Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
yimc
New Contributor

Apipa FortiClient doesn't work with win11

Hi guys, Windows 11, I connect to vpn FortiClient 7.0.7.0345 but the route print output is apipa.

 

 

Screenshot_1.jpg

6 REPLIES 6
ebilcari
Staff
Staff

If the client is stuck on APIPA than something is wrong with the DHCP server/scopes or the network you have configured for that VPN.

--
emirjon
Sheikh
Staff
Staff

Hi Yimc,

 

You might need to run Packet capture using "Wireshark" or some other tools, to find whether the DHCP handshake process is completed or stuck at some point. Below are the four messages exchanged during this process.

 

1. Discover : Client broadcast to find available DHCP servers.

2. Offer: If the DHCP server is available, then it responds with available address and options.

3. Request: Client requests offered address.

4. Ack: Server acknowledges client's requests for address information. 

 

regards,

 

Sheikh

yimc
New Contributor

hi Sheikh! Thanks to help me,

Is works in Windows 10! I will try wireshark, I didn't know it!

pminarik
Staff
Staff

Assuming this is SSL-VPN (can you confirm?), I remember seeing the client default to APIPA when the IP to be assigned was in conflict with another interface's IP/subnet.

Can you please check what IP ranges the FortiGate is using to assign IPs to clients, and then verify that it doesn't overlap with the subnet of any other interface on that client?

[ corrections always welcome ]
yimc
New Contributor

My team did this, but the problem still exists.
I connect to the VPN, still get APIPA IP, I can't reach the machines via mstsc or ping.

About Wireshark , what you need to help me?

pminarik

I don't think that wiresharking is particularly helpful in this case, as the IP is not assigned through DHCP (it's assigned through some HTTPS-like communication in SSL-VPN itself).

You may want to inspect your FortiClient's debug logs (switch to debug level) + FortiGate's sslvpn debug outputs, gathered while the issue is being reproduced.

 

If you have an EMS license, consider reaching out to TAC through a support ticket (provide the EMS serial number) for assistance.

[ corrections always welcome ]