FortiClient - No Traffic on established SSL-VPN connection - Rocky Linux 9
Hello everyone,
since one of the recent patches on my Rocky Linux workstation, my FortiClient has ceased to function properly.
First, some information about my system:
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
Kernel is:
5.14.0-362.13.1.el9_3.x86_64
The issue is that while I can log into the SSL-VPN and establish the connection, no packets are being sent back to me. So no connection can be built up:
I am currently using FortiClient version 7.2.3.0790 and have encountered an issue that seems to be related to the virtual interface configuration, potentially involving DNS or missing routes. The connection is a full tunnel to an up-to-date FortiGate. It's worth noting that this issue is not unique to me; colleagues with the same setup are also experiencing the problem. Older versions of FortiClient are no longer functioning, and a reinstallation did not resolve the issue. Since Windows and Mac clients can connect without any problems, I can only attribute the issue to the operating system or the FortiClient itself.
One of the errors I got is:
vpn_connection:1829 Error: Disconnected because of error: Read packet from tunnel failed.
I cannot share the whole log, but I added the most important entries below:
##############################################################
20240126 16:00:55.556 TZ=+0100 [sslvpn:INFO] sslvpn:824 Login successful
20240126 16:00:55.587 TZ=+0100 [sslvpn:INFO] main:1460 State: Configuring tunnel
20240126 16:00:55.601 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get connection name: su
20240126 16:00:55.601 TZ=+0100 [sslvpn:DEBG] vif:98 Using nmcli to allocate tun device.
20240126 16:00:55.821 TZ=+0100 [sslvpn:DEBG] vpn_connection:2339 FCT UID added: xxx
20240126 16:00:55.823 TZ=+0100 [sslvpn:DEBG] dns:292 Default route device name: wlp0s20f3
20240126 16:00:55.837 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get connection name: su
20240126 16:00:55.837 TZ=+0100 [sslvpn:DEBG] dns:304 DNS backup
20240126 16:00:55.848 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get auto DNS setting: no
20240126 16:00:55.858 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get static DNS: ipv4.dns:
20240126 16:00:55.869 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get system DNS search domain:
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get current DNS: IP4.DNS[1]:xxx.xxx.xxx.xxx
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:347 Device name: wlp0s20f3
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:348 Connection name: su
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:349 Ignore auto DNS: no
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:350 DNS list:
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:351 DNS search domain list:
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:352 Current DNS list: xxx.xxx.xxx.xxx
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:353 VPN device name: fctvpn44519b59
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"}]
20240126 16:00:55.893 TZ=+0100 [sslvpn:DEBG] dns:411 Backup file saved
20240126 16:00:55.895 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:00:55.895 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:00:55.895 TZ=+0100 [sslvpn:DEBG] dns:978 Config DNS
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:658 Device name: wlp0s20f3
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:662 Connection name: su
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:696 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:696 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:696 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:703 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:703 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:703 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:723 Setup default interface
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:729 Disable DHCP auto DNS
20240126 16:00:55.913 TZ=+0100 [sslvpn:DEBG] dns:744 Set IPv4 DNS servers: xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
20240126 16:00:55.929 TZ=+0100 [sslvpn:DEBG] dns:759 Set IPv4 DNS search domains:
20240126 16:00:55.946 TZ=+0100 [sslvpn:DEBG] dns:774 Re-apply settings.
20240126 16:00:55.958 TZ=+0100 [sslvpn:DEBG] dns:791 Setup VPN interface
20240126 16:00:55.958 TZ=+0100 [sslvpn:DEBG] dns:793 Set IPv4 DNS servers: xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
20240126 16:00:55.981 TZ=+0100 [sslvpn:DEBG] dns:808 Set IPv4 DNS search domains:
20240126 16:00:56.003 TZ=+0100 [sslvpn:DEBG] dns:823 Re-apply settings.
20240126 16:00:56.022 TZ=+0100 [sslvpn:DEBG] dns:182 Restart DNS service failed.
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] dns:192 Flush DNS cache failed.
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:102 route backup START
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:154 route backup DONE
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:396 begin route config
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:397 Remote IP: xxx.xxx.xxx.xxx
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:398 Local IP: xxx.xxx.xxx.xxx
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:399 Tunnel mode: Full tunnel
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:400 Exclusive routing: Disabled
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:474 Add the route for xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx)
20240126 16:00:56.024 TZ=+0100 [sslvpn:DEBG] route:487 route add: xxx.xxx.xxx.xxx,255.255.255.255,0,0.0.0.0,wlp0s20f3
20240126 16:00:56.024 TZ=+0100 [sslvpn:DEBG] route:222 router add default gw xxx.xxx.xxx.xxx
20240126 16:00:56.024 TZ=+0100 [sslvpn:DEBG] vpn_connection:2618 Start PPP
20240126 16:00:56.189 TZ=+0100 [sslvpn:DEBG] vpn_connection:2642 Start IO loop
20240126 16:00:56.189 TZ=+0100 [sslvpn:INFO] main:1460 State: Connected
20240126 16:03:28.089 TZ=+0100 [sslvpn:EROR] vpn_connection:911 IO read remote failed: TCP connection timed out
20240126 16:03:28.089 TZ=+0100 [sslvpn:EROR] vpn_connection:1829 Error: Disconnected because of error: Read packet from tunnel failed.
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:547 Restoring DNS config 0:
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:548 Device name: enp0s31f6
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:549 Connection name: enp0s31f6
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:550 Ignore auto DNS: no
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:551 DNS list:
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:552 DNS search domain list:
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:553 VPN device name: fctvpn736cd216
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:502 Command re-apply settings failed with status 1536.
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:547 Restoring DNS config 1:
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:548 Device name: wlp0s20f3
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:549 Connection name: su
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:550 Ignore auto DNS: no
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:551 DNS list:
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:552 DNS search domain list:
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:553 VPN device name: fctvpn44519b59
20240126 16:03:28.250 TZ=+0100 [sslvpn:DEBG] dns:585 Backup file saved
20240126 16:03:28.263 TZ=+0100 [sslvpn:DEBG] vpn_util:260 List fctvpn connection: su
fctvpn44519b59
lo
Wired connection 1
enp0s13f0u1u4
enp0s31f6
20240126 16:03:28.263 TZ=+0100 [sslvpn:DEBG] dns:609 Try to delete connection fctvpn44519b59
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] dns:632 default interface restore: 0, vpn interface restore: 1
20240126 16:03:28.275 TZ=+0100 [sslvpn:EROR] vpn_connection:2871 Some error occurred when restore DNS.
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] mtu:116 Restore MTU.
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] mtu:120 No MTU backup file was found. Skip.
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] route:160 clean up route...
20240126 16:03:28.276 TZ=+0100 [sslvpn:DEBG] route:205 failed to delete route: dst=xxx.xxx.xxx.xxx, mask=255.255.255.255, gw=xxx.xxx.xxx.xxx, dev=wlp0s20f3
20240126 16:03:28.276 TZ=+0100 [sslvpn:DEBG] route:205 failed to delete route: dst=xxx.xxx.xxx.xxx, mask=255.255.255.255, gw=0.0.0.0, dev=wlp0s20f3
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"}]
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:547 Restoring DNS config 0:
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:548 Device name: enp0s31f6
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:549 Connection name: enp0s31f6
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:550 Ignore auto DNS: no
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:551 DNS list:
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:552 DNS search domain list:
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:553 VPN device name: fctvpn736cd216
20240126 16:03:28.384 TZ=+0100 [sslvpn:DEBG] dns:502 Command re-apply settings failed with status 1536.
20240126 16:03:28.389 TZ=+0100 [sslvpn:DEBG] dns:585 Backup file saved
20240126 16:03:28.399 TZ=+0100 [sslvpn:DEBG] vpn_util:260 List fctvpn connection: su
##############################################################
Afterwards the FortiClient starts to loop over and over again on the same process.
I hope somebody can help us to solve this issue.
Thanks in advance for your support in this case.
Have a great weekend!
Johannes
FortiClient #SSL-VPN
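A triage sketch for the log format shown above, added here as an example and not part of the original post or of FortiClient: it parses the timestamp/level/source layout, collects EROR lines together with DEBG lines that report a failure, and measures how long the tunnel stayed in `State: Connected` before the first error. The sample lines are a constructed subset of the posted log, and reading `status 1536` as a raw wait status is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the lines in the post (addresses already masked).
SAMPLE = """\
20240126 16:00:55.556 TZ=+0100 [sslvpn:INFO] sslvpn:824 Login successful
20240126 16:00:56.022 TZ=+0100 [sslvpn:DEBG] dns:182 Restart DNS service failed.
20240126 16:00:56.189 TZ=+0100 [sslvpn:INFO] main:1460 State: Connected
20240126 16:03:28.089 TZ=+0100 [sslvpn:EROR] vpn_connection:911 IO read remote failed: TCP connection timed out
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:502 Command re-apply settings failed with status 1536.
20240126 16:03:28.263 TZ=+0100 [sslvpn:DEBG] vpn_util:260 List fctvpn connection: su
fctvpn44519b59
20240126 16:03:28.276 TZ=+0100 [sslvpn:DEBG] route:205 failed to delete route: dst=xxx.xxx.xxx.xxx, mask=255.255.255.255, gw=0.0.0.0, dev=wlp0s20f3
"""

LINE = re.compile(r"^(\d{8} \d\d:\d\d:\d\d\.\d{3}) TZ=([+-]\d{4}) "
                  r"\[(\w+):(\w+)\] (\w+):(\d+) (.*)$")

def parse(text):
    """Return one dict per record; lines without a timestamp continue the previous record."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m[1] + m[2], "%Y%m%d %H:%M:%S.%f%z")
            records.append({"ts": ts, "level": m[4], "src": m[5], "msg": m[7]})
        elif records and raw.strip():
            records[-1]["msg"] += "\n" + raw
    return records

def triage(records):
    """Collect failures (EROR lines plus any line mentioning 'fail') and the time to drop."""
    failures = [r for r in records
                if r["level"] == "EROR" or "fail" in r["msg"].lower()]
    connected = next((r for r in records if r["msg"] == "State: Connected"), None)
    first_err = next((r for r in records if connected and r["level"] == "EROR"
                      and r["ts"] > connected["ts"]), None)
    drop = (first_err["ts"] - connected["ts"]).total_seconds() if first_err else None
    # Assumption: "status N" is a raw wait(2) status, so the exit code is N >> 8.
    codes = [int(m[1]) >> 8 for r in failures
             if (m := re.search(r"failed with status (\d+)", r["msg"]))]
    return {"failures": failures, "seconds_until_drop": drop, "exit_codes": codes}

if __name__ == "__main__":
    report = triage(parse(SAMPLE))
    print("tunnel dropped after", report["seconds_until_drop"], "s")
    for r in report["failures"]:
        print(r["ts"].time(), r["level"], r["src"], r["msg"].splitlines()[0])
```

Failures such as the DNS service restart and route deletion are logged at DEBG level in this format, so filtering on EROR alone would miss them.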
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Johannes,
My first guess is that your Linux update has updated some OpenSSL libraries, supposing that FortiClient uses the OS's OpenSSL library.
I'd try to find a way to force FortiClient to use its own lib (if available); otherwise I'd try to update the OS's OpenSSL lib either to a newer or to a slightly older version/patch.
