all network connectivity until I click on disconnect. The only connection on my laptop that remains online and pingable during the connection phase is the link-local IPv6 address. All other outgoing and incoming pings from and to my machine fail, but as soon as I click disconnect all addresses are pingable and the system goes online again.


At first I thought it was a problem with the credentials, so I tested it with identical settings in a Windows 10 VM and there it works perfectly fine. The VPN gets established and the internet connection remains functional.


What am I missing? I'm thinking it could be some sort of routing issue, perhaps...?


//edit:


I just noticed that the problem only exists when the laptop is connected to my home WiFi. When I connected to my iPhone hotspot instead, it worked immediately. However, the VM I used for testing (mentioned above) is running on the same laptop, so technically it uses the same internet gateway (meaning that it cannot be an issue with the router).

1 Solution
digbo
New Contributor II

Update on this. Together with my FortiGate Admin we were able to find and resolve the issue. It was caused by a running service from another VPN client I had installed on my laptop (AVM FRITZ!Box). This client installs 3 services in Windows which are always running even when the client itself is terminated:


AVM FRITZ!Fernzugang Cert Service
AVM FRITZ!Fernzugang Client
AVM FRITZ!Fernzugang IKE Service


Stopping these services resolved the issue. I think it was probably the IKE Service which was blocking access to some IPSec modules in the OS.

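The check I would run on a machine showing these symptoms, as an added example that is not part of the original post: list the services of other VPN clients that are still running, and show which process currently owns UDP/500 and UDP/4500, the two ports an IKE client needs. The three AVM service names are the ones quoted in the solution; the wildcard patterns and the exclusion of FortiClient's own services and of Windows' IKEEXT are my assumptions about what a clean machine looks like.

```powershell
# Added example, not from the original thread. Assumes Windows 10 with the
# NetTCPIP module; run from an elevated PowerShell so port owners resolve.

# Service display names taken from the thread; the patterns are assumptions
# meant to catch similar products from other vendors.
$knownVpnServices = @(
    'AVM FRITZ!Fernzugang Cert Service',
    'AVM FRITZ!Fernzugang Client',
    'AVM FRITZ!Fernzugang IKE Service'
)
$patterns = @('*IKE*', '*IPsec*', '*VPN*')

function Get-CompetingVpnServices {
    # Services that look like another IKE/IPsec client, excluding FortiClient
    # itself and the built-in Windows IKE service (IKEEXT).
    Get-Service | Where-Object {
        $svc = $_
        $isKnown   = $knownVpnServices -contains $svc.DisplayName
        $byPattern = @($patterns | Where-Object { $svc.DisplayName -like $_ }).Count -gt 0
        $isOwn     = ($svc.DisplayName -like 'FortiClient*') -or ($svc.Name -eq 'IKEEXT')
        ($isKnown -or $byPattern) -and -not $isOwn
    } | Select-Object Name, DisplayName, Status, StartType
}

function Get-IkePortOwners {
    # On an unmodified Windows 10 box UDP 500/4500 are normally held by
    # svchost.exe hosting IKEEXT; any other owner is a competing IKE stack.
    Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '(unknown)' }
        }
    }
}

"Services from other VPN clients:"
Get-CompetingVpnServices | Format-Table -AutoSize

"Owners of UDP 500/4500 before connecting:"
Get-IkePortOwners | Format-Table -AutoSize

# Stop (but do not disable) the AVM services for this session, as the poster did.
foreach ($name in $knownVpnServices) {
    $s = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') {
        Stop-Service -InputObject $s -Force
        "Stopped $name"
    }
}

"Owners of UDP 500/4500 after stopping them:"
Get-IkePortOwners | Format-Table -AutoSize
```

If the port owner changes from a third-party process back to svchost (or the ports disappear from the list entirely) after the services are stopped, the competing client was in the IKE path; retry the FortiClient connection at that point. Stopping rather than disabling keeps the change reversible, which matters on a laptop that still needs the other client later.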

digbo
New Contributor II

Anyone....?

akumarr
Staff

Could you please provide me the routing table information (before and after connecting FortiClient) during the issue?

Best regards,
ARUNKUMAR.R.
digbo
New Contributor II

The routing table does not change during the connection attempt, so I guess it gets stuck before it even reaches this step. The routes are:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.22     50
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      169.254.0.0      255.255.0.0         On-link    192.168.178.22     51
      169.254.0.0      255.255.0.0         On-link        172.17.2.1     36
      169.254.0.0      255.255.0.0         On-link     192.168.198.1     36
  169.254.255.255  255.255.255.255         On-link    192.168.178.22    306
  169.254.255.255  255.255.255.255         On-link        172.17.2.1    291
  169.254.255.255  255.255.255.255         On-link     192.168.198.1    291
       172.17.2.0    255.255.255.0         On-link        172.17.2.1    291
       172.17.2.1  255.255.255.255         On-link        172.17.2.1    291
     172.17.2.255  255.255.255.255         On-link        172.17.2.1    291
       172.17.3.0    255.255.255.0         On-link        172.17.3.1    291
       172.17.3.1  255.255.255.255         On-link        172.17.3.1    291
     172.17.3.255  255.255.255.255         On-link        172.17.3.1    291
    192.168.111.0    255.255.255.0         On-link     192.168.111.1    291
    192.168.111.1  255.255.255.255         On-link     192.168.111.1    291
  192.168.111.255  255.255.255.255         On-link     192.168.111.1    291
    192.168.178.0    255.255.255.0         On-link    192.168.178.22    306
   192.168.178.22  255.255.255.255         On-link    192.168.178.22    306
  192.168.178.255  255.255.255.255         On-link    192.168.178.22    306
    192.168.198.0    255.255.255.0         On-link     192.168.198.1    291
    192.168.198.1  255.255.255.255         On-link     192.168.198.1    291
  192.168.198.255  255.255.255.255         On-link     192.168.198.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.178.22    306
        224.0.0.0        240.0.0.0         On-link        172.17.2.1    291
        224.0.0.0        240.0.0.0         On-link        172.17.3.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.111.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.198.1    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.178.22    306
  255.255.255.255  255.255.255.255         On-link        172.17.2.1    291
  255.255.255.255  255.255.255.255         On-link        172.17.3.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.111.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.198.1    291
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0       172.17.2.1       1
      169.254.0.0      255.255.0.0   192.168.178.22       1
      169.254.0.0      255.255.0.0    192.168.198.1       1
===========================================================================

Notes:

  • 192.168.178.1 is the default gateway (my router)
  • 192.168.178.22 is my laptop's address

The following networks are from virtual VMware network devices:

  • 172.17.2.0/24
  • 172.17.3.0/24
  • 192.168.111.0/24
  • 192.168.198.0/24

I have also tried to deactivate all VMware interfaces before connecting because I thought they might cause conflicts in the routing table, but the result is the same.


//edit:


During the connection attempt the error log keeps showing:

16.05.2022 21:28:43	error	ipsecvpn	date=2022-05-16 time=21:28:42 logver=1 id=96567 type=securityevent subtype=ipsecvpn eventtype=error level=error uid=D745A960E19C45AE9FDDCA96C5DF107E devid=FCT8003921876807 hostname=mylaptop pcdomain=N/A deviceip=192.168.198.1 devicemac=00-50-56-c0-00-08 site=N/A fctver=7.0.3.0193 fgtserial=FCT8003921876807 emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19041)" user=MyName msg="loc_ip=192.168.178.22 loc_port=500 rem_ip=xx.xx.xx.xx rem_port=500 out_if=0 vpn_tunnel=TunnelName status=negotiate_error init=local mode=xauth_clinet stage=1 dir=outbound status=failureInitiator: sent xx.xx.xx.xx aggressive mode message #1 (ERROR)" vpntunnel="TunnelName"
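A repeatable way to collect what akumarr asked for (routing table before and after the connect attempt), as an added example that is not part of the original thread. It also snapshots the interface addresses and probes the gateway while the client sits in "Status: connecting", because a client that drops all connectivity without touching the routes is filtering packets rather than rerouting them. The gateway address is the one the poster listed; everything else about the host is an assumption.

```powershell
# Added example, not from the original thread. Assumes Windows 10 with the
# NetTCPIP module; run from an elevated PowerShell. Gateway 192.168.178.1 is
# taken from the poster's notes above.

function Get-RouteSnapshot {
    # IPv4 and IPv6 routes, reduced to the columns that matter and sorted so
    # Compare-Object can diff two snapshots.
    Get-NetRoute -ErrorAction SilentlyContinue |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
        Sort-Object DestinationPrefix, NextHop, InterfaceAlias
}

function Get-AddressSnapshot {
    # Adapter addresses and their state; a client may drop connectivity here
    # (dedup/tentative state, removed address) rather than in the route table.
    Get-NetIPAddress -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, AddressFamily, IPAddress, AddressState |
        Sort-Object InterfaceAlias, AddressFamily, IPAddress
}

$gateway = '192.168.178.1'

$routesBefore = Get-RouteSnapshot
$addrsBefore  = Get-AddressSnapshot
"Gateway reachable before connecting: $(Test-NetConnection -ComputerName $gateway -InformationLevel Quiet)"

Read-Host "Click Connect in FortiClient, wait for 'Status: connecting', then press Enter"

$routesAfter = Get-RouteSnapshot
$addrsAfter  = Get-AddressSnapshot
"Gateway reachable during the attempt: $(Test-NetConnection -ComputerName $gateway -InformationLevel Quiet)"

"Routing table changes (<= only before, => only during the attempt):"
Compare-Object -ReferenceObject $routesBefore -DifferenceObject $routesAfter `
    -Property DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Format-Table -AutoSize

"Address changes:"
Compare-Object -ReferenceObject $addrsBefore -DifferenceObject $addrsAfter `
    -Property InterfaceAlias, AddressFamily, IPAddress, AddressState |
    Format-Table -AutoSize
```

An empty diff in both tables together with a failed gateway probe means the loss of connectivity is happening at the packet-filter level (for example FortiClient's own filtering during IKE negotiation, which the staff reply below describes) rather than through routing, which narrows the search considerably.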
digbo
New Contributor II

Nobody seen this error before? I'm still stuck here trying to get it to work...

seshuganesh
Staff

Hi Team,


It is expected behavior: whenever you are trying to establish an IPsec VPN, only ports 400 and 4500 will be open on that machine and all other ports will be blocked.
To change this behavior:
Step 1:

Open FCT, navigate to settings, create a backup of the configuration and make a copy of this file as we will be making some changes.


Step 2:

Edit the XML file, search for the IPsec section with the keyword <implied_SPDO> for the IPsec profile that you used, edit the following value, then save the XML file.

Change <implied_SPDO> to "1" and <implied_SPDO_timeout> to "60". The value is in seconds, and 60 seconds should be sufficient for the PC to receive the OTP email before the timeout blocks traffic other than the IPsec traffic. If the PC takes more than 60 seconds to receive the OTP, increase the value from 60 to a higher value.

Once the value is set, save the configuration and restore the config to FCT. Test it with one user PC and let me know if you face any issues.

For your Reference: https://docs.fortinet.com/document/forticlient/6.2.1/xml-reference-guide/96295/ike-settings
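The backup, edit and restore procedure above, done as a script so the change is visible and checkable rather than hand-edited; this is an added example, not code from the original post or from Fortinet. It assumes the exported backup is unencrypted XML and that, as in the FortiClient XML reference linked above, each IPsec connection carries an <ike_settings> element with <implied_SPDO> and <implied_SPDO_timeout> children and a <name> child identifying the tunnel. The file paths and tunnel name are placeholders.

```powershell
# Added example, not from the original thread. Assumed XML layout:
#   //ipsecvpn//connection/name                     (tunnel name)
#   //ipsecvpn//connection/ike_settings/implied_SPDO
#   //ipsecvpn//connection/ike_settings/implied_SPDO_timeout
param(
    [string]$BackupPath     = "$env:USERPROFILE\Desktop\forticlient-backup.xml",
    [string]$OutPath        = "$env:USERPROFILE\Desktop\forticlient-modified.xml",
    [string]$TunnelName     = 'TunnelName',   # placeholder: the <name> of the connection
    [int]   $TimeoutSeconds = 60
)

[xml]$cfg = Get-Content -Path $BackupPath -Raw

# Locate the IPsec connection whose <name> matches the tunnel we are changing.
$conn = $cfg.SelectNodes('//ipsecvpn//connection') |
    Where-Object { $_.SelectSingleNode('name').InnerText -eq $TunnelName } |
    Select-Object -First 1
if (-not $conn) { throw "No IPsec connection named '$TunnelName' in $BackupPath" }

$ike = $conn.SelectSingleNode('ike_settings')
if (-not $ike) { throw "Connection '$TunnelName' has no <ike_settings> element" }

# Set both values, creating the elements if the export did not include them,
# and print old -> new so the change can be reviewed before restoring.
$wanted = [ordered]@{ implied_SPDO = '1'; implied_SPDO_timeout = "$TimeoutSeconds" }
foreach ($pair in $wanted.GetEnumerator()) {
    $node = $ike.SelectSingleNode($pair.Key)
    if (-not $node) {
        $node = $cfg.CreateElement($pair.Key)
        [void]$ike.AppendChild($node)
    }
    "{0}: '{1}' -> '{2}'" -f $pair.Key, $node.InnerText, $pair.Value
    $node.InnerText = $pair.Value
}

$cfg.Save($OutPath)
"Wrote $OutPath; restore it in FortiClient (Settings > Restore), then retest the tunnel."
```

Keep the untouched backup alongside the modified file so the change can be reverted with a second restore if it does not help, which is what happened in this thread.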


digbo
New Contributor II

Thank you for your reply. Unfortunately, this didn't help either. I have set <implied_SPDO> to "1" and <implied_SPDO_timeout> to "60" and then imported the config from that XML file again, but the error persists. Also, I don't use any MFA or OTP with the IPSec VPN. The config just uses a pre-shared key, username and password. It works perfectly fine in my VM, but keeps getting stuck at "Status: connecting" when trying it directly on my laptop.

seshuganesh

The suggestion I gave earlier was for the other issue you mentioned: that you are not able to reach any other service while the VPN is connecting.

For the VPN getting stuck, please collect these logs at the time of the issue:

diag vpn ike log-filter dst-addr4 a.b.c.d (where a.b.c.d is the public IP of the VPN from where they are connecting)

diag debug application ike -1

diag debug enable


Then try connecting to the VPN. It will generate some logs; afterwards, disable the debug by executing the command "diag debug disable".

Please share logs with us for further checking

digbo
New Contributor II

Are those commands I need to run on my client (where the FortiClient is installed) or on the FortiGate firewall?

UnderscoresAndDashes

On the firewall itself. 
