st3fan
New Contributor III

Random FortiClient (IPsec VPN) disconnects

Hi everyone

Some of our users' FortiClient IPsec VPN connections (Windows 10 x64, FortiClient 6.0.9, FortiGate 6.0.9) drop numerous times a day. Some users have to reconnect more than 10 times a day. The connection simply drops while they are working, and for no apparent reason as applications such as Skype, Teams etc. remain online. Even if there was packet loss for a moment, it must have been very brief.

This does not affect all of our users. For the majority of our users the FortiClient connection is pretty stable. In my experience, the quality of the Internet link makes a big difference. I have experienced frequent disconnects myself on my ADSL home Internet link whereas I don't experience any disconnects anymore now that I am on fibre. All workstations are set up using an image and are therefore identical in the way they are configured. So I don't think the problem lies there.


All users connect to the same IPsec dialup tunnel (ike=1, authentication=psk, mode=aggressive, lifetime=86400/43200, dpd-retrycount=3, dpd-retryinterval=15) and since this is not affecting everyone, I guess we can rule out an issue on the FortiGate too. This therefore points to the FortiClient itself.


Is anyone else experiencing this? Are there any recommendations to make the FortiClient more resilient in this regard? This issue has been bugging us for almost three years. We have started with FortiGate/FortiClient 5.4.x and upgrading to different versions (which is something Support always likes to suggest) has made zero difference. I have opened another ticket with Support a few weeks ago but there has not been any progress so far.


I would appreciate your input on this. Thank you.


Kind Regards

Stefan

st3fan
New Contributor III

Any comments, suggestions etc. from anyone?


Thanks,

Stefan

tanr
Valued Contributor II

I haven't run into this myself, but we only use FortiClient SSL VPN for a couple clients (on 6.0.9).

 

What do the FortiGate's VPN logs look like for those disconnects?  Since it sounds like the same users keep having issues, hopefully you can collect some useful logs on this.  References:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/340035/troubleshooting#The2

From what you're saying, it sounds like something about the ISP line is affecting it, so it would be useful to collect data from the users with issues, like are they all PPPoE with smaller MTUs, have odd port-forwarding set up, double-NAT, etc.

 

If you can get some sanitized logs and common network details of the users with problems hopefully TAC or someone here with more knowledge than me could point you in the right direction.

st3fan
New Contributor III

Thanks for your comments!


I have spent the last few weeks troubleshooting this issue with FortiGate Support and they have confirmed that it is not the FortiGate that is causing these issues. It seems the FortiClient is sending an "IPsec ISAKMP SA delete" to the FortiGate - which then terminates the connection. It does not make sense to me as our users are busy working and then suddenly the connection drops. Support was unable to determine why this keeps happening and they advised to get FortiClient support licenses so that FortiClient Support can investigate.


I do think that the ISP line does play a role here. Why else would users on a very stable (e.g. fibre) Internet link have no problem whatsoever and users who connect via e.g. mobile hotspot or ADSL lose connection so frequently. I don't know, it just does not make sense to me but I am also concerned that spending money on FortiClient EMS (which as far as I understand is required for FortiClient Support - and at this stage we wouldn't even be interested in all these additional features) is not going to lead to any solution either.


st3fan
New Contributor III

I have done further tests on my own notebook now. For testing purposes I briefly unplugged my network cable while I was connected via VPN. After a few seconds I plugged it back in. This only resulted in 3 dropped pings - which is nothing - yet my VPN connection disconnected. Is this normal?

 

ping 8.8.8.8 -t

Reply from 8.8.8.8: bytes=32 time=26ms TTL=57
Reply from 8.8.8.8: bytes=32 time=26ms TTL=57
Reply from 8.8.8.8: bytes=32 time=24ms TTL=57
Reply from 8.8.8.8: bytes=32 time=23ms TTL=57 ==> unplugged network cable
Request timed out.
Request timed out.
Request timed out. ==> VPN disconnected
Reply from 8.8.8.8: bytes=32 time=42ms TTL=56 ==> plugged in network cable
Reply from 8.8.8.8: bytes=32 time=29ms TTL=56
Reply from 8.8.8.8: bytes=32 time=24ms TTL=56
Reply from 8.8.8.8: bytes=32 time=22ms TTL=56
...

 

Regards

Stefan
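Added example, not part of the thread: a short Python script that estimates the outage length from a `ping -t` transcript like the one above and compares it with the gateway's dead-peer-detection window from the phase1 values in the opening post (dpd-retrycount=3, dpd-retryinterval=15). Assumptions: Windows ping waits its default 4 s per lost echo, and the gateway gives up on a peer only after retrycount probes spaced retryinterval apart go unanswered; the transcript embedded in the code is constructed.

```python
import re

# Phase1 values quoted in the opening post of this thread.
DPD_RETRYCOUNT = 3
DPD_RETRYINTERVAL_S = 15
# Assumptions: Windows ping waits 4 s for each lost echo (default timeout)
# and sends roughly one echo per second while replies arrive.
PING_TIMEOUT_S = 4.0
PING_INTERVAL_S = 1.0

# Constructed sample, shaped like the transcript in the post above.
SAMPLE = """\
Reply from 8.8.8.8: bytes=32 time=26ms TTL=57
Reply from 8.8.8.8: bytes=32 time=23ms TTL=57 ==> unplugged network cable
Request timed out.
Request timed out.
Request timed out. ==> VPN disconnected
Reply from 8.8.8.8: bytes=32 time=42ms TTL=56 ==> plugged in network cable
Reply from 8.8.8.8: bytes=32 time=29ms TTL=56
"""

def outages(transcript):
    """Rough upper bound, in seconds, for each run of lost echoes."""
    runs, lost = [], 0
    for line in transcript.splitlines():
        if re.match(r"\s*Request timed out\.", line):
            lost += 1
        elif re.match(r"\s*Reply from ", line):
            if lost:
                # Each loss costs one timeout; add one send interval of slack.
                runs.append(lost * PING_TIMEOUT_S + PING_INTERVAL_S)
            lost = 0
    if lost:  # transcript ended while the link was still down
        runs.append(lost * PING_TIMEOUT_S + PING_INTERVAL_S)
    return runs

def dpd_budget_s(retrycount=DPD_RETRYCOUNT, retryinterval=DPD_RETRYINTERVAL_S):
    """Seconds of silence before the gateway would declare the peer dead."""
    return retrycount * retryinterval

def classify(transcript):
    """Label each outage by whether gateway DPD expiry could explain a drop."""
    budget = dpd_budget_s()
    return [(secs, "shorter than gateway DPD budget" if secs < budget
             else "gateway DPD expiry possible")
            for secs in outages(transcript)]

if __name__ == "__main__":
    for secs, verdict in classify(SAMPLE):
        print(f"outage <= {secs:.0f}s, budget {dpd_budget_s()}s: {verdict}")
```

An outage that is shorter than the budget but still ends in a disconnect points away from gateway DPD expiry, which matches what Support reported earlier in the thread about the delete coming from the client.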

pigsign
New Contributor

Is your FortiGate a 61F? If yes, try disabling the IPsec Phase1 npu-offload function, like below:

# config vpn ipsec phase1-interface
# edit <phase-1-name>
# set npu-offload disable
# end

st3fan
New Contributor III

No we don't use 61F. We tried disabling npu offload but this did not make a difference unfortunately.


I have done further tests and I can say without a doubt that FortiClient is the issue. I connected two notebooks at the same time, one with NCP Secure Entry, the other with FortiClient. Then I unplugged the Ethernet cable and waited a few seconds. FortiClient dropped the connection almost immediately whereas NCP stayed connected. In a second test I unplugged the cable for 60 seconds and even then NCP did not drop.


So that's disappointing. Seems like FortiClient is simply not reliable enough if there is some packet loss on the network.


mtl83
New Contributor

I am having this issue in my organisation also. Frequent disconnects affecting the vast majority of staff, despite consistent and good ping, zero packet loss and low jitter.

st3fan
New Contributor III

I tested the paid FortiClient version today. There is a setting called "always up" which solves these problems. I repeated the tests mentioned above and pulled the network cable for a minute or so. The VPN connection did not drop. So I guess they make one pay for a reliable solution.

Mahmoud_Reda

Hello,

I am facing a similar issue. Before changing my ISP (due to moving to a new apartment), IPsec VPN and SSL VPN were working fine without any issue. Just after I changed my ISP, IPsec VPN disconnects every time, almost 10 seconds after being connected; SSL VPN is stable and working fine. So I am almost pretty sure that it is an ISP issue. Has anyone found a solution to this issue other than purchasing the paid FortiClient version?

Thank you in advance

Best Regards
