Hello,
We have a problem with our VPN.
We are experiencing an issue that occurs once every month, where employees (it changes - skipping between users) using only Mac computers come to the office (but happens also in their home wifi) and are unable to access internet when they are connected to VPN.
We use:
Forticlient vpn only free - last version
IPSEC VPN
When they try to ping servers/addresses: sendto no buffer space available
When it happens I see many interfaces with addresses of VPN (192.168.11.0/24).
After disabling interface with VPN: ifconfig interface utun4 down - internet works!
Another user told me: WIFI works, VPN works. He leaves the computer, computer goes to sleep mode and after that Forticlient seems as connected but no internet!
Another user reported: I was on the train, using HOTSPOT and Forticlient.
Closed the lid (So internet was disconnected). Went to the Office, I was connected to Office's WIFI and had this problem of buffering.
Why are there many interfaces instead of just one? Why does FortiClient create multiple connections?
Thanks
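The check described in the post above (several interfaces holding addresses from the VPN range 192.168.11.0/24), as an added example that is not part of the original thread and is not Fortinet's code. The function names and the sample output are constructed for illustration; it assumes the usual macOS `ifconfig` layout.

```shell
#!/bin/sh
# Added example: list utun interfaces that hold an address in the VPN range.
# 192.168.11.0/24 is the VPN range named in the thread.
VPN_PREFIX="192.168.11."

# Reads `ifconfig` output on stdin; prints "<interface> <address>" per match.
vpn_utuns() {
    awk -v prefix="$VPN_PREFIX" '
        # An unindented "name: flags=..." line starts a new interface block.
        /^[A-Za-z0-9]+: / { iface = $1; sub(/:$/, "", iface) }
        # IPv4 lines look like "inet <addr> --> <peer> netmask ...".
        $1 == "inet" && iface ~ /^utun/ && index($2, prefix) == 1 {
            print iface, $2
        }
    '
}

# Constructed sample in macOS ifconfig layout (not taken from the thread).
sample_ifconfig() {
    cat <<'EOF'
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.0.23 netmask 0xffffff00 broadcast 10.0.0.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::1%utun0 prefixlen 64 scopeid 0xf
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 192.168.11.5 --> 192.168.11.5 netmask 0xffffffff
utun6: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 192.168.11.9 --> 192.168.11.9 netmask 0xffffffff
EOF
}

# Use live output when ifconfig exists, otherwise the constructed sample.
if command -v ifconfig >/dev/null 2>&1; then
    found=$(ifconfig | vpn_utuns)
else
    found=$(sample_ifconfig | vpn_utuns)
fi
count=$(printf '%s\n' "$found" | grep -c . || true)
echo "$(date '+%F %T') utun interfaces with a VPN address: $count"
if [ -n "$found" ]; then
    printf '%s\n' "$found"
fi
```

Saving the timestamped output once while the VPN works and again after the Mac wakes from sleep gives a before/after record to attach alongside the FortiClient logs.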
Created on 09-25-2024 04:20 AM Edited on 09-25-2024 04:24 AM
OK. I will take debug logs and update.
Thanks
Didn't help. A new user with old version has this problem of multiple versions again - this is his connection:
I don't know what to do :( It seems that Forticlient does not flush old connections sometimes.
Please help. Thanks
Anything relevant in FortiClient logs or in system event logs?
In FortiClient you can export the logs then try search around the time of the issue.
On macOS I'm not sure, but it should be in /var/log/system.log and in the Console app (try to filter on network logs).
Attaching file of the logs from Forticlient:
The problem appeared yesterday (In my clock time it is around 08:45-09:15 AM)
Thanks
By the way there is a known issue on 7.4.0 and some 7.2.x versions. This bug looks the same as yours but it affects ZTNA instead of IPsec.
1012318 | Endpoints cannot connect to ZTNA after sleep or lid is off/on. |
Hello,
I’m having trouble understanding an issue with the IPsec configuration in FortiClient VPN. We initially set the local ID in Phase 1 to a group using a full tunnel. Later, we changed it to a local ID with a split tunnel in the same client. However, after the computer wakes up from sleep mode, users seem to reconnect to the full tunnel. I can tell this because I’ve written a script that kills FortiClient if the public IP matches the office's public IP.
What can I do to resolve this issue?
Please help
Hi Captain
Can you share the routing table before and after wake up?
On the other hand did you manage to fix the initial issue?
We have reinstalled Forticlient for this user so now it is working again.
I don't know what to do, really...........
I just know that for sure he received the public IP of the office because I have script that if the public IP of internet is the same IP of office - kill Forticlient and it does.
This is my configuration for my IPSEC VPN in Fortigate,
Can I do something that may solve it?
Your screenshot shows only a little part that can't help. But I guess you enabled IPv4 split tunnel, right?
However I don't think the issue is from FG side since your client connects first with split tunnel successfully. So I think the issue is from client side.
Can you share the client's routing table before and after wake up? You can hide the public IP addresses before sharing.