My FortiClient was recently updated to 7.0.11 and I am now having issues with not being able to pass 2-way traffic through the VPN tunnel. I was able to establish functional (2-way) tunnels on my home network prior to the upgrade to 7.0.11.
With 7.0.11, the tunnel successfully connects but only passes 2 way traffic when tethered to a cell phone. When I am on my home network, the client shows the tunnel's 'Bytes Received' counter hanging at 33 bytes and times out after 120 seconds. When I tether to cell phones, the new client works fine.
The home network architecture is: ISP (Centurylink) <--1G Fiber--> ISP Modem (Zyxel in Bridge mode) <--Ethernet--> Router (Google Nest) <--Ethernet--> Asus AP <--Wifi--> Computer
The tethered network architectures are: ISP (Verizon or TMobile) <--Cell Network--> Cell Phone HotSpot (S20 or Pixel 8) <--Wifi--> Computer
I do not have admin access on the computer so I am not able to investigate logs. I've been advised by our help desk to ask my ISP to 'fix the problem', but can't imagine what to ask them to do and am looking for suggestions.
TIA, -Paul
Hi Paul
It is possible that your home public IP is banned on remote VPN server.
In all cases you need to ask remote FortiGate admin to check why you are not able to access the resources through VPN.
Greetings:
I’m sure it is not because my IP is banned. The SSLVPN tunnel would not come up at all if so. I am able to successfully establish the tunnel through the Nest router.
The important symptom is that I do not receive inbound data when going through the Nest router. I can’t imagine what is happening at the network layer that updating the FortiClient would cause return traffic to stop working.
-Paul
PS: The FW Admins don't know why it is not working. One had a similar issue and had the ISP 'fix' the network.
Hi @pmockett,
Is it possible that your home internal network overlaps with the internal network behind FortiGate?
Regards,
I am connecting with the FortiClient, so there is no appliance at home. The client could connect successfully until the version was updated. There have been no network changes (except experimentation for TS purposes with turning uPNP and IPv6 on/off on the Google Nest router).
Created on 03-25-2024 08:13 AM Edited on 03-25-2024 08:17 AM
Sorry, I misread your question. There is no overlap between home and remote networks. Home is on 192 while remote is on 172 with routes to 10.x addresses. (And there have been no networking changes.)
I'm trying to understand what network functionality would allow the tunnel to come up, but then only allow 1 way traffic afterwards. The tunnel is just HTTPS on 443, correct?
The computer is configured to use a proxy. Would that catch FortiClient traffic? And if so, why would it break on the home connection but still work when tethered to cell phones?
I don't think it will work behind a proxy.
Greetings AEK:
Are you saying FortiClient traffic bypasses any local Windows proxy settings? Or that FortiClient won't work if it is behind a proxy?
I would agree with the latter, but it seems unlikely it is going through one since the proxy configuration is not new. Just the version of the FortiClient has changed.
-Paul
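The question raised earlier in the thread, what could let a tunnel come up and then carry traffic in only one direction, is one a practitioner would normally answer with a probe rather than a guess. A tunnel handshake uses small packets while the return traffic arrives in full-size frames, so one check worth running on both the home network and the tethered one is whether full-size packets with the Don't Fragment bit set actually reach the VPN gateway. The script below is an added example and is not from the thread or from Fortinet; it binary-searches the largest DF payload that gets an echo reply. `vpn.example.com` is a placeholder for the gateway name, the 100/1472 bounds and the 2-second timeout are assumptions, and `ping -M do` is the Linux (iputils) flag (macOS/BSD use `-D`, Windows uses `ping -f -l SIZE`). The thread does not say whether this is the cause; the script only tells you whether the two paths differ.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Fortinet.
# Usage: sh pmtu_probe.sh vpn.example.com   (placeholder hostname)

# Real probe: one ICMP echo with DF set and the given payload size.
# Returns 0 on a reply, 1 on timeout or "message too long" (Linux iputils flags).
df_ping() {
  if ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# IPv4 MTU <-> ICMP echo payload: 20-byte IP header + 8-byte ICMP header.
payload_for_mtu() { echo $(( $1 - 28 )); }
mtu_for_payload() { echo $(( $1 + 28 )); }

# find_pmtu HOST PROBE LO HI
# Largest payload in [LO,HI] for which "PROBE HOST size" succeeds, assuming the
# usual monotonic behaviour (DF packets above the path MTU are dropped).
# Prints the payload size, or "none" (exit 1) if even LO gets no reply.
find_pmtu() {
  host=$1; probe=$2; lo=$3; hi=$4
  if ! "$probe" "$host" "$lo"; then
    echo none
    return 1
  fi
  best=$lo
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if "$probe" "$host" "$mid"; then
      best=$mid; lo=$(( mid + 1 ))
    else
      hi=$(( mid - 1 ))
    fi
  done
  echo "$best"
}

# Stand-alone use: probe from a 100-byte payload up to 1472 (fills a 1500-byte frame).
if [ -n "${1:-}" ]; then
  if best=$(find_pmtu "$1" df_ping 100 1472); then
    echo "largest DF payload to $1: $best bytes (path MTU $(mtu_for_payload "$best"))"
  else
    echo "no DF echo reply from $1 even at 100 bytes; ICMP may be filtered"
  fi
fi
```

Run it twice, once on the home network and once tethered, and compare the two numbers. A path MTU that is the same on both does not support an MTU explanation; a smaller number (or no reply at all) on the home path is something concrete to raise with the ISP or the FortiGate admins, since the tunnel's small handshake packets would still succeed while larger return packets could be lost.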
Copyright 2024 Fortinet, Inc. All Rights Reserved.