Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
6sITdept
New Contributor III

VPN Event log; odd entry

I have a FortiGate 100E. I was looking at the VPN log and saw some odd entries:

 

date=2022-08-24 time=15:31:23 eventtime=1661380284231585110 tz="-0700" logid="0101040019" type="event" subtype="vpn" level="information" vd="root" logdesc="L2TP client disconnected" action="disconnect" status="success" msg="Client 154.89.5.116 control connection (id 1) finished"

 

There's a bunch of entries that show this "disconnect", but there are no messages saying there is a connection, such as "Action=Connect" or "msg=..Started".

Has anyone seen this before? Does anyone know what this means (in the big picture)? Am I in danger?

akumarr
Staff

Hi 6sITdept,

May I know the device firmware version?
Were there any config changes made recently?


Best regards,
ARUNKUMAR.R.
6sITdept
New Contributor III

Hi, we are on 7.0.3. Nothing done internal to externally. Internally, we updated our LDAP servers.

6sITdept
New Contributor III

Any thoughts? Listed my firmware as 7.0.3.

6sITdept
New Contributor III

Got another one: 

(absolute time): 2022/09/02 09:30:19

Client 223.71.167.166 control connection (id 1) finished

 

Abuse IP says that this IP comes from China. 

vsahu
Staff

Hello 6sITdept,

Can you check whether L2TP is enabled on the firewall, and also confirm whether you are using L2TP in your network?

 

show vpn l2tp
show full | grep -f l2tp

 

Regards,
Vishal Sahu
6sITdept
New Contributor III

Hi vsahu, executing "show vpn l2tp" does show "set status enable".

Executing the 2nd command, "show full | grep -f l2tp", produces a huge, long list of commands that show how the firewall is set up. I am not going to post that here unless you need a certain section that I can sanitize.

 

We are using FortiClient for VPN and using IPsec. I'm reading more, but that does not sound like L2TP. Is that correct?

Hope that helps.

vsahu
Staff

Hello 6sITdept,

 

If you're not using L2TP in your network, then I'll suggest disabling L2TP; it will resolve your issue:

config vpn l2tp
    set status disable
end

 

To check, you can use the commands below:

diagnose debug enable
diagnose vpn l2tp status
diagnose vpn l2tp tunnel

 

You can go through the docs below to learn more about L2TP:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-L2TP-using-interface-rout...

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/539712/configuring-l2tp-vpns

https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/386346/l2tp-over-ipsec

 

Regards,
Vishal Sahu
6sITdept
New Contributor III

I disabled the L2TP and then tried my current VPN access. Everything is working. It appears that disabling L2TP does not affect my current VPN. Thank you for your advice.
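
One way to pull the pattern discussed in this thread out of an exported event log, L2TP disconnects with no earlier connect from the same client, grouped by source IP. This is an added example, not code from the thread or from Fortinet. Only the first sample line comes from the thread; the other lines are constructed, and the format of a "connect" entry (action="connect", msg ending in "started") is an assumption based on what the original poster expected to see.

```python
import re
from collections import Counter

# FortiGate event logs are key=value pairs; values with spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CLIENT = re.compile(r"Client (\S+) control connection")

# Line 1 is the entry quoted in the thread; the rest are constructed samples.
# The connect-line format is an assumption, not taken from the page.
SAMPLE = [
    'date=2022-08-24 time=15:31:23 eventtime=1661380284231585110 tz="-0700" '
    'logid="0101040019" type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="L2TP client disconnected" action="disconnect" status="success" '
    'msg="Client 154.89.5.116 control connection (id 1) finished"',
    'subtype="vpn" logdesc="L2TP client connected" action="connect" '
    'msg="Client 203.0.113.7 control connection (id 2) started"',
    'subtype="vpn" logdesc="L2TP client disconnected" action="disconnect" '
    'msg="Client 203.0.113.7 control connection (id 2) finished"',
    'subtype="vpn" logdesc="L2TP client disconnected" action="disconnect" '
    'msg="Client 198.51.100.23 control connection (id 1) finished"',
    'subtype="vpn" logdesc="L2TP client disconnected" action="disconnect" '
    'msg="Client 198.51.100.23 control connection (id 1) finished"',
]

def parse(line):
    """Turn one key=value log line into a dict, stripping the quotes."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def orphan_l2tp_disconnects(lines):
    """Count, per client IP, L2TP disconnects that had no earlier connect."""
    connected, orphans = set(), Counter()
    for line in lines:
        event = parse(line)
        if event.get("subtype") != "vpn" or "L2TP" not in event.get("logdesc", ""):
            continue
        match = CLIENT.search(event.get("msg", ""))
        if not match:
            continue
        ip = match.group(1)
        if event.get("action") == "connect":
            connected.add(ip)
        elif event.get("action") == "disconnect":
            if ip in connected:
                connected.discard(ip)  # paired session, not an orphan
            else:
                orphans[ip] += 1
    return orphans

if __name__ == "__main__":
    for ip, count in orphan_l2tp_disconnects(SAMPLE).most_common():
        print(f"{ip}: {count} disconnect(s) with no matching connect")
```

Addresses that appear in the result without being known L2TP clients match what the original poster saw; the thread's answer was to disable L2TP when it is not in use.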