Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FortiClient Remote Access IPsec-over-TCP not worki...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient Remote Access IPsec-over-TCP not working
Hi, I am running FortiOS 7.4.7 on a FortiGate-60F and am trying to migrate from SSLVPN to IPsec VPN.
I've managed to configure IPsec (IKEv2) dial-up to work fine, but I notice that when I set the mode to IPSec over TCP, FortiClient (v7.4.3) does not connect and times out. UDP mode works perfectly fine.
I also notice that TCP 4500 is not one of the local-in policies on the firewall.
Does a local-in policy need to be configured for this to work? Has anyone had any experience with this?
Thank you!
Labels:
- Labels:
-
FortiClient
-
FortiGate
60 REPLIES 60
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to fixed the issue. Must select DH group 14 or above on FortiClient if you are using the dialup vpn template on FortiGate.
Running FortiOS 7.4.8 and FortiClient 7.4.3 work well with IKE TCP
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Phase1 or PFS in Phase 2? Must be something else, I always use >DH14 and tried Phase 2 with and without PFS, it didn't help on 7.6.3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
On my side seems to work FortiClient IPSec over TCP (port tcp/443 & udp/500) only with a local user group(ldap broken I guess) with the 7.4.3 version + FGT 7.4.8
Right with only one DH 14 but with PFS
Need to uninstall the FCT if there was a previous upgrade and do a clean installation
And check network adapters from Fortinet in "Device-Manager". There were Fortinet Adapters with #2 or #3 at the end. Delete them, afterwars it started to work.
###
###
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are experiencing the same or a very similar issue. We are using udp-fallback-tcp because some of our users are in restrictive networks.
While UDP works without any problems, users who rely on TCP are encountering connection failures.
In the firewall's IKE debug log, we consistently see only the following three lines for TCP connections which fail:
ike V=root:accepts ike tcp-transport(vd=0, vrf=0, intf=0:45, <external-firewall-wan-ip>:443-><external-client-wan-ip>:49936 sock=43 refcnt=2 ph1=(nil)) (1).
ike V=root:deletes tcp-transport(vd=0, vrf=0, intf=0:45, <external-firewall-wan-ip>:443-><external-client-wan-ip>:49936 sock=43 refcnt=2 ph1=(nil)) (1).
ike V=root:destroys tcp-transport(vd=0, vrf=0, intf=0:45, <external-firewall-wan-ip>:443-><external-client-wan-ip>:49936 sock=43 refcnt=0 ph1=(nil)) (0).
On the client side, Wireshark shows that three packets are sent for a standard TCP 3-way handshake. After that, there is a pause of about 15–17 seconds, followed by a fourth packet with RST, ACK sent to the FortiGate.
Interestingly, TCP connections work fine on some other clients. I tried to reproduce the issue and was partially successful: a client forced to use TCP has a 50/50 chance of connecting. When clicking "Connect" in the client, it either connects successfully via TCP or fails with the same 3-way handshake and RST behavior, along with the same firewall log. Waiting a few seconds and trying again results in the same 50/50 chance behavior.
Some users, however, experience a permanent failure and are never able to connect via TCP.
Changing the default IKE TCP port to 4500 did not make any difference.
Has anyone found a workaround?
Configuration:
FortiOS v7.4.8
FortiClient VPN 7.4.3.1790
config vpn ipsec phase1-interface
edit "VPN_User"
set type dynamic
set interface "VLAN_2"
set ike-version 2
set local-gw <external-wan-ip>
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha256
set comments "VPN for employees (remote work)"
set dhgrp 14
set eap enable
set eap-identity send-request
set authusrgrp "LDAP_VPN_USER"
set transport udp-fallback-tcp
set fallback-tcp-threshold 10
set ipv4-start-ip 10.10.10.10
set ipv4-end-ip 10.10.10.240
set dns-mode auto
set ipv4-split-include "VPN_User_Allowed_NW_1"
set save-password enable
set psksecret ENC <key>
next
In the working case, the client proceeds with many additional events after HandleTunnelConnectRequest, such as Preflight_*, StartConnection, TunnelConnecting, etc.
In the error case, the client remains stuck in the Wait state after HandleTunnelConnectRequest, and no further events are triggered.
Client Log – Error Case:
[2025-07-29 19:00:29.8992854] [FortiVPN 161 debug] In state: TunnelConnectRequest
[2025-07-29 19:00:29.8992862] [FortiVPN 1107 debug] => fortivpn::StateMachine::HandleTunnelConnectRequest(Mobile Arbeit)
...
[2025-07-29 19:00:29.9027386] [FortiVPN 161 debug] In state: Wait
Client Log – Working Case:
[2025-07-29 19:31:41.8430029] [FortiVPN 161 debug] In state: TunnelConnectRequest
[2025-07-29 19:31:41.8430041] [FortiVPN 1107 debug] => fortivpn::StateMachine::HandleTunnelConnectRequest(Mobile Arbeit)
...
[2025-07-29 19:31:36.5124044] [FortiVPN 161 debug] In state: Wait
[2025-07-29 19:31:36.5767789] [FortiVPN 322 debug] fortivpn::IDataManager::ValidateSessionVPNs
[2025-07-29 19:31:36.5768208] [FortiVPN 101 debug] fortivpn::StateMachine::AddEvent type=15 (GlobalVPNEnvironmentChanged)
...
[2025-07-29 19:31:41.8429960] [FortiVPN 385 debug] Got event: 17 "TunnelConnectRequest"
[2025-07-29 19:31:41.8548741] [FortiVPN 385 debug] Got event: 18 "Preflight_EnvironmentCompliance"
...
[2025-07-29 19:31:42.0790388] [FortiVPN 385 debug] Got event: 28 "StartConnection"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for detailed investigation. I just want to say that is simply unbelievable that Forti dropped VPN over SSL, released IKE over TCP into production instead, it is simply does not work, potentially hurting millions of users, and they just keep silence with zero comments. The quintessence of irresponsibility.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am facing the exact same issue, did you manage to solve it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am facing the exact same issue, did you manage to solve it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of auto, use tcp.
Vinay HM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using only tcp transport and i set it explicitly using
set transport tcp
I am trying with a w11 vm to replicate my user issues and it seems that the first connection is successfull but the other ones fail with the same ike message of @mycoolusername
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For us, simply setting "tcp" instead of "udp-fallback-tcp" didn’t work either. It turns out that most of the clients experiencing this issue were still running very old Windows builds, like 1809 or newer, but still outdated.
We reinstalled those machines with more recent Windows versions, and the problems were almost entirely resolved. So, it’s unclear whether the Windows reinstall itself helped or if the outdated Windows versions were the root cause.
That said, we’re still seeing this issue occasionally on some newer clients, but far less frequently than before.
Labels
-
FortiGate
10,528 -
FortiClient
2,140 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
552 -
6.0
416 -
IPsec
413 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
73 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2559 | |
| 1356 | |
| 795 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.