- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Forticlient VPN - Hangs on "Connecting" on fir...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forticlient VPN - Hangs on "Connecting" on first attempt.
This affects various versions from 5.0.7 through 5.2.1 (at least).
Our Fortigate VPN server is current 5.0.9.
Frequently, the first (at least) to establish a VPN connects hangs when connecting. If you then disconnect, most often the second an subsequent attempts succeed. Our user community's patience in dealing with this inconvenience is fading.
Here is quote from one user.. " I’ve had this recurring issue with the FCL VPN, despite all the configuration changes over time, where I cannot connect on the first try. I can immediately connect on the second try. I have tried a variety of scenarios (rebooting, not-rebooting, trying different networks, disabling IPV6 etc, disabling security services like EMET) and none of these things have any effect on the result."
We have deployed several different VPN profiles - some used mode config and other use DHCP over ipsec. The problem seems worse with the DHCP profiles, but does occur with the others as well. Any suggested on a possible cause?
Thanks
Rich Mayer
Rich Mayer
LGS Innovations
Rich Mayer LGS Innovations
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's hard to tell by only reading your description. But if you look at FortiGate debug log, it will probably show you what was going on.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same Problem here over years, kind of frustrating. From forticient 4.3 to 5.4, fortios running on the 100D 5.0x to 5.28. Setup is IPSEC VPN with certificates. Different WAN links on the fortigate, different client connection over DSL or mobile networks, no difference. According to the logfile it happens already after the first phase 1 message, Client log says "negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel=XXX vpntype=ipsec". Second attempt works at almost 90%.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the log files (from FortiClient and FortiGate), do you see any certificate verification failed or any other error?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really errors, the fortigate tries to send P1 response but fails. Using main or aggressive mode or enabling IKE fragmentation on the client config makes no difference. We are using client certificates with peer groups for authentication reasons
Here the logs, the yellow lines looks suspicious
ike 0:CP-FC:484: responder:main mode get 2nd message... ike 0:CP-FC:484: NAT detected: PEER [style="background-color: #ffff00;"]ike 0:CP-FC: building CERTREQ for peer client01[/style] [style="background-color: #ffff00;"]ike 0:CP-FC: unable to build CERTREQ for client01[/style] [style="background-color: #ffff00;"]ike 0:CP-FC: building CERTREQ for peer client02[/style] [style="background-color: #ffff00;"]ike 0:CP-FC: unable to build CERTREQ for client02[/style] [style="background-color: #ffff00;"]ike 0:CP-FC: building CERTREQ for any[/style] ike 0:CP-FC:483: sent IKE msg (ident_r2send): 95.117.33.150:500->89.204.130.72:16146, len=465, id=7919776837ff80db/afef9b5650fff93e [style="background-color: #ff9900;"]ike 0: comes 89.204.130.72:16146->95.117.33.150:500,ifindex=3....[/style] ike 0: IKEv1 exchange=Identity Protection id=7919776837ff80db/afef9b5650fff93e len=356 ike 0:CP-FC:483: retransmission, re-send last message ike 0:CP-FC:483: sent IKE msg (retransmit): 95.117.33.150:500->89.204.130.72:16146, len=465, id=7919776837ff80db/afef9b5650fff93e ike 0:CP-FC:483: sent IKE msg (P1_RETRANSMIT): 95.117.33.150:500->89.204.130.72:16146, len=465, id=7919776837ff80db/afef9b5650fff93e ike 0: comes 89.204.130.72:16146->95.117.33.150:500,ifindex=3.... ike 0: IKEv1 exchange=Identity Protection id=7919776837ff80db/afef9b5650fff93e len=356 ike 0:CP-FC:483: retransmission, re-send last message ike 0:CP-FC:483: sent IKE msg (retransmit): 95.117.33.150:500->89.204.130.72:16146, len=465, id=7919776837ff80db/afef9b5650fff93e ike 0:CP-FC:483: negotiation timeout, deleting ike 0:CP-FC: connection expiring due to phase1 down ike 0:CP-FC: deleting ike 0:CP-FC: flushing ike 0:CP-FC: sending SNMP tunnel DOWN trap ike 0:CP-FC: flushed ike 0:CP-FC: reset NAT-T ike 0:CP-FC: deleted The second attempt works and then the logs are different in one point. ike 0:CP-FC:485: responder:main mode get 2nd message... ike 0:CP-FC:485: NAT detected: PEER [style="background-color: #ffff00;"]ike 0:CP-FC: sending 1 CERTREQ payload[/style] ike 0:CP-FC:485: sent IKE msg (ident_r2send): 95.117.33.150:500->89.204.130.72:14943, len=361, id=a2611a8be1a0c76f/3855a1dd911dc2e5 [style="background-color: #ff9900;"]ike 0: comes 89.204.130.72:13539->95.117.33.150:4500,ifindex=3....[/style] ike 0: IKEv1 exchange=Identity Protection id=a2611a8be1a0c76f/3855a1dd911dc2e5 len=1324 ike 0:CP-FC:485: responder: main mode get 3rd message...
I just noticed another difference (marked in orange):
In the first failed connection attempt the forticlient answers to the fortigate on port 500, on the second on 4500, which should be the correct port because of the NAT detection...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I opened a support case regarding this issue. It's annoying, especially for users who are travelling and just quickly want to check their emails etc...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is that fortclient 6.0 inst compatible with your SO. Just download an older verson of fortclient, and the problem will be solved.
Related Posts
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.