I wasn't able to connect to an IPsec VPN through FortiClient VPN (7.0.2.0090 free) when updated to Windows 11 (build 22000), SSL VPNs were working fine. When I downgraded to Windows 10 (21h2 build 19044.1415) the IPsec VPN started working again.
This is the error that I got on FortiClient
And this is the log that I exported
12/28/2021 4:02:55 PM info sslvpn date=2021-12-28 time=16:02:54 logver=1 id=96602 type=securityevent subtype=sslvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="SSLVPN service started successfully" vpnstate=
12/28/2021 4:03:04 PM info system date=2021-12-28 time=16:03:03 logver=1 id=96823 type=systemevent subtype=system eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="Checking for updates"
12/28/2021 4:04:26 PM info ipsecvpn date=2021-12-28 time=16:04:25 logver=1 id=96566 type=securityevent subtype=ipsecvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="loc_ip=192.168.100.2 loc_port=500 rem_ip=<vpn-external-ip> rem_port=500 out_if=0 vpn_tunnel=RS IPsec action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent <vpn-external-ip> aggressive mode message #1 (OK)" vpntunnel="RS IPsec"
12/28/2021 4:04:38 PM warning ipsecvpn date=2021-12-28 time=16:04:37 logver=1 id=96561 type=securityevent subtype=ipsecvpn eventtype=error level=warning uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=192.168.224.1 devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 11 , 64-bit (build 22000)" user=bueno msg="No response from the peer, phase1 retransmit reaches maximum count" vpntunnel="RS IPsec" locip=192.168.100.2 locport=500 remip=<vpn-external-ip> remport=500
This is a log exported after a successful connection (in W10)
12/30/2021 8:24:23 AM info ipsecvpn date=2021-12-30 time=08:24:22 logver=1 id=96566 type=securityevent subtype=ipsecvpn eventtype=status level=info uid=19AEBE88942A48F59578C42AA765D590 devid=FCT8003159070034 hostname=DESKTOP-5BJFTJ3 pcdomain=N/A deviceip=<my-external-ip> devicemac=<redacted> site=N/A fctver=7.0.2.0090 fgtserial=FCT8003159070034 emsserial=N/A os="Microsoft Windows 10 , 64-bit (build 19041)" user=bueno msg="loc_ip=192.168.100.2 loc_port=4500 rem_ip=<vpn-external-ip> rem_port=4500 out_if=0 vpn_tunnel=CIEE-RS action=negotiate init=local mode=quick stage=2 dir=outbound status=success Initiator: sent <vpn-external-ip> quick mode message #2 (DONE)" vpntunnel=CIEE-RS
In this log the loc_port and rem_port are different (4500, in the other log it's 500), also the deviceip is my external IP, not a local IP (that doesn't look like an IP that my machine would be using).
I don't know if that's causing the problem, but it's all I can find.
Does anyone have any tips?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 02-15-2022 11:08 AM Edited on 02-15-2022 11:21 AM
I figured out the issue. It is a Windows 11 Ethernet driver issue.
Wifi connects to VPN, Ethernet via USB to Eth adapter works.
I downgraded to Win10 Realtek 10.54 driver version.
That fixed the issue for me.
Realtek PCIe FE / GBE / 2.5G / Gaming Ethernet Family Controller Software - REALTEK
let me know if this works for anyone else.
Hey jfbueno,
in the non-working snippet, there is this:
msg="No response from the peer, phase1 retransmit reaches maximum count"
that indicates your FortiClient is not getting a response from whatever VPN server it is trying to reach. Can you do the following?
- google "what is my IP" on the client to figure out your public IP
- on the VPN server, capture traffic for that public IP and port 500/4500 (IPSec VPN should start at port 500 and then move to 4500 if NAT is detected, as it should be in your case)
- that should give you some idea where establishing the tunnel breaks down
Hey, Debbie.
Since this is a third-party VPN where I am an external contractor I will contact them and try to run these tests on the VPN server.
Thanks!
@jfbueno @Debbie_FTNT We have same problem, but we detect that it only happens when use wired network, with wireless network it works correctly. Did you solve the problem?
Hey rikasobe,
I haven't heard back from jfbueno, and I did not encounter this issue myself, I just offered a troubleshooting suggestion based on the debug output jfbueno provided. If you get the same 'no response from remote peer', that usually indicates that the initial packets get lost somewhere, and I would suggest troubleshooting this as a possible network issue (ie VPN does not reach remote VPN server or response does not make it back).
If you get a different error, you might want to open a ticket with Fortinet Technical Support (if the VPN server is a FortiGate or your FortiClients are managed by EMS) or a new forum post.
Hope that helps!
Hey. I couldn't perform the tests that Debbie asked me to...
Since the connection is working flawlessly with Windows 10, I just decided to keep using it for a while.
Created on 02-10-2022 08:04 AM Edited on 02-10-2022 08:05 AM
Just to contribute.
I just tried to use same VPN connection that showed problem in my original post using another computer with Windows 11 and it worked as expected (using WiFi and wired).
Given that, I'm assuming the problem is related to this specific machine, but I won't perform any tests soon because I don't want to move to Win 11 and then downgrade again.
Wanted to reply specifically so you get a notification, We had the same issue, I found in my case it was a Win11 Ethernet driver issue. I downgraded to a Win10 driver and it worked. Hope it works for you too.
Thank you for sharing, sensei :).
Hi all,
just encountered this issue myself today, I started working for a company that uses forticlient vpn and, under Windows 11 and same build number, it cannot connect through ethernet, while Wi-Fi works correctly.
Did anyone find a solution to this yet, which doesn't require downgrading to Win 10 as I can't do that?
Thank you!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.