Hi
I have been running IPsec VPN for years without any issue. All of a sudden my users started to complain that they are unable to access the internal network.
VPN shows it's connected.
FortiGate log shows incoming ping requests from the client.
Client receives "request timed out".
My firewall is disabled and I uninstalled the antivirus from the client.
I tried different versions of FortiClient and different firmwares of the FortiGate.
I noticed the problem is with Windows 10.
When I disconnect FortiClient and connect again, ping works fine for a few minutes, then the same problem happens again.
Any idea?
Did you recently upgrade either the FGT or those client machines' OS? If the tunnel is really up, the IKE debugging (diag debug app ike -1) wouldn't show anything suspicious. Then you need to run flow debug (diag debug flow) to see what happens to those un-returned ping packets.
I have done more testing and noticed the problem occurs when I use Wi-Fi routers (from the same ISP).
I tried connecting from my ADSL and mobile hotspot connectivity and didn't face any issue (both are from the same ISP as my Wi-Fi).
Not sure if it makes any sense that my ISP is disturbing VPN traffic on Wi-Fi but allowing it on ADSL and mobile.
I have enabled debug log on FortiClient and below is what I get:
```
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: <?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='2' dtls='1' patch='1'><dtls-config heartbeat-interval='10' heartbeat-fail-count='10' heartbeat-idle-timeout='10' client-hello-timeout='10' /><tunnel-method value='ppp' /><tunnel-method value='tun' /><fos platform='FG100D' major='6' minor='02' patch='2' build='1010' branch='1010' /><auth-ses check-src-ip='1' tun-connect-without-reauth='0' tun-user-ses-timeout='30' /><client-config save-password='off' keep-alive='off' auto-connect='off' /><ipv4><assigned-addr ipv4='172.21.10.1' /><split-tunnel-info><addr ip='10.1.5.0' mask='255.255.255.0' /><addr ip='192.168.1.0' mask='255.255.255.0' /><addr ip='192.168.10.0' mask='255.255.255.0' /><addr ip='192.168.20.0' mask='255.255.255.0' /><addr ip='192.168.30.0' mask='255.255.255.0' /><addr ip='192.168.50.0' mask='255.255.255.0' /><addr ip='192.168.100.0' mask='255.255.255.0' /><addr ip='192.168.40.0' mask='255.255.255.0' /><addr ip='172.17.2.10' mask='255.255.255.255' /><addr ip='192.168.2.0' mask='255.255.255.0' /><addr ip='172.17.1.10' mask='255.255.255.255' /><addr ip='10.1.5.0' mask='255.255.255.0' /></split-tunnel-info></ipv4><idle-timeout val='10000' /><auth-timeout val='28800' /></sslvpn-tunnel>
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ======
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: GetWebPage(): bRC=1,CT=(text/xml)
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: CSvlauncherDlg::ConnectFortiSslvpn() Called.
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ConnName =NFH
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: Server =217.17.240.158:10443?4zC1VK31cHNMWDlcMKikQvhjYEuxGRA0aneNdOTD+fEK6TPTegkrK/F2JFYTrsQz4Q9F8Ksup4xksZCPhx+3/DlhU5P6sqiyVPdWWBKTwGG8Jq0Y5RLSFN7GZrinw/Cj6TBwjSiF/4OU4jjvUmPwPghfxcs/vrgVOPEwPwHVh4OPo/RhA8Q8Cy86SJNp25b/X4J3VevliLo9/ukXnj7Etdcas9TlWZf/PkqE0E0w4UvfcBxEULnswSnG8ANJbm12
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: SplitTunnelInfo=10.1.5.0/255.255.255.0,192.168.1.0/255.255.255.0,192.168.10.0/255.255.255.0,192.168.20.0/255.255.255.0,192.168.30.0/255.255.255.0,192.168.50.0/255.255.255.0,192.168.100.0/255.255.255.0,192.168.40.0/255.255.255.0,172.17.2.10/255.255.255.255,192.168.2.0/255.255.255.0,172.17.1.10/255.255.255.255,10.1.5.0/255.255.255.0
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ExclusiveRouting=0
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ConnOptionsFlagBits=00000002
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ProxyInfo=
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: 7684: tunnel_close() called
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: 7684: sock_close() called:-1
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: SSL VPN Tunnel is Disconnected *********
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: <<<<DoConnect(): bRC=0, ErrorCode=-20199
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn:
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: GetWebPage(): URL=FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: ======
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: <HTML> <HEAD> <META http-equiv="Content-Type" content="text/html; charset=utf-8"> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <link href="/style.css?q=ff1adf71b95ffc214660f39ac7405dec" rel="stylesheet" type="text/css"> <script type='text/javascript' src='/remote/fgt_lang?lang=en'></script> </head> <body class="main"> <table class="container" cellpadding="0" cellspacing="0"> <tr> <td><table class="dialog" width=300 align="center" cellpadding="0" cellspacing="0"> <tr> <td><table class="header" cellpadding="0" cellspacing="0"> <tr> <td id="err_title"></td> </tr> </table></td> </tr> <script>document.getElementById('err_title').innerHTML=fgt_lang['error'];</script> <tr> <td class="body" height=100><table class="body"><tr><td id='err_val' title='403' align="center"> <script> var errval_elem=document.getElementById('err_val'); var errval=errval_elem.getAttribute('title').split(','); var err_str = fgt_lang[errval[0]]; if (err_str == undefined) { errval_elem.innerHTML = "some unknown error!<br>"; } else { if (errval.length == 2) { err_str = err_str.replace("%d", errval[1]); } errval_elem.innerHTML = err_str; } </script></td></tr></table></td> </tr> <tr><td> <table class="footer" cellpadding="0" cellspacing="0"> <tr><td> <input id="ok_button" type="button" value="" onclick="chkbrowser()" style="width:80px"> </td></tr> </table> </td></tr> </table> </body> <script language = "javascript"> document.getElementById('ok_button').value=fgt_lang['ok']; function chkbrowser() { if (window.location.pathname == "/remote/login") window.location.reload(); else window.location.href = "/remote/login";} </script> </html>
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: ======
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: GetWebPage(): bRC=1,CT=(text/html)
29/10/2019 11:27:26 PM Error VPN id=96603 user=Mahmood msg="SSLVPN tunnel connection failed (Error=-20199)." remotegw=217.17.240.158 vpnstate=connected vpntunnel=NFH vpntype=ssl vpnuser=mfraidoon
29/10/2019 11:27:31 PM Notice VPN date=2019-10-29 time=23:27:30 logver=1 type=traffic level=notice sessionid=1983349504 hostname=DESKTOP-PAPPKCH pcdomain= uid=743CD24DC69A4CF3BC8176D17C1BA348 devid=FCT8003027578809 fgtserial=N/A emsserial=N/A regip=N/A srcname=sslvpn srcproduct=N/A srcip=172.21.10.1 srcport=N/A direction=outbound dstip=217.17.240.158 remotename=N/A dstport=10443 user=mfraidoon proto=6 rcvdbyte=25769808684 sentbyte=25769819030 utmaction=passthrough utmevent=vpn threat=disconnect vd=N/A fctver=6.2.0.0780 os="Microsoft Windows 10 Professional Edition, 64-bit (build 10240)" usingpolicy="" service= url=N/A userinitiated=0 browsetime=N/A
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: _ReceiveMessage: (000006C0)
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:27:31 PM Information VPN id=96600 user=Mahmood msg="SSLVPN tunnel status" vpnstate=connected vpntype=ssl
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: _ReceiveMessage: (00000634)
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: _ReceiveMessage: (000005E8)
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: _ReceiveMessage: (00000698)
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: _ReceiveMessage: (000005DC)
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:28:21 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:28:21 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:28:21 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
```
Still no idea what to do.
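Added example, not from the thread or from Fortinet: a small Python triage script for the run-together FortiClient debug log format posted above. The sample entries are constructed from lines in that log; the script splits the dump at each timestamp and pulls out the facts worth checking first (the ErrorCode=-20199 / HTTP 403 / "Broken pipe" sequence, and the client still reporting vpnstate=connected after the failure, which matches users seeing the VPN as up while traffic dies).

```python
import re

# Timestamp prefix used by every entry in the FortiClient debug log above.
TS = r"\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
# One entry: timestamp, level (Debug/Error/Notice/Information), category, message.
# Entries are run together on one line, so a message ends where the next timestamp starts.
ENTRY = re.compile(rf"({TS}) (\w+) (\w+) (.*?)(?= {TS} |\Z)", re.S)

# Constructed sample: a few entries taken from the log above, in the same run-together form.
SAMPLE = (
    "29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: <<<<DoConnect(): bRC=0, ErrorCode=-20199 "
    "29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: <HTML> ... <td id='err_val' title='403' align=\"center\"> ... </html> "
    "29/10/2019 11:27:26 PM Error VPN id=96603 user=Mahmood "
    "msg=\"SSLVPN tunnel connection failed (Error=-20199).\" remotegw=217.17.240.158 vpnstate=connected vpntype=ssl "
    "29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3). "
    "29/10/2019 11:27:31 PM Information VPN id=96600 user=Mahmood msg=\"SSLVPN tunnel status\" vpnstate=connected vpntype=ssl "
    "29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3)."
)

def parse_entries(text):
    """Split a run-together FortiClient debug dump into (timestamp, level, category, message) tuples."""
    return [(m.group(1), m.group(2), m.group(3), m.group(4).strip()) for m in ENTRY.finditer(text)]

def triage(text):
    """Collect error codes, gateway HTTP errors, broken-pipe repeats and the reported tunnel state."""
    report = {"error_codes": set(), "http_errors": [], "broken_pipe": 0, "vpnstate": []}
    for ts, level, _cat, msg in parse_entries(text):
        # Both the "ErrorCode=-20199" (DoConnect) and "(Error=-20199)" (event log) forms.
        for code in re.findall(r"Error(?:Code)?=(-?\d+)", msg):
            report["error_codes"].add(int(code))
        # The gateway's HTML error page carries the HTTP status in title='403'.
        report["http_errors"] += re.findall(r"title='(\d{3})'", msg)
        if "Broken pipe" in msg:
            report["broken_pipe"] += 1
        state = re.search(r"vpnstate=(\w+)", msg)
        if state:
            report["vpnstate"].append((ts, level, state.group(1)))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it over the whole dump saved to a file (read the file into `triage`) to see whether every reconnect repeats the same failed-connect, 403, broken-pipe pattern before the tunnel goes quiet.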
What does "diag debug flow" show? Also, what is happening at the FC route table on this Win10 machine? Also, is the problem only Win10, or do you have other winvers?
Ken Felix
PCNSE
NSE
StrongSwan