On FortiClient 7.2.4, SSLVPN will not connect if the local machine has no Internet connection.
It appears that FortiClient checks Windows Network Level Awareness (NLA) to see if there is a working Internet connection. However, this breaks airgapped setups where:
1. the endpoint is airgapped with no Internet connectivity (hence Windows NLA will report No Internet)
2. the FortiGate is intranet-only (not exposed to the Internet)
FortiClient will refuse to initiate a connection thinking that there is no working connection, but FGT is reachable.
Previous versions of FC (7.0.11) seem to work alright, just not the 7.2.x branch.
There are about 40 SSL VPN known issues on this version.
https://docs.fortinet.com/document/forticlient/7.2.4/windows-release-notes/991883/known-issues
Can you share the related logs from FortiClient?
Hey @AEK, thanks for replying!
The only relevant FortiClient log is the following:
4/15/2024 1:24:20 PM info sslvpn date=2024-04-15 time=13:24:19 logver=1 id=96600 type=securityevent subtype=sslvpn eventtype=status level=info uid=FE669A598C0F46AABA80C6660AE8CDA4 devid=FCT80004XXXXXXXX hostname=DESKTOP-JDR6DA5 pcdomain=N/A deviceip=10.255.XXX.XXX devicemac=f4-4e-XX-XX-XX-XX site=N/A fctver=7.2.4.0972 fgtserial=FCT80004XXXXXXXX emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=XXXXXXX msg="SSLVPN tunnel status" vpnstate=disconnected vpnuser=XXXXX
When I hit "connect" after typing my username and password, the VPN client just flashes briefly, but nothing happens.
Windows does say the following:
The remote FortiGate can 100% be reached over the network, but FortiClient doesn't seem to even try.
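A quick way to confirm the mismatch described above (gateway reachable, but NLA reporting no Internet) on the affected endpoint. This is an added diagnostic script, not from the original post or from Fortinet; the gateway host and port are placeholders and should be replaced with the values entered in the FortiClient VPN profile.

```powershell
# Added diagnostic (not from the thread): compare what Windows NLA reports
# with whether the FortiGate SSL VPN port is actually reachable over TCP.
param(
    [string]$Gateway = "vpn.example.internal",   # assumed placeholder: FortiClient profile host
    [int]$Port       = 443                       # assumed placeholder: FortiClient profile port
)

# 1. What NLA reports per connected interface.
#    IPv4Connectivity values: Disconnected, NoTraffic, Subnet, LocalNetwork, Internet.
$profiles = Get-NetConnectionProfile
$profiles |
    Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity, IPv6Connectivity |
    Format-Table -AutoSize

$nlaReportsInternet = @($profiles | Where-Object {
    $_.IPv4Connectivity -eq 'Internet' -or $_.IPv6Connectivity -eq 'Internet'
}).Count -gt 0

# 2. Whether the gateway port answers on TCP, independent of what NLA believes.
$tcp = Test-NetConnection -ComputerName $Gateway -Port $Port -WarningAction SilentlyContinue
$gatewayReachable = [bool]$tcp.TcpTestSucceeded

# 3. NCSI active probing state (read-only). When probing is disabled (0), NLA cannot
#    reach the 'Internet' state even on a connected network.
$ncsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$probing = (Get-ItemProperty -Path $ncsiKey -ErrorAction SilentlyContinue).EnableActiveProbing

if ($gatewayReachable -and -not $nlaReportsInternet) {
    $verdict = 'Gateway reachable but NLA reports no Internet: matches the air-gapped symptom'
} elseif (-not $gatewayReachable) {
    $verdict = 'Gateway port not reachable on TCP: check the network/firewall path first'
} else {
    $verdict = 'NLA reports Internet and gateway reachable: look elsewhere (logs, AV, capture)'
}

[pscustomobject]@{
    Gateway             = "${Gateway}:${Port}"
    NlaReportsInternet  = $nlaReportsInternet
    GatewayTcpReachable = $gatewayReachable
    NcsiActiveProbing   = $probing
    Verdict             = $verdict
}
```

Run it in an elevated PowerShell on the endpoint; the first table shows the per-interface NLA state, and the final object summarises whether the symptom in this thread is reproduced.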
Hi,
- Have you tried to reinstall the FortiClient?
- Does the FortiClient try to initiate communication? You can check this by taking Wireshark captures on the client.
- Are there any 3rd-party tools on the PC, such as a VPN from another vendor, AV, etc.?
Regards,
Shiva
Hi Shiva,
1. Yes, we have reinstalled the FortiClient multiple times. FC 7.0.12 works with no issues.
2. It does not look like the FortiClient 7.2 even tries.
3. No other VPN but there is Symantec AV.
Hi,
- You can confirm if it is sending the packets out or not by taking a Wireshark capture or a sniffer in the firewall.
- You can try to disable the AV and verify the VPN.
- We may have to check Diagnostics tool output such as FortiTray logs from the client. If the above 2 steps are not giving the expected result, then you can collect the Diagnostics tool output and open a support ticket.
Regards,
Shiva
Hi Shiva,
I did try to open a support ticket but was refused support, as I do not have a FortiClientEMS license.
My ticket number was 9386623.
Could you advise if I were to open a ticket again, would I face the same issue? I do not mind putting in the effort to troubleshoot, but I would not want to be going in circles if my support ticket would be closed due to me using free VPN.
Thank you!
You can still try to open the ticket using the FG SN.
By the way, did you try from the client to access https://vpnserver:port
(use the gateway address and port as entered in FortiClient VPN config)
Hi @AEK, yes, we did try from the client to access https://vpnserver:port and it works and connects fine.
Just wanted to point out again that this is flawless in FC 7.0, and is only an issue in FC 7.2.
Also wanted to share that I previously opened the case under my FG SN but was denied support and redirected to the forum.
Here is the correspondence:
Dear Customer,
Hope you are well.
Thank you for contacting Fortinet. My name is Denice and I’ll be assisting you with this case.
Your case is open as P<4>, and you may refer to our Forti-Companion to Technical Support guide for case priority and SLA response time: https://support.fortinet.com/Information/DocumentList.aspx
I understand that you have a concern wherein your FortiClient on v7.2.x is not able to connect since it is set up as airgapped, and no issues when you were on v7.0.11. Just to set your expectations, since the concern is for FortiClient, FortiClient Technical Support requires a valid paid FortiClient or EMS license, and is not included with FortiGate regular support.
Kindly refer to the attached Release Notes page XX on technical support entitlement for FortiClient without a paid license. https://docs.fortinet.com/document/forticlient/7.2.4/windows-release-notes/371487/introduction
If you have a serial number of EMS with a valid FortiClient support contract, please provide it to the ticket so I can endorse this ticket to the appropriate team.
For a free standalone version of FortiClient you can obtain support on Fortinet forums - https://community.fortinet.com/
Thank you for your understanding.
Hi @fn-hmx
Like @smaruvala suggested, I think Wireshark is a good way of troubleshooting to know what FortiClient is trying to do, and if it is trying to reach something on the internet before connecting to the VPN server, or if it is sending any DNS query... any such info can be useful for the troubleshooting.
Or in case you prefer to avoid troubleshooting, then you can just revert to 7.0.x.