Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Guy_L
New Contributor

FortiClient cannot configure routing tables on Kali Linux

Hi all!

I've been trying to use FortiClient to establish a VPN connection on my Kali Linux machine. The client works fine with Ubuntu on the same computer, but it fails with the same configuration in Kali. The Kali installation was fresh when I tried it, and with all the dependencies installed.

Here are the sslvpn logs in both machines for comparison:

  • Kali
[sslvpn:DEBG] dns:700 Disable DHCP auto DNS
[sslvpn:DEBG] dns:730 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:760 Set DNS domain: xxxxxxxxxx
[sslvpn:DEBG] dns:790 NM reapply
[sslvpn:DEBG] dns:821 Setup VPN interface
[sslvpn:DEBG] dns:823 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:853 Set DNS domain: xxxxxxxxxxx
[sslvpn:DEBG] dns:883 NM reapply
[sslvpn:DEBG] dns:898 Apply settings failed, try again after 1 sec
[sslvpn:DEBG] dns:898 Apply settings failed, try again after 1 sec
[sslvpn:DEBG] dns:898 Apply settings failed, try again after 1 sec
[sslvpn:DEBG] dns:151 Restart DNS service failed.
[sslvpn:DEBG] dns:161 Flush DNS cache failed.
[sslvpn:DEBG] route:99 route backup START
[sslvpn:DEBG] route:151 route backup DONE
[sslvpn:DEBG] route:237 begin route config
[sslvpn:DEBG] route:238 Remote IP: x.x.x.x
[sslvpn:DEBG] route:239 Local IP: x.x.x.x
[sslvpn:DEBG] route:240 Tunnel mode: Split tunnel
[sslvpn:DEBG] route:241 Exclusive routing: Disabled
[sslvpn:DEBG] route:299 Can't find dev for IP x.x.x.x (tun)
[sslvpn:EROR] vpn_connection:1303 Config routing table failed
[sslvpn:DEBG] dns:364 Restore DNS config
  • Ubuntu
[sslvpn:DEBG] dns:700 Disable DHCP auto DNS
[sslvpn:DEBG] dns:730 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:760 Set DNS domain: xxxxxxxxxxxxxxxxx
[sslvpn:DEBG] dns:790 NM reapply
[sslvpn:DEBG] dns:821 Setup VPN interface
[sslvpn:DEBG] dns:823 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:853 Set DNS domain: xxxxxxxxxxxxxxxxxxx
[sslvpn:DEBG] dns:883 NM reapply
[sslvpn:DEBG] dns:149 Restart DNS service successfully.
[sslvpn:DEBG] dns:159 Flush DNS cache successfully.
[sslvpn:DEBG] route:99 route backup START
[sslvpn:DEBG] route:151 route backup DONE
[sslvpn:DEBG] route:237 begin route config
[sslvpn:DEBG] route:238 Remote IP: x.x.x.x
[sslvpn:DEBG] route:239 Local IP: x.x.x.x

In the Kali sslvpn logs, the error happens when trying to configure the routing table.

I have also posted this image with journalctl logs from the Kali machine. There seems to be a problem with the Network Manager.

 

Thanks in advance.

12 REPLIES 12
ebujedo
Staff
Staff

Hello Guy_L

Ubuntu is officially supported according to our release notes, but Kali is not mentioned, you can have more information from the following link:
https://docs.fortinet.com/document/forticlient/7.2.0/linux-release-notes/136392/product-integration-...

Best regards.

 

Ezequiel.

Staff
Guy_L
New Contributor

Hi Ezequiel,

Isn't Debian 11 supported too? Then, since Kali is based on Debian 11, it should work on it too. I have just downloaded a VM with a Debian 11 image to test if the same issue occurs, but Forticlient is not even reporting sslvpn logs. The client seems to freeze when trying to establish the connection.

 

Thanks

Markus_M

Hi Guy,

 

based-on-Debian does not mean it is same as otherwise there is no need for Kali. Most tools you can get on Debian as well, but especially Kali in its idea might handle network traffic differently.

I cannot see if you're using wireless or a wired interface. You can maybe try the other type of interface. According to the journalctl output, the network manager is failing due to some arguments the network manager is not understanding but the standard debian/ubuntu would seem to understand.

As such I'd see if you can compare both of the scripts on Debian and Kali.

/etc/NetworkManager/dispatcher.d/01-ifupdown

Try also to verify the network interfaces. I believe Debian uses the new nomenclature for naming interfaces (enp0s3 for example), Kali seems to use the old (eth0).

 

Best regards,

 

Markus

kpa
New Contributor II

Same issue on Fedora 38. There seems to be a problem with the device being set to unmanaged when it needs to be up to be configured.

 

device (vpn00b09c95fd): state change: activated -> unmanaged (reason 'connection-assumed', sy
s-iface-state: 'managed')
...

...
...
audit: op="device-reapply" interface="vpn00b09c95fd" ifindex=13 pid=17027 uid=0 result="fail"
reason="Device is not activated"

 

"device-reapply" is tried 3 times before failing. I fixed this issue by bringing the device up before the last reapply fails.

 

$> sudo nmcli connection up vpn00b09c95fd

 

There may have been a change in the NetworkManager which needs to be incorporated into FortiClient.

 

#EDIT

Short script which fixes the problem:
https://gist.github.com/SydoxX/f40a9d4d7af414049b6e07092e8bbc2b

Regards, Konstantin
Regards, Konstantin
kpa
New Contributor II

I wrote a short script which fixes the problem. Simply execute it before connecting to the VPN.

 

https://gist.github.com/SydoxX/f40a9d4d7af414049b6e07092e8bbc2b#file-forti-fix-sh

Regards, Konstantin
Regards, Konstantin
danzone
New Contributor

Great! Thank you @kpa , this fixed the problem!  (I upgraded to Ubuntu 23.04, Forticlient 6.4, and then upgraded to Forticlient 7.0.7)

ldd3
New Contributor II

Unfortunately that does not work with FortiClient VPN 7.2.0.0644. Any idea why? The scripts exits after prompting the following messages:
Still waiting...
Device is unmanaged. Setting it to 'up' again...
Done.

fianitnz
New Contributor II

Same problem, Ubuntu 23.04

@kpa solution helps.

Please fix this problem.
forticlient vpn 7.0.7.0246

SteveH1
New Contributor II

Yes, same problem. It seems Ubuntu 23.04 has broken FortiClient (7.0.7).

 

When do you run the "sudo nmcli connection up" command?

 

Labels
Top Kudoed Authors