Hi all, I have an issue with 2 of my users when they use FortiClient SSL VPN to access office resources.
My current setup:
SD-WAN with 2 WAN members
SSL VPN which listens on both WAN interfaces
When they connect the VPN via WAN1, all is working as expected. When they connect the VPN via WAN2, the FortiClient connects and I can ping office resources, but as soon as they try to browse file servers or use RDP or anything that requires more bandwidth than an ICMP packet, the traffic stops flowing through the VPN but the VPN stays connected. The route table stays the same, and traffic is still trying to flow through the VPN. Ping requests start timing out, RDP loses connection, file servers can't be browsed... Re-establishing the VPN gets the ping requests flowing again, but only until you try RDP or browse the file servers again. This happens every single time.
When the users change their ISP (both use different ISPs) or they connect to WAN1, the VPN starts working as expected.
Does anyone have any advice as to what the issue can be? This only happens to 2 users, while the rest of the users don't experience this problem. I have thought about the possibility of MTU/MRU config on WAN2, but this didn't help either. It seems that traffic can flow over WAN2 for these users as long as the packets stay small in size?
When the VPN stops working, do you still see incoming packets from the SSL VPN? The question is whether packets from the VPN are received and the FortiGate is just doing something wrong with them, or whether you will not even see any incoming packets; that would indicate something is wrong with the VPN itself. Please run debug flow when you are not able to ping/connect to the RDP server to see if there will be any hint as to what is going on.
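The debug flow and sniffer session the reply above is asking for, written out as an added example (this is not part of either poster's text). The addresses are assumptions: 10.0.0.50 stands in for the RDP/file server and 10.212.134.200 for the SSL VPN client's tunnel IP; replace them with the real ones. Run it on the FortiGate CLI while the user reproduces the failure.

```fortios
# --- 1. Clear any previous debug state ---
diagnose debug reset
diagnose debug flow filter clear

# --- 2. Narrow the trace to the failing flow (assumed: RDP to 10.0.0.50) ---
# Filter by the destination server, then by TCP (proto 6) and the RDP port,
# so the trace is not flooded by the rest of the tunnel traffic.
diagnose debug flow filter addr 10.0.0.50
diagnose debug flow filter proto 6
diagnose debug flow filter port 3389

# --- 3. Make the output readable and start the trace ---
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable

# Have the user open the RDP session now. Each packet that the kernel handles
# prints lines such as "allocate a new session", "find a route", "Allowed by
# Policy-x" or a "Denied" / "reverse path check fail" reason. No lines at all
# means the packets never reached the FortiGate over the tunnel.

# --- 4. Stop the trace when done ---
diagnose debug disable
diagnose debug reset

# --- 5. Cross-check on the wire: does the traffic arrive from the tunnel at all? ---
# Verbosity 4 prints the interface name (expect ssl.root for packets coming
# out of the SSL VPN tunnel); count 0 = until Ctrl-C; 'l' = local timestamps.
diagnose sniffer packet any 'host 10.0.0.50 and port 3389' 4 0 l

# --- 6. Compare with the outer (TLS) side of the tunnel on WAN2 (assumed: port2, public client IP 203.0.113.10) ---
diagnose sniffer packet port2 'host 203.0.113.10 and port 443' 4 0 l
```

Read the two captures together: if the inner sniffer on ssl.root shows the RDP SYN and the debug flow shows it being allowed and routed, the FortiGate is handling the packets and the problem is on the return path or beyond; if the outer capture on WAN2 shows only small TLS records arriving and nothing once the transfer starts, the loss is between the client and WAN2 and an MTU or ISP issue is the more likely explanation. A quick client-side complement is a don't-fragment ping of increasing size from the user's PC (on Windows, `ping 10.0.0.50 -f -l 1300`, then larger), which tells you the largest packet that currently makes it through the tunnel.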