CarmelKevin
New Contributor

VPN connection works only over wifi, not wired

I'm running FortiClient to connect from home to my organization's VPN.  Everything works fine when my laptop is connected via wifi.  However, if I plug the ethernet cable (from the very same home network) into the laptop and connect FortiClient, I cannot connect to any of my organization's servers, even though the VPN connection succeeds and is reporting an active connection.

 

Any ideas?

boneyard
Valued Contributor

first suspect is your home router / modem / ap / ... does it have different settings for the wireless compared to the wired part? or are they different devices all together?

 

it might be worth to call your ISP helpdesk (assuming they provide the equipment) on this.

CarmelKevin
New Contributor

So, I gave AT&T a call this morning and... wait for it... they were no help.  They ran many tests to let me know that my internet connection is up (of course it's up).

 

You do have an interesting thought that the router and the wireless access point are separate devices, so there must be some setting difference that I can find.  However, it's odd that my VPN requests go from laptop -> access point -> router -> corporate VPN -> network servers, and this works fine.  But going from laptop -> router -> corporate VPN, it connects to VPN, but cannot see network servers.

Toshi_Esumi
Esteemed Contributor II

First thing to suspect is the IP/subnet you get from wifi or LAN. Depending on how the FGT side is set up (NAT or no NAT), the LAN subnet might conflict with the server side. Since the tunnel comes up in both cases, I would compare the routing table of your machine when the tunnel is up, then do some traceroutes toward the server to see how far it can get. At least it would tell you whether it's on the local side or the server side.

Dwayne_A

On the hardwire, make sure that the adapter isn't set as static and maybe has a different DNS server that could be blocking it.

 

most wired/hardwire use the same IP subnet but wireless is always dhcp 

make sure the lan adapter is dhcp also. 

lastly I would remove the lan adapter, reboot and let it re-add back to the laptop 

that will remove all configuration and it should run like the wireless. 

let us know

 

Yurisk
Valued Contributor

If in both cases you connect via the same local router to the Internet, the first possibility is that something goes wrong with the routing table when connected over the wired network. To find out, compare the routing table of your PC when connected via wireless vs. when connected via wired:

PC/Windows: cmd -> route print

Linux/Mac: netstat -rn

 

The second option would be local firewall settings on your computer. If it is Windows, for example, you may be getting different Windows Firewall profiles/rules applied on different connections.

 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
CarmelKevin

I have a resolution!  Thanks to each of you that replied and gave me clues of where to look!

 

After running some tracert and nslookup commands I found that while wired, I was not able to resolve DNS names, only IP addresses.  But when connected via wifi it was resolving DNS names.

 

With that info I found this link...

http://woshub.com/dns-resolution-via-vpn-not-working-windows/

 

It says that there's a priority order in which Windows will try to resolve DNS names.  Using the PowerShell command Get-NetIPInterface | Sort-Object Interfacemetric, I found that my priority order (specified by the Interface Metric) was Ethernet, VPN, then Wifi.  This meant that when on Ethernet, it was trying to resolve DNS locally, which failed.  But when on wifi, the VPN had higher priority, so it went out over VPN to resolve the DNS successfully.

 

To fix this, I modified the settings (Ethernet adapter > Properties > Internet Protocol Version 4 > Properties > Advanced) and changed from Automatic metric to a hard-coded value of 120.  This number is higher than the value that VPN is using (25).  So now the VPN has the lower number (higher priority) and is used first to resolve the DNS names.  I changed this setting as well for IP version 6.
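The diagnosis and fix described in the post above, as an added PowerShell example that is not from the thread or from Fortinet. It assumes the wired adapter's alias is "Ethernet" and that the FortiClient adapter's alias is passed in as $VpnAlias (the default "fortissl" is an assumption; check Get-NetAdapter); $TestName is a placeholder internal hostname, and the script must run elevated with the tunnel up.

```powershell
# Added example (not from the thread). Shows the interface order Windows uses for
# DNS, flags a wired adapter that outranks the VPN adapter, and optionally applies
# the metric change from the post (hard-coded 120) for both IPv4 and IPv6.
param(
    [string]$WiredAlias = "Ethernet",
    [string]$VpnAlias   = "fortissl",   # assumption: verify with Get-NetAdapter
    [int]$NewMetric     = 120,          # must be higher than the VPN adapter's metric
    [string]$TestName   = "intranet.example.corp",  # placeholder internal hostname
    [switch]$Apply
)

# 1. Lowest InterfaceMetric wins, so this is the DNS resolution order
Write-Host "Connected interfaces ordered by metric (lowest = highest priority):"
Get-NetIPInterface -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, AddressFamily, InterfaceMetric, AutomaticMetric |
    Format-Table -AutoSize

# 2. Which DNS servers each interface would send queries to
Write-Host "DNS servers per interface:"
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses |
    Format-Table -AutoSize

# 3. Detect the misordering from the post: wired metric <= VPN metric
$vpnMetric   = (Get-NetIPInterface -InterfaceAlias $VpnAlias   -AddressFamily IPv4 -ErrorAction Stop).InterfaceMetric
$wiredMetric = (Get-NetIPInterface -InterfaceAlias $WiredAlias -AddressFamily IPv4 -ErrorAction Stop).InterfaceMetric
if ($wiredMetric -le $vpnMetric) {
    Write-Warning "$WiredAlias (metric $wiredMetric) outranks $VpnAlias (metric $vpnMetric): internal names go to the home DNS server first."
} else {
    Write-Host "$VpnAlias (metric $vpnMetric) already outranks $WiredAlias (metric $wiredMetric)."
}

# 4. Apply the fix only when asked; setting InterfaceMetric also disables AutomaticMetric
if ($Apply -and $wiredMetric -le $vpnMetric) {
    foreach ($family in "IPv4", "IPv6") {
        Set-NetIPInterface -InterfaceAlias $WiredAlias -AddressFamily $family -InterfaceMetric $NewMetric
    }
    Write-Host "Set $WiredAlias metric to $NewMetric for IPv4 and IPv6."
}

# 5. Re-test name resolution with the current interface order
Write-Host "Resolving $TestName:"
try   { Resolve-DnsName -Name $TestName -ErrorAction Stop | Select-Object Name, Type, IPAddress }
catch { Write-Warning "Lookup failed: $($_.Exception.Message)" }
```

Run it once without -Apply to see the ordering, then with -Apply to set the metric; rerun without -Apply to confirm the VPN adapter now sorts above the wired one.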

 

pachr

In my case the above solution won't work.
My problem started after a Lenovo Dock Ethernet driver update. When I roll back the driver to the 2019 version instead of the 2022 version, it works OK. It also works when I plug the Ethernet cable directly into my laptop or use WiFi or LTE. The problem is that the Ethernet driver version dated March 2022 for the Lenovo Dock was issued for Windows 11 along with a firmware update; using the older driver, although it works with Forti, sometimes drops the internet connection.
I run Windows 11.
I think that many users who report the issue stating that VPN works fine over WiFi may have some compatibility issues between FortiVPN and their Ethernet drivers.

pachr_0-1661772908407.png

Above is non-compatible driver. One needs

Below is compatible driver:

pachr_1-1661773035231.png