Hello together,
since one of the recent patches on my Rocky Linux workstation, my FortiClient has ceased to function properly.
First some information to my system:
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
Kernel is:
5.14.0-362.13.1.el9_3.x86_64
The issue is that while I can log into the SSL-VPN and establish the connection, no packets are being sent back to me. So no connection can be build up:
I am currently using FortiClient version 7.2.3.0790 and have encountered an issue that seems to be related to the virtual interface configuration, potentially involving DNS or missing routes. The connection is a full tunnel to an up-to-date FortiGate. It's worth noting that this issue is not unique to me; colleagues with the same setup are also experiencing the problem. Older versions of FortiClient are no longer functioning, and a reinstallation did not resolve the issue. Since Windows and Mac clients can connect without any problems, I can only attribute the issue to the operating system or the FortiClient itself.
One of the errors I got is:
vpn_connection:1829 Error: Disconnected because of error: Read packet from tunnel failed.
I cannot share the whole log, but I added the most important entries below:
##############################################################
20240126 16:00:55.556 TZ=+0100 [sslvpn:INFO] sslvpn:824 Login successful
20240126 16:00:55.587 TZ=+0100 [sslvpn:INFO] main:1460 State: Configuring tunnel
20240126 16:00:55.601 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get connection name: su
20240126 16:00:55.601 TZ=+0100 [sslvpn:DEBG] vif:98 Using nmcli to allocate tun device.
20240126 16:00:55.821 TZ=+0100 [sslvpn:DEBG] vpn_connection:2339 FCT UID added: xxx
20240126 16:00:55.823 TZ=+0100 [sslvpn:DEBG] dns:292 Default route device name: wlp0s20f3
20240126 16:00:55.837 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get connection name: su
20240126 16:00:55.837 TZ=+0100 [sslvpn:DEBG] dns:304 DNS backup
20240126 16:00:55.848 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get auto DNS setting: no
20240126 16:00:55.858 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get static DNS: ipv4.dns:
20240126 16:00:55.869 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get system DNS search domain:
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] vpn_util:260 Get current DNS: IP4.DNS[1]:xxx.xxx.xxx.xxx
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:347 Device name: wlp0s20f3
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:348 Connection name: su
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:349 Ignore auto DNS: no
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:350 DNS list:
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:351 DNS search domain list:
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:352 Current DNS list: xxx.xxx.xxx.xxx
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:353 VPN device name: fctvpn44519b59
20240126 16:00:55.879 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"}]
20240126 16:00:55.893 TZ=+0100 [sslvpn:DEBG] dns:411 Backup file saved
20240126 16:00:55.895 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:00:55.895 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:00:55.895 TZ=+0100 [sslvpn:DEBG] dns:978 Config DNS
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:658 Device name: wlp0s20f3
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:662 Connection name: su
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:696 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:696 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:696 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:703 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:703 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:703 Add DNS server: xxx.xxx.xxx.xxx
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:723 Setup default interface
20240126 16:00:55.896 TZ=+0100 [sslvpn:DEBG] dns:729 Disable DHCP auto DNS
20240126 16:00:55.913 TZ=+0100 [sslvpn:DEBG] dns:744 Set IPv4 DNS servers: xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
20240126 16:00:55.929 TZ=+0100 [sslvpn:DEBG] dns:759 Set IPv4 DNS search domains:
20240126 16:00:55.946 TZ=+0100 [sslvpn:DEBG] dns:774 Re-apply settings.
20240126 16:00:55.958 TZ=+0100 [sslvpn:DEBG] dns:791 Setup VPN interface
20240126 16:00:55.958 TZ=+0100 [sslvpn:DEBG] dns:793 Set IPv4 DNS servers: xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
20240126 16:00:55.981 TZ=+0100 [sslvpn:DEBG] dns:808 Set IPv4 DNS search domains:
20240126 16:00:56.003 TZ=+0100 [sslvpn:DEBG] dns:823 Re-apply settings.
20240126 16:00:56.022 TZ=+0100 [sslvpn:DEBG] dns:182 Restart DNS service failed.
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] dns:192 Flush DNS cache failed.
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:102 route backup START
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:154 route backup DONE
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:396 begin route config
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:397 Remote IP: xxx.xxx.xxx.xxx
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:398 Local IP: xxx.xxx.xxx.xxx
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:399 Tunnel mode: Full tunnel
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:400 Exclusive routing: Disabled
20240126 16:00:56.023 TZ=+0100 [sslvpn:DEBG] route:474 Add the route for xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx)
20240126 16:00:56.024 TZ=+0100 [sslvpn:DEBG] route:487 route add: xxx.xxx.xxx.xxx,255.255.255.255,0,0.0.0.0,wlp0s20f3
20240126 16:00:56.024 TZ=+0100 [sslvpn:DEBG] route:222 router add default gw xxx.xxx.xxx.xxx
20240126 16:00:56.024 TZ=+0100 [sslvpn:DEBG] vpn_connection:2618 Start PPP
20240126 16:00:56.189 TZ=+0100 [sslvpn:DEBG] vpn_connection:2642 Start IO loop
20240126 16:00:56.189 TZ=+0100 [sslvpn:INFO] main:1460 State: Connected
20240126 16:03:28.089 TZ=+0100 [sslvpn:EROR] vpn_connection:911 IO read remote failed: TCP connection timed out
20240126 16:03:28.089 TZ=+0100 [sslvpn:EROR] vpn_connection:1829 Error: Disconnected because of error: Read packet from tunnel failed.
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"},{"default_dev_name":"wlp0s20f3","default_connection_name":"su","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn44519b59"}]
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:547 Restoring DNS config 0:
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:548 Device name: enp0s31f6
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:549 Connection name: enp0s31f6
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:550 Ignore auto DNS: no
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:551 DNS list:
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:552 DNS search domain list:
20240126 16:03:28.091 TZ=+0100 [sslvpn:DEBG] dns:553 VPN device name: fctvpn736cd216
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:502 Command re-apply settings failed with status 1536.
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:547 Restoring DNS config 1:
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:548 Device name: wlp0s20f3
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:549 Connection name: su
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:550 Ignore auto DNS: no
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:551 DNS list:
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:552 DNS search domain list:
20240126 16:03:28.172 TZ=+0100 [sslvpn:DEBG] dns:553 VPN device name: fctvpn44519b59
20240126 16:03:28.250 TZ=+0100 [sslvpn:DEBG] dns:585 Backup file saved
20240126 16:03:28.263 TZ=+0100 [sslvpn:DEBG] vpn_util:260 List fctvpn connection: su
fctvpn44519b59
lo
Wired connection 1
enp0s13f0u1u4
enp0s31f6
20240126 16:03:28.263 TZ=+0100 [sslvpn:DEBG] dns:609 Try to delete connection fctvpn44519b59
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] dns:632 default interface restore: 0, vpn interface restore: 1
20240126 16:03:28.275 TZ=+0100 [sslvpn:EROR] vpn_connection:2871 Some error occurred when restore DNS.
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] mtu:116 Restore MTU.
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] mtu:120 No MTU backup file was found. Skip.
20240126 16:03:28.275 TZ=+0100 [sslvpn:DEBG] route:160 clean up route...
20240126 16:03:28.276 TZ=+0100 [sslvpn:DEBG] route:205 failed to delete route: dst=xxx.xxx.xxx.xxx, mask=255.255.255.255, gw=xxx.xxx.xxx.xxx, dev=wlp0s20f3
20240126 16:03:28.276 TZ=+0100 [sslvpn:DEBG] route:205 failed to delete route: dst=xxx.xxx.xxx.xxx, mask=255.255.255.255, gw=0.0.0.0, dev=wlp0s20f3
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:210 Read DNS backup /etc/nm_resolv.forticlient.backup: [{"default_dev_name":"enp0s31f6","default_connection_name":"enp0s31f6","ignore_auto_dns":"no","system_dns_list":"","system_dns_search_domain_list":"","current_dns_list":"xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx","vpn_dev_name":"fctvpn736cd216"}]
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:547 Restoring DNS config 0:
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:548 Device name: enp0s31f6
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:549 Connection name: enp0s31f6
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:550 Ignore auto DNS: no
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:551 DNS list:
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:552 DNS search domain list:
20240126 16:03:28.279 TZ=+0100 [sslvpn:DEBG] dns:553 VPN device name: fctvpn736cd216
20240126 16:03:28.384 TZ=+0100 [sslvpn:DEBG] dns:502 Command re-apply settings failed with status 1536.
20240126 16:03:28.389 TZ=+0100 [sslvpn:DEBG] dns:585 Backup file saved
20240126 16:03:28.399 TZ=+0100 [sslvpn:DEBG] vpn_util:260 List fctvpn connection: su
##############################################################
Afterwards the FortiClient starts to loop over and over again on the same process.
I hope somebody can help us to solve this issue.
Thanks in advance for your support in this case.
Have a great weekend!
Johannes
FortiClient #SSL-VPN
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Johannes
First guess is that your Linux update has updated some OpenSSL libraries, supposed that FortiClient uses OS' OpenSSL library.
I'd try to find a way to force FortiClient to use its own lib (if available), otherwise I'd try either update the OS' OpenSSL lib to a newer or to a bit older version/patch.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.