I've been fielding complaints from users saying their VPN is dropping multiple times for no reason. It's been very puzzling, because the event logs do not show any real reason.
Today (early morning), I was connected with 5.2.4 on Windows 10, and everything was fine. All of a sudden, I got a notification that my VPN was disconnected. I checked the event logs and noticed that at the exact time of my disconnection, another VPN user connected.
The same thing happened once more a few minutes later. I reconnected, and the event log shows the only other user that was connected was dropped at the exact moment of my connection.
What is happening and why? Surely our Fortigate 80C can handle more than one user. I would say that we started having this problem after using 5.2.3 for Windows. The older versions of FortiClient didn't seem to do this. Also, we use ONLY the IPSEC VPN client. No anti-virus or security.
Each client is configured by restoring a single preconfigured setting (every client uses the same .conf file) and each user has their own login.
Any ideas would be appreciated.
Each client is configured by restoring a single preconfigured setting (every client uses the same .conf file) and each user has their own login.
Are you sure that each user is unique? Sounds like a multiple sessions allowance issue. I would re-create a flat new user and have him/her connect.
PCNSE
NSE
StrongSwan
emnoc wrote: Each client is configured by restoring a single preconfigured setting (every client uses the same .conf file) and each user has their own login.
Are you sure that each user is unique? Sounds like a multiple sessions allowance issue. I would re-create a flat new user and have him/her connect.
Yes, each user is created separately on our 80C with a unique username and password and each user uses that username and password to log in. We are not sharing a single username if that is what you are asking.
I notice in the logs that the instant a new connection comes up, phase 2 is brought down on the existing connection, then phase 1, and then it is dead.
Hi All, I am facing another problem with the site to site VPN (Fortinet to Cisco ASA). The tunnel frequently goes down and does not come back up automatically. A manual restart is required to bring the tunnel up. Auto Negotiate and keep alive are enabled already.
Has anyone else faced this problem before?
Thanks
Sijo
sijo.km wrote: Hi All, I am facing another problem with the site to site VPN (Fortinet to Cisco ASA). The tunnel frequently goes down and does not come back up automatically. A manual restart is required to bring the tunnel up. Auto Negotiate and keep alive are enabled already.
Has anyone else faced this problem before?
Thanks
Sijo
This is really a separate issue and should not be posted under my thread. You would be better off starting your own thread with your issues so they can be addressed separately.
I believe I have identified the issue. The config file I load into each FortiClient software has a hard-coded (manually set) DHCP IP address. So everyone is trying to use the same local IP, which I guess is bumping off others. Not sure why it is suddenly doing that, but I have tested it by setting client #2 with a different local IP and it works.
I tried setting up IPSEC-DHCP but could not get it to work. It is enabled under Phase 2 on the Fortigate 80C. I configured a DHCP server of type IPSEC on the internal interface, and tried both relay (pointing to our internal DHCP server) and regular (and defined a small pool of local IP addresses and settings). Neither worked. When I set the FortiClient to "DHCP over IPSEC" and have IPv4 Tunnel set with the destination VPN network, I can never connect. I saw some ESP errors in the log, but basically the client would not connect. It just sits there saying "Connecting..." forever.
What am I missing about setting up IPSEC DHCP?
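As an added example (not from this thread, Fortinet, or FortiClient), here is a small Python check for the symptom described above: one user's phase 2 going down at the same instant another user's tunnel comes up, and whether both sessions were using the same assigned local IP, which is what a shared hard-coded address in the .conf file would produce. The sample log lines and their key=value layout are constructed for the example and are an assumption, not the real FortiGate log schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN event lines (key=value style, an assumption;
# not real FortiGate output). Two clients carry the same assigned IP.
SAMPLE_LOG = """\
time=08:01:10 action=tunnel-up user=alice assigned_ip=10.10.10.5 msg="phase 2 up"
time=08:15:42 action=phase2-down user=alice assigned_ip=10.10.10.5 msg="phase 2 down"
time=08:15:42 action=tunnel-up user=bob assigned_ip=10.10.10.5 msg="phase 2 up"
time=08:15:43 action=phase1-down user=alice assigned_ip=10.10.10.5 msg="phase 1 deleted"
time=08:20:05 action=tunnel-up user=carol assigned_ip=10.10.10.7 msg="phase 2 up"
time=08:35:00 action=phase2-down user=bob assigned_ip=10.10.10.5 msg="phase 2 down"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_log(text):
    """Parse all non-empty lines and attach a datetime for time comparisons."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["time"], "%H:%M:%S")
    return events


def find_bumped_sessions(events, window_seconds=2):
    """Return (dropped_user, new_user, same_ip) for every phase-2 drop that
    coincides, within window_seconds, with a different user's tunnel-up.
    same_ip is True when both sessions used the same assigned local IP."""
    window = timedelta(seconds=window_seconds)
    ups = [e for e in events if e["action"] == "tunnel-up"]
    hits = []
    for down in (e for e in events if e["action"] == "phase2-down"):
        for up in ups:
            if up["user"] != down["user"] and abs(up["ts"] - down["ts"]) <= window:
                hits.append((down["user"], up["user"],
                             up["assigned_ip"] == down["assigned_ip"]))
    return hits


if __name__ == "__main__":
    for dropped, new, same_ip in find_bumped_sessions(parse_log(SAMPLE_LOG)):
        print(f"{dropped} dropped as {new} connected; same assigned IP: {same_ip}")
```

Bob's later drop at 08:35:00 is not flagged because no other user connected within the window, which separates the address clash from an ordinary disconnect.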
In case anyone has a similar issue with IPSEC DHCP, the problem was that I needed a firewall policy set that passes DHCP from internal to WAN using action ENCRYPT, and also on the DHCP service, the interface should be your WAN port, not the internal.
It's working now.
Copyright 2024 Fortinet, Inc. All Rights Reserved.