Mahmood_Fraidoon
New Contributor

IPSec VPN is up but can't access anything

Hi

I have been running IPsec VPN for years without any issue. All of a sudden my users started to complain that they are unable to access the internal network.

VPN shows it's connected

FortiGate log shows incoming ping requests from client

Client receives request timed out

My firewall is disabled and I uninstalled antivirus from the client

I tried different versions of FortiClient and different firmwares of FortiGate

I noticed the problem is with Windows 10.

When I disconnect FortiClient and connect again, ping works fine for a few minutes, then the same problem happens again

Any idea?

Toshi_Esumi
Esteemed Contributor III

Did you recently upgrade either the FGT or those client machines' OS? If the tunnel is really up the IKE debugging (diag debug app ike -1) wouldn't show anything suspicious. Then you need to run flow debug (diag debug flow) to see what happens to those un-returned ping packets.

Mahmood_Fraidoon

I have done more testing and noticed the problem occurs when I use Wi-Fi routers (from the same ISP).

I tried connecting from my ADSL and mobile hotspot connectivity and didn't face any issue (both are from the same ISP as my Wi-Fi).

Not sure if it makes any sense that my ISP is disturbing VPN traffic on Wi-Fi but allowing it on ADSL and mobile.

Mahmood_Fraidoon

I have enabled debug log on FortiClient and below is what I get

 

29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: <?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='2' dtls='1' patch='1'><dtls-config heartbeat-interval='10' heartbeat-fail-count='10' heartbeat-idle-timeout='10' client-hello-timeout='10' /><tunnel-method value='ppp' /><tunnel-method value='tun' /><fos platform='FG100D' major='6' minor='02' patch='2' build='1010' branch='1010' /><auth-ses check-src-ip='1' tun-connect-without-reauth='0' tun-user-ses-timeout='30' /><client-config save-password='off' keep-alive='off' auto-connect='off' /><ipv4><assigned-addr ipv4='172.21.10.1' /><split-tunnel-info><addr ip='10.1.5.0' mask='255.255.255.0' /><addr ip='192.168.1.0' mask='255.255.255.0' /><addr ip='192.168.10.0' mask='255.255.255.0' /><addr ip='192.168.20.0' mask='255.255.255.0' /><addr ip='192.168.30.0' mask='255.255.255.0' /><addr ip='192.168.50.0' mask='255.255.255.0' /><addr ip='192.168.100.0' mask='255.255.255.0' /><addr ip='192.168.40.0' mask='255.255.255.0' /><addr ip='172.17.2.10' mask='255.255.255.255' /><addr ip='192.168.2.0' mask='255.255.255.0' /><addr ip='172.17.1.10' mask='255.255.255.255' /><addr ip='10.1.5.0' mask='255.255.255.0' /></split-tunnel-info></ipv4><idle-timeout val='10000' /><auth-timeout val='28800' /></sslvpn-tunnel>
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ======
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: GetWebPage(): bRC=1,CT=(text/xml)
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: CSvlauncherDlg::ConnectFortiSslvpn() Called.
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ConnName =NFH
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: Server =217.17.240.158:10443?4zC1VK31cHNMWDlcMKikQvhjYEuxGRA0aneNdOTD+fEK6TPTegkrK/F2JFYTrsQz4Q9F8Ksup4xksZCPhx+3/DlhU5P6sqiyVPdWWBKTwGG8Jq0Y5RLSFN7GZrinw/Cj6TBwjSiF/4OU4jjvUmPwPghfxcs/vrgVOPEwPwHVh4OPo/RhA8Q8Cy86SJNp25b/X4J3VevliLo9/ukXnj7Etdcas9TlWZf/PkqE0E0w4UvfcBxEULnswSnG8ANJbm12
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: SplitTunnelInfo=10.1.5.0/255.255.255.0,192.168.1.0/255.255.255.0,192.168.10.0/255.255.255.0,192.168.20.0/255.255.255.0,192.168.30.0/255.255.255.0,192.168.50.0/255.255.255.0,192.168.100.0/255.255.255.0,192.168.40.0/255.255.255.0,172.17.2.10/255.255.255.255,192.168.2.0/255.255.255.0,172.17.1.10/255.255.255.255,10.1.5.0/255.255.255.0
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ExclusiveRouting=0
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ConnOptionsFlagBits=00000002
29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ProxyInfo=
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: 7684: tunnel_close() called
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: 7684: sock_close() called:-1
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: SSL VPN Tunnel is Disconnected *********
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: <<<<DoConnect(): bRC=0, ErrorCode=-20199
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn:
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: GetWebPage(): URL=FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: ======
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: <HTML> <HEAD> <META http-equiv="Content-Type" content="text/html; charset=utf-8"> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <link href="/style.css?q=ff1adf71b95ffc214660f39ac7405dec" rel="stylesheet" type="text/css"> <script type='text/javascript' src='/remote/fgt_lang?lang=en'></script> </head> <body class="main"> <table class="container" cellpadding="0" cellspacing="0"> <tr> <td><table class="dialog" width=300 align="center" cellpadding="0" cellspacing="0"> <tr> <td><table class="header" cellpadding="0" cellspacing="0"> <tr> <td id="err_title"></td> </tr> </table></td> </tr> <script>document.getElementById('err_title').innerHTML=fgt_lang['error'];</script> <tr> <td class="body" height=100><table class="body"><tr><td id='err_val' title='403' align="center"> <script> var errval_elem=document.getElementById('err_val'); var errval=errval_elem.getAttribute('title').split(','); var err_str = fgt_lang[errval[0]]; if (err_str == undefined) { errval_elem.innerHTML = "some unknown error!<br>"; } else { if (errval.length == 2) { err_str = err_str.replace("%d", errval[1]); } errval_elem.innerHTML = err_str; } </script></td></tr></table></td> </tr> <tr><td> <table class="footer" cellpadding="0" cellspacing="0"> <tr><td> <input id="ok_button" type="button" value="" onclick="chkbrowser()" style="width:80px"> </td></tr> </table> </td></tr> </table> </body> <script language = "javascript"> document.getElementById('ok_button').value=fgt_lang['ok']; function chkbrowser() { if (window.location.pathname == "/remote/login") window.location.reload(); else window.location.href = "/remote/login";} </script> </html>
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: ======
29/10/2019 11:27:26 PM Debug VPN FortiSslvpn: GetWebPage(): bRC=1,CT=(text/html)
29/10/2019 11:27:26 PM Error VPN id=96603 user=Mahmood msg="SSLVPN tunnel connection failed (Error=-20199)." remotegw=217.17.240.158 vpnstate=connected vpntunnel=NFH vpntype=ssl vpnuser=mfraidoon
29/10/2019 11:27:31 PM Notice VPN date=2019-10-29 time=23:27:30 logver=1 type=traffic level=notice sessionid=1983349504 hostname=DESKTOP-PAPPKCH pcdomain= uid=743CD24DC69A4CF3BC8176D17C1BA348 devid=FCT8003027578809 fgtserial=N/A emsserial=N/A regip=N/A srcname=sslvpn srcproduct=N/A srcip=172.21.10.1 srcport=N/A direction=outbound dstip=217.17.240.158 remotename=N/A dstport=10443 user=mfraidoon proto=6 rcvdbyte=25769808684 sentbyte=25769819030 utmaction=passthrough utmevent=vpn threat=disconnect vd=N/A fctver=6.2.0.0780 os="Microsoft Windows 10 Professional Edition, 64-bit (build 10240)" usingpolicy="" service= url=N/A userinitiated=0 browsetime=N/A
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: _ReceiveMessage: (000006C0)
29/10/2019 11:27:31 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:27:31 PM Information VPN id=96600 user=Mahmood msg="SSLVPN tunnel status" vpnstate=connected vpntype=ssl
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: _ReceiveMessage: (00000634)
29/10/2019 11:27:41 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: _ReceiveMessage: (000005E8)
29/10/2019 11:27:51 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: _ReceiveMessage: (00000698)
29/10/2019 11:28:01 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: _ReceiveMessage: (000005DC)
29/10/2019 11:28:11 PM Debug VPN FortiSslvpn: Broken pipe! Client is exited (3).
29/10/2019 11:28:21 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): Wait(hEventOverLapped) OK.
29/10/2019 11:28:21 PM Debug VPN FortiSslvpn: before ConnectNamedPipe
29/10/2019 11:28:21 PM Debug VPN FortiSslvpn: Init:ConnectNamedPipe(): rc=0, err=997

 

Still no idea what to do

emnoc
Esteemed Contributor III

What does "diag debug flow" show? Also what is happening at the FC route table on this win10 machine? Also is the problem only win10 or do you have other winver?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  
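
One way to follow up on the route-table question above, as an added example that is not part of the thread or Fortinet code: the script reads the SplitTunnelInfo entry that FortiClient writes to its debug log and reports duplicate split-tunnel routes and routes that overlap a subnet the client is directly attached to. The sample log text is constructed from a few routes in the posted log, and the local Wi-Fi subnet in LOCAL_NETS is an assumption.

```python
import ipaddress
import re

# Constructed sample: a shortened SplitTunnelInfo entry in the format shown in
# the posted FortiClient debug log, followed by the next log entry.
SAMPLE_LOG = (
    "29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: SplitTunnelInfo="
    "10.1.5.0/255.255.255.0,192.168.1.0/255.255.255.0,"
    "172.17.2.10/255.255.255.255,10.1.5.0/255.255.255.0 "
    "29/10/2019 11:27:24 PM Debug VPN FortiSslvpn: ExclusiveRouting=0"
)
LOCAL_NETS = ["192.168.1.0/24"]  # assumption: subnet handed out by the Wi-Fi router


def split_tunnel_routes(log_text):
    """Return the routes of every SplitTunnelInfo= entry as ip_network objects."""
    routes = []
    for entry in re.findall(r"SplitTunnelInfo=(\S+)", log_text):
        for item in entry.split(","):
            # ip_network accepts the address/netmask form used in the log
            routes.append(ipaddress.ip_network(item, strict=False))
    return routes


def audit_routes(routes, local_nets):
    """Report duplicate tunnel routes and routes that overlap a local subnet."""
    seen, duplicates, conflicts = set(), [], []
    local = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    for route in routes:
        if route in seen:
            duplicates.append(route)
            continue
        seen.add(route)
        conflicts.extend((route, net) for net in local if route.overlaps(net))
    return duplicates, conflicts


if __name__ == "__main__":
    dups, clashes = audit_routes(split_tunnel_routes(SAMPLE_LOG), LOCAL_NETS)
    for r in dups:
        print(f"duplicate split-tunnel route: {r}")
    for r, n in clashes:
        print(f"split-tunnel route {r} overlaps local subnet {n}")
```

Replace LOCAL_NETS with the subnets shown for the physical adapters on the affected client, and feed the function the full debug log text.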
