We have been battling this for some time. Some clients are having issues while others are not. All have the same Endpoint Profile and Installer and are running 6.0.5. The installer has ALL components installed but only core product and VPN enabled via EMS.
We have telemetry going to EMS and NOT registering to the FortiGate, so there should be no NAC control, but it seems like NAC is the issue. Below are the information and debug logs for two different instances. Here is the informational log from the time a machine was started until it connected to VPN and disconnected:
6/11/2019 12:21:45 PM Information ESNAC id=96958 user=kfcoleman@FCBINC.COM msg="User social media information" social_srvc=os social_user=kfcoleman
6/11/2019 12:48:53 PM Information ESNAC (repeated 1 times in last 1629 sec) id=96958 user=kfcoleman@FCBINC.COM msg="User social media information" social_srvc=os social_user=kfcoleman
6/12/2019 5:55:21 AM Warning AntiVirus CBBS Callhome failed 1 times and try again 5 seconds later!
6/12/2019 5:55:26 AM Warning AntiVirus CBBS Callhome failed 2 times and try again 5 seconds later!
6/12/2019 5:55:31 AM Warning AntiVirus CBBS Callhome failed 3 times and try again 5 seconds later!
6/12/2019 5:55:36 AM Warning AntiVirus CBBS Callhome failed 4 times and try again 5 seconds later!
6/12/2019 5:55:41 AM Warning AntiVirus CBBS Callhome failed 5 times and try again 5 seconds later!
6/12/2019 5:55:45 AM Information AntiVirus CCloudScanner detected fct not registered now
6/12/2019 5:55:47 AM Warning AntiVirus CBBS Callhome failed 6 times and try again 5 seconds later!
6/12/2019 5:55:52 AM Warning AntiVirus CBBS Callhome failed 7 times and try again 5 seconds later!
6/12/2019 5:55:57 AM Warning AntiVirus CBBS Callhome failed 8 times and try again 5 seconds later!
6/12/2019 5:56:02 AM Warning AntiVirus CBBS Callhome failed 9 times and try again 5 seconds later!
6/12/2019 5:56:07 AM Warning AntiVirus CBBS Callhome failed 10 times and try again 5 seconds later!
6/12/2019 5:56:12 AM Warning AntiVirus CBBS Callhome failed 11 times and try again 5 seconds later!
6/12/2019 5:56:17 AM Warning AntiVirus CBBS Callhome failed 12 times and try again 5 seconds later!
6/12/2019 5:56:22 AM Warning AntiVirus CBBS Callhome failed 13 times and try again 10 minutest later!
6/12/2019 5:58:02 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=500 rem_ip=12.24.145.18 rem_port=500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=local mode=aggressive stage=1 dir=outbound status=success Initiator: sent 12.24.145.18 aggressiv" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:02 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=4500 rem_ip=12.24.145.18 rem_port=4500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=local mode=aggressive stage=2 dir=outbound status=success Initiator: sent 12.24.145.18 aggress" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:02 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=4500 rem_ip=12.24.145.18 rem_port=4500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=remote mode=xauth_client stage=0 dir=inbound status=success Responder: parsed 12.24.145.18 xau" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:02 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=4500 rem_ip=12.24.145.18 rem_port=4500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=remote mode=xauth_client stage=2 dir=inbound status=success Responder: parsed 12.24.145.18 xau" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:02 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=4500 rem_ip=12.24.145.18 rem_port=4500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=local mode=xauth_client stage=0 dir=inbound status=success Initiator: parsed 12.24.145.18 xaut" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:02 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=4500 rem_ip=12.24.145.18 rem_port=4500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=remote mode=xauth_client stage=0 dir=inbound status=success Responder: parsed 12.24.145.18 xau" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:03 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=4500 rem_ip=12.24.145.18 rem_port=4500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=local mode=quick stage=1 dir=outbound status=success Initiator: sent 12.24.145.18 quick mode m" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:03 AM Information VPN id=96571 msg="locip=172.20.10.5 locport=4500 remip=12.24.145.18 remport=4500 outif=0 vpntunnel=Corporate - Secondary - Comcast action=install_sa, inspi=0x4400a8d1 outspi=0x3ff9816d Initiator: tunnel 172.20.10.5/12.24.145.18 install ipsec sa" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:03 AM Information VPN id=96566 msg="negotiation information, loc_ip=172.20.10.5 loc_port=4500 rem_ip=12.24.145.18 rem_port=4500 out_if=0 vpn_tunnel=Corporate - Secondary - Comcast action=negotiate init=local mode=quick stage=2 dir=outbound status=success Initiator: sent 12.24.145.18 quick mode m" vpntunnel="Corporate - Secondary - Comcast" vpntype=ipsec
6/12/2019 5:58:03 AM Information VPN id=96560 msg="VPN tunnel status" vpnstate=connected vpntype=ipsec
6/12/2019 5:58:03 AM Notice VPN date=2019-06-12 time=05:58:03 logver=2 type=traffic level=notice sessionid=4164911744 hostname=STA03L69 pcdomain=fcbinc.com uid=63C21CA814AE47268DDA54E0C1589563 devid=FCT8000643515793 fgtserial=N/A emsserial=N/A regip=N/A srcname=ipsec srcproduct=N/A srcip=10.100.31.100 srcport=N/A direction=outbound dstip=12.24.145.18 remotename=N/A dstport=4500 user=kfcoleman proto=6 rcvdbyte=1040 sentbyte=4632 utmaction=passthrough utmevent=vpn threat=connect vd=N/A fctver=6.0.5.0209 os="Microsoft Windows 10 Enterprise Edition, 64-bit (build 17134)" usingpolicy="" service= url=N/A userinitiated=0 browsetime=N/A
6/12/2019 5:58:12 AM Information AntiVirus CCloudScanner detected fct registered to fgt
6/12/2019 5:58:13 AM Information VPN id=96560 msg="VPN tunnel status" vpnstate=disconnected vpntype=ipsec
6/12/2019 5:58:12 AM Information VPN (repeated 1 times in last 0 sec) id=96560 msg="VPN tunnel status" vpnstate=disconnected vpntype=ipsec
6/12/2019 5:58:13 AM Information Config id=96882 msg="Policy 'fcb-vpn-user' was received and applied"
6/12/2019 5:58:13 AM Notice VPN date=2019-06-12 time=05:58:12 logver=2 type=traffic level=notice sessionid=4164911744 hostname=STA03L69 pcdomain=something.com uid=63C21CA814AE47268DDA54E0C1589563 devid=FCT8000643515793 fgtserial=N/A emsserial=FCTEMS0000097287 regip=N/A srcname=ipsec srcproduct=N/A srcip=10.100.31.100 srcport=N/A direction=outbound dstip=12.24.145.18 remotename=N/A dstport=4500 user=kfcoleman proto=6 rcvdbyte=501120 sentbyte=224744 utmaction=passthrough utmevent=vpn threat=disconnect vd=fcm_root fctver=6.0.5.0209 os="Microsoft Windows 10 Enterprise Edition, 64-bit (build 17134)" usingpolicy="fcb-vpn-user" service= url=N/A userinitiated=0 browsetime=N/A
6/12/2019 5:58:14 AM Information VPN id=96560 msg="VPN tunnel status" vpnstate=disconnected vpntype=ipsec
6/12/2019 5:58:14 AM Notice VPN date=2019-06-12 time=05:58:13 logver=2 type=traffic level=notice sessionid=4164911744 hostname=STA03L69 pcdomain=fcbinc.com uid=63C21CA814AE47268DDA54E0C1589563 devid=FCT8000643515793 fgtserial=N/A emsserial=FCTEMS0000097287 regip=N/A srcname=ipsec srcproduct=N/A srcip=0.0.0.0 srcport=N/A direction=outbound dstip=12.24.145.18 remotename=N/A dstport=4500 user=kfcoleman proto=6 rcvdbyte=584016 sentbyte=254664 utmaction=passthrough utmevent=vpn threat=disconnect vd=fcm_root fctver=6.0.5.0209 os="Microsoft Windows 10 Enterprise Edition, 64-bit (build 17134)" usingpolicy="fcb-vpn-user" service= url=N/A userinitiated=0 browsetime=N/A
6/12/2019 5:58:18 AM Information AntiVirus CBBS Callhome success and next callhome = 86400 seconds later
6/12/2019 5:58:51 AM Information AntiVirus CCloudScanner detected fct not registered now
6/12/2019 8:52:28 AM Information AntiVirus CCloudScanner detected fct registered to fgt
6/12/2019 8:52:30 AM Information Config id=96882 msg="Policy 'fcb-vpn-user' was received and applied"
Attached is the same event, but at a different time, with Debug enabled.
6/12/2019 5:58:12 AM Information AntiVirus CCloudScanner detected fct registered to fgt <- why register to FortiGate? Telemetry is NOT enabled on the interface and EMS is not instructing it to hit FortiGate as gateway.
Debug logs attached. ESNAC seems to be the culprit but I can't understand why... Also, we do not have our EMS open from the WAN, so clients cannot register to it when offnet. I've seen instances when offnet and the client has all features enabled (AV, Web Filtering, Firewall, etc.). Why would this be? Seems like offnet it'd stay the same as when connected to EMS.
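To check the pattern in the log above across many clients (tunnel up, then a registration change or policy push, then tunnel down seconds later), here is an added example that is not part of the original post and is not Fortinet code. The line layout is inferred from the log lines shown here, and the names `parse`, `short_sessions`, `max_len` and `slack` are made up for this sketch.

```python
import re
from datetime import datetime, timedelta

# Sample lines abridged from the log in the post above (same timestamps and text).
SAMPLE = """\
6/12/2019 5:55:45 AM Information AntiVirus CCloudScanner detected fct not registered now
6/12/2019 5:58:03 AM Information VPN id=96560 msg="VPN tunnel status" vpnstate=connected vpntype=ipsec
6/12/2019 5:58:12 AM Information AntiVirus CCloudScanner detected fct registered to fgt
6/12/2019 5:58:13 AM Information VPN id=96560 msg="VPN tunnel status" vpnstate=disconnected vpntype=ipsec
6/12/2019 5:58:12 AM Information VPN (repeated 1 times in last 0 sec) id=96560 msg="VPN tunnel status" vpnstate=disconnected vpntype=ipsec
6/12/2019 5:58:13 AM Information Config id=96882 msg="Policy 'fcb-vpn-user' was received and applied"
"""

LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (\w+) (\w+) (?:\(repeated [^)]*\) )?(.*)$")
KINDS = [  # (event kind, pattern searched in the message part)
    ("vpn_up", re.compile(r"vpnstate=connected")),
    ("vpn_down", re.compile(r"vpnstate=disconnected")),
    ("registered", re.compile(r"detected fct registered to (\w+)")),
    ("unregistered", re.compile(r"detected fct not registered")),
    ("policy", re.compile(r"Policy '([^']*)' was received and applied")),
]

def parse(text):
    """Return time-sorted (timestamp, kind, detail) tuples for the tracked lines."""
    events = []
    for raw in text.splitlines():
        if m := LINE.match(raw.strip()):
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            for kind, pat in KINDS:
                if hit := pat.search(m.group(4)):
                    events.append((ts, kind, hit.group(1) if hit.groups() else ""))
                    break
    return sorted(events, key=lambda e: e[0])  # "repeated" lines arrive out of order

def short_sessions(events, max_len=timedelta(seconds=15), slack=timedelta(seconds=2)):
    """Tunnels dropped within max_len of coming up, plus non-VPN events seen around them."""
    out, up = [], None
    for ts, kind, _ in events:
        if kind == "vpn_up":
            up = ts
        elif kind == "vpn_down" and up is not None:
            if ts - up <= max_len:
                near = [(k, d) for t, k, d in events
                        if up <= t <= ts + slack and not k.startswith("vpn_")]
                out.append({"up": up, "down": ts, "seconds": (ts - up).total_seconds(), "near": near})
            up = None
    return out

if __name__ == "__main__":
    print(short_sessions(parse(SAMPLE)))
```

On the sample it reports one 9-second session with a "registered to fgt" event and the `fcb-vpn-user` policy push next to the drop; running it over logs from affected and unaffected clients shows whether that sequence separates the two groups.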