ThePro
New Contributor III

FortiClient VPN - Connects ok, BUT No Remote Access & No Internet

I have a remote user that for an unknown reason started to have issues connecting remotely.

 

No changes were made on the Fortigate. According to the user, there were also no changes on the remote user's side of the network (same ISP, same router). Prior to the issue they had been connecting on a daily basis without any issues since it was set up months ago.

 

FortiClient connects but I lose Internet access and I can't ping the devices at the main office. I also noticed that I don't get an IP assigned.

 

I already restarted the Fortigate and deleted and recreated the FortiClient VPN.

 

Office/Fortigate network/subnet is 10.10.10.0

Remote site's network/subnet is 10.0.0.0

 

I have experienced issues in the past with overlapping subnets with FortiClient, but in those cases the device connecting remotely didn't lose Internet access; it just had issues accessing some devices at the office if some IP overlapped. They have been working fine for months.

 

Could it be issues with the subnets? Something else?

5 Solutions
Toshi_Esumi
Esteemed Contributor II

Is the tunnel supposed to split (local internet) or go over the tunnel and get out to the internet from the FGT? Check the routing table on the client device (PC, Mac, etc.) depending on split-tunnel set up.


ThePro
New Contributor III

toshiesumi wrote:

Is the tunnel supposed to split (local internet) or go over the tunnel and get out to the internet from the FGT? Check the routing table on the client device (PC, Mac, etc.) depending on split-tunnel set up.

I have split-tunnel enabled.


Toshi_Esumi
Esteemed Contributor II

Then it's a problem on the client side if it loses internet. Something must have changed on the device or the FortiClient.

For the access problem over the tunnel, again, you should check those specific routes are actually inserted into the routing table.


ThePro
New Contributor III

I don't think it's specifically on the client's side. I have configured the VPN on a few workstations afterwards and some work, others don't.

 

Those that don't, I notice the VPN connects, but on the FortiClient window it doesn't have an IP assigned (it appears blank).


Toshi_Esumi
Esteemed Contributor II

You need to run debugging on the FGT when it fails. If IPsec, "diag debug app ike -1". If SSL VPN, "diag debug app sslvpn -1".


suneerkadooran

Dear , 

You have to create an IPv4 policy between your VPN interface and your WAN interface.

source=vpn interface

destination=wan interface

allow all,

Please try it.
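
The routing-table check recommended earlier in the thread, as an added example that is not part of any post: it parses Windows `route print -4` output and reports whether office-bound and internet-bound traffic leaves via the tunnel, the default route, or a local on-link route. The /24 masks, the gateway and the tunnel address 10.212.134.200 are constructed assumptions; the thread gives only 10.10.10.0 and 10.0.0.0.

```python
import ipaddress

def parse_route_print(text):
    """Parse IPv4 rows of `route print -4` into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue                      # header, separator or blank line
        try:
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[1]}"), f[2],
                           ipaddress.ip_address(f[3]), int(f[4])))
        except ValueError:
            continue                      # five tokens but not a route row
    return routes

def best_route(routes, dest):
    """Longest-prefix match, lowest metric as tie-break (None if nothing matches)."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def diagnose(text, office_net, tunnel_ip):
    """Classify where office-bound and internet-bound traffic leaves the client."""
    routes = parse_route_print(text)
    tunnel = ipaddress.ip_address(tunnel_ip)
    def via(dest):
        r = best_route(routes, dest)
        if r is None:
            return "no-route"
        if r[2] == tunnel:
            return "tunnel"
        return "default-route" if r[0].prefixlen == 0 else f"local {r[0]}"
    office_host = next(ipaddress.ip_network(office_net).hosts())
    # 192.0.2.1 (documentation range) stands in for any internet destination.
    return {"office": via(office_host), "internet": via("192.0.2.1")}

# Constructed samples; masks, gateway and tunnel address are assumptions.
BASE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.25     25
         10.0.0.0    {lan_mask}         On-link         10.0.0.25    281
"""
SPLIT = "       10.10.10.0    255.255.255.0     10.212.134.1   10.212.134.200      1\n"
TUNNEL_IP = "10.212.134.200"

if __name__ == "__main__":
    for name, table in [("split route present", BASE.format(lan_mask="255.255.255.0") + SPLIT),
                        ("split route missing", BASE.format(lan_mask="255.255.255.0")),
                        ("missing, LAN is /8", BASE.format(lan_mask="255.0.0.0"))]:
        print(name, diagnose(table, "10.10.10.0/24", TUNNEL_IP))
```

In the third case the client's own 10.0.0.0/8 on-link route captures 10.10.10.0/24, so office traffic stays on the local LAN instead of following the default route.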