lancorp
New Contributor

IPSEC clients bumped off when new IPSEC client connects

I've been fielding complaints by users saying their VPN is dropping multiple times for no reason.  It's been very puzzling, because the event logs do not show any real reason.

Today (early morning), I was connected with 5.2.4 on Windows 10, everything was fine.  All of a sudden, I got a notification that my VPN was disconnected.  I checked the event logs and noticed that at the exact time of my disconnection, another VPN user connected.  

The same thing happened once more a few minutes later.  I reconnected and the event log shows the only other user that was connected, was dropped at the exact moment of my connection.

What is happening and why?  Surely our Fortigate 80C can handle more than one user.  I would say that we started having this problem after using 5.2.3 for Windows.  The older versions of FortiClient didn't seem to do this.    Also, we use ONLY the IPSEC VPN client.  No anti-virus or security.  

Each client is configured by restoring a single preconfigured setting (every client uses the same .conf file) and each user has their own login.


Any ideas would be appreciated.

emnoc
Esteemed Contributor III

Each client is configured by restoring a single preconfigured setting (every client uses the same .conf file) and each user has their own login.

 

Are you sure that each user is unique? Sounds like a multiple-sessions allowance issue. I would re-create a flat new user and have him/her connect.

PCNSE NSE StrongSwan
lancorp
New Contributor

emnoc wrote:

Each client is configured by restoring a single preconfigured setting (every client uses the same .conf file) and each user has their own login.

 

Are you sure that each user is unique? Sounds like a multiple-sessions allowance issue. I would re-create a flat new user and have him/her connect.

 

Yes, each user is created separately on our 80C with a unique username and password and each user uses that username and password to log in.  We are not sharing a single username if that is what you are asking.

 

I notice in the logs that the instant a new connection comes up, phase 2 is brought down on the existing connection, then phase 1, and then it is dead.

sijo_km
New Contributor

Hi All, I am facing another problem with the site-to-site VPN (Fortinet to Cisco ASA). Frequently the tunnel goes down and it does not come up automatically. A manual restart is required to bring the tunnel up. Auto Negotiate and keepalive are enabled already.

Has anyone else faced this problem before?

Thanks

Sijo

lancorp

sijo.km wrote:

Hi All, I am facing another problem with the site-to-site VPN (Fortinet to Cisco ASA). Frequently the tunnel goes down and it does not come up automatically. A manual restart is required to bring the tunnel up. Auto Negotiate and keepalive are enabled already.

Has anyone else faced this problem before?

Thanks

Sijo

This is really a separate issue and should not be posted under my thread.  You would be better off starting your own thread with your issues so they can be addressed separately.

lancorp
New Contributor

I believe I have identified the issue.  The config file I load into each FortiClient software has a hard-coded (manually set) DHCP IP address.  So everyone is trying to use the same local IP, which, I guess, is bumping off others.  Not sure why it is suddenly doing that, but I have tested it by setting client #2 with a different local IP and it works.

 

I tried setting up IPSEC-DHCP but could not get it to work.  It is enabled under Phase 2 on the Fortigate 80C.  I configured a DHCP server of type IPSEC on the internal interface, and tried both relay (pointing to our internal DHCP server) and regular (with a small pool of local IP addresses and settings defined).  Neither worked.   When I set the FortiClient to "DHCP over IPSEC" and have IPv4 Tunnel set with the destination VPN network, I can never connect.  I saw some ESP errors in the log, but basically the client would not connect.  It just sits there saying "Connecting..." forever.

 

What am I missing about setting up IPSEC DHCP?  
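The diagnostic work in this thread (spotting in the event log that an existing tunnel drops at the exact moment another client connects, and then tracing it to every client negotiating the same hard-coded inner IP) can be automated. The following is an added example, not part of the original thread and not FortiGate code; the log lines are constructed in a simplified key=value format that is an assumption, not real FortiGate event-log syntax, so the parser would need adapting to the actual log fields.

```python
import re
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample event log (simplified, NOT real FortiGate syntax):
# two users negotiate the same inner IP, and the first is torn down
# (phase 2 first, then phase 1) the instant the second one connects.
SAMPLE_LOG = """\
2016-03-01 07:58:02 action=negotiate status=success user=alice remip=203.0.113.10 assigned_ip=192.168.100.5
2016-03-01 08:14:30 action=negotiate status=success user=bob remip=198.51.100.7 assigned_ip=192.168.100.5
2016-03-01 08:14:30 action=phase2-down user=alice remip=203.0.113.10
2016-03-01 08:14:31 action=phase1-down user=alice remip=203.0.113.10
2016-03-01 08:20:05 action=negotiate status=success user=carol remip=192.0.2.44 assigned_ip=192.168.100.9
2016-03-01 09:05:00 action=phase1-down user=carol remip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")  # "<date> <time> <key=value ...>"

def parse_log(text):
    # Turn each line into a dict of fields plus a parsed "ts" timestamp.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events

def find_bumped_clients(events, window=timedelta(seconds=5)):
    # (bumped_user, new_user, inner_ip) wherever a phase 2 teardown of one
    # user lands within `window` after a different user's successful negotiate.
    ups = [e for e in events if e["action"] == "negotiate" and e.get("status") == "success"]
    downs = [e for e in events if e["action"] == "phase2-down"]
    hits = []
    for d in downs:
        for u in ups:
            if u["user"] != d["user"] and timedelta(0) <= d["ts"] - u["ts"] <= window:
                hits.append((d["user"], u["user"], u.get("assigned_ip")))
    return hits

def find_duplicate_inner_ips(events):
    # Root cause from the thread: more than one user bound to the same inner IP.
    by_ip = defaultdict(set)
    for e in events:
        if e["action"] == "negotiate" and "assigned_ip" in e:
            by_ip[e["assigned_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}
```

On the constructed log this reports alice being bumped by bob and flags 192.168.100.5 as shared by both, which is exactly the signature to look for before switching clients to DHCP over IPsec.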


lancorp
New Contributor

In case anyone has a similar issue with IPSEC DHCP, the problem was that I needed a firewall policy set that passes DHCP from internal to WAN using action ENCRYPT, and also on the DHCP service, the interface should be your WAN port, not the internal.

 

It's working now.
