Hennericho
New Contributor

Forticlient SSL VPN traffic flow problem

Hi all, I have an issue with two of my users when they use FortiClient SSL VPN to access office resources.

My current setup:

  • FortiGate 200E
  • SD-WAN with 2 WAN members
  • SSL VPN which listens on both WAN interfaces

When they connect the VPN via WAN1, all is working as expected. When they connect the VPN via WAN2, the FortiClient connects and I can ping office resources, but as soon as they try to browse file servers or use RDP or anything that requires more bandwidth than an ICMP packet, the traffic stops flowing through the VPN but the VPN stays connected. The route table stays the same, and traffic is still trying to flow through the VPN. Ping requests start timing out, RDP loses its connection, file servers can't be browsed... Re-establishing the VPN gets the ping requests flowing again, but only until you try RDP or browse the file servers again. This happens every single time.

When the users change their ISP (both use different ISPs) or they connect to WAN1, the VPN starts working as expected.

Does anyone have any advice as to what the issue can be? This only happens to two users, while the rest of the users don't experience this problem. I have thought about the possibility of the MTU/MRU config on WAN2, but changing this didn't help either. It seems that traffic can flow over WAN2 for these users as long as the packets stay small in size?

akristof
Staff

Hi,

When the VPN stops working, do you still see incoming packets from the SSL VPN? The question is whether packets from the VPN are received and the FortiGate is just doing something wrong with them, or whether you do not even see any incoming packets, which would indicate that something is wrong with the VPN itself. Please run a debug flow while you are not able to ping/connect to the RDP server to see if there is any hint as to what is going on.

Adrian
vsahu
Staff

Hello,


If you change the packet size of the ping, are you experiencing the same behavior?

If it's a Windows device, have you checked whether there are any pending Windows updates or driver updates?

Take a sniffer and a flow filter on the firewall; it will give a better understanding of the issue.

About the ISP change on the client, can you explain more? When both users change their ISP, does it work as expected with WAN2 as well, or not?

Flow filter :

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Sniffer:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

Regards,
Vishal
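As an added worked example (not part of either reply above, and not FortiOS documentation), the FortiOS CLI sequence that implements the two checks both replies ask for: a flow trace to see how the FortiGate handles the RDP packets, and a sniffer on the tunnel side and the WAN2 side to see whether the client's packets keep arriving at all. The RDP server address 10.0.1.10, the client's public address 198.51.100.25, the interface name wan2 and the SSL VPN listening port 443 are all assumed for illustration; substitute the real values.

```text
# --- 1. Flow trace: are the RDP packets received, and what does the FortiGate do with them? ---
# Addresses/ports below are assumed for illustration.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.1.10          # RDP server (assumed)
diagnose debug flow filter port 3389               # RDP
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable             # show policy/route lookup results
diagnose debug console timestamp enable
diagnose debug flow trace start 200                # trace up to 200 packets
diagnose debug enable
#   ... from the affected client on WAN2: open the RDP session and wait for it to hang ...
diagnose debug disable
diagnose debug reset

# --- 2. Sniffer on the decrypted side: does RDP traffic still enter/leave the tunnel? ---
# verbosity 4 prints interface names, count 0 runs until Ctrl-C, 'l' adds local timestamps
diagnose sniffer packet any 'host 10.0.1.10 and port 3389' 4 0 l

# --- 3. Sniffer on the WAN2 side: do the client's encrypted SSL VPN packets keep arriving? ---
# (client public address and SSL VPN port assumed)
diagnose sniffer packet wan2 'host 198.51.100.25 and port 443' 4 0 l
```

Run the capture in step 3 at the moment the RDP session hangs. If the encrypted packets from the client stop arriving on wan2 while ICMP-sized packets still do, the problem is on the path between the client and WAN2 rather than on the FortiGate; if they keep arriving but step 1 shows the decrypted packets being dropped or mis-routed, the problem is in the FortiGate's handling of them. A client-side complement to the packet-size question in the reply above is a ping with the don't-fragment flag and a growing payload (on Windows, ping -f -l <size> <server>) to find the largest packet that still crosses the tunnel over WAN2.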