captainit
New Contributor II

Many interfaces when using VPN

Hello,

We have a problem with our VPN.

We are experiencing an issue that occurs once every month, where employees (it changes - skipping between users) using only Mac computers come to the office (but it also happens on their home Wi-Fi) and are unable to access the internet when they are connected to the VPN.

We use:
FortiClient VPN only (free) - last version

IPsec VPN

When they try to ping servers/addresses: sendto no buffer space available

When it happens I see many interfaces with addresses of the VPN (192.168.11.0/24).
After disabling the interface with the VPN: ifconfig interface utun4 down - internet works!

Another user told me: Wi-Fi works, VPN works. He leaves the computer, the computer goes to sleep mode, and after that FortiClient appears connected but there is no internet!

Another user reported: I was on the train, using HOTSPOT and Forticlient. 

Close the lid (So internet was disconnected). Went to the Office, I was connected to Office's WIFI and had this problem of buffering.

 

Why are there many interfaces instead of just one? Why does FortiClient create multiple connections?


Thanks

AEK
SuperUser

Hi Captain

Here we can see IPv6 default gateways are being injected.

Internet6:
Destination    Gateway         Flags    Netif    Expire
default        fe80::%utun0    UGcIg    utun0
default        fe80::%utun1    UGcIg    utun1
default        fe80::%utun2    UGcIg    utun2
default        fe80::%utun3    UGcIg    utun3
default        fe80::%utun4    UGcIg    utun4
default        fe80::%utun5    UGcIg    utun5

 

In case you are not using IPv6, can you just try disabling it on your macOS and try again?

Or check on the FG side whether IPv6 split tunnel is disabled, then enable it.

Or just disable IPv6 in the FG's IPsec config.

You can also remove the IPv6 default gateway through to confirm this is the actual root cause.

Again, the idea is to avoid having a default gateway through the tunnel in your routing table.

AEK
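
To record the routing state AEK points at when the issue occurs, this added example (not from the thread or from Fortinet) parses `netstat -rn` output and lists default routes bound to utun interfaces. The function names and the IPv4 sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag default routes bound to utun interfaces.

# Constructed sample of `netstat -rn` output. The Internet6 rows are the ones
# quoted in the thread; the Internet (IPv4) rows are made up for illustration.
sample_routes() {
cat <<'EOF'
Internet:
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGScg en0
192.168.11.0/24 192.168.11.5 UGSc utun4

Internet6:
Destination Gateway Flags Netif Expire
default fe80::%utun0 UGcIg utun0
default fe80::%utun1 UGcIg utun1
default fe80::%utun2 UGcIg utun2
default fe80::%utun3 UGcIg utun3
default fe80::%utun4 UGcIg utun4
default fe80::%utun5 UGcIg utun5
EOF
}

# Read a routing table on stdin; print "family netif gateway" for each
# default route whose Netif column (4th field) is a utun device.
utun_default_routes() {
    awk '
        BEGIN         { fam = "unknown" }
        /^Internet6:/ { fam = "inet6"; next }
        /^Internet:/  { fam = "inet";  next }
        $1 == "default" && $4 ~ /^utun[0-9]+$/ { print fam, $4, $2 }
    '
}

# Return 1 and list the routes when more than one utun interface holds a default route.
check_tunnel_defaults() {
    routes=$(utun_default_routes)
    count=$(printf '%s\n' "$routes" | awk 'NF { print $2 }' | sort -u | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo "WARNING: $count utun interfaces hold a default route:" >&2
        printf '%s\n' "$routes" >&2
        return 1
    fi
    return 0
}

# On an affected Mac: netstat -rn | check_tunnel_defaults
sample_routes | check_tunnel_defaults || echo "multiple tunnel default routes found"
```

macOS also uses utun interfaces for its own services, so compare the output against a capture taken with the VPN disconnected before attributing a route to FortiClient.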
captainit
New Contributor II

Hello,
Attaching the configuration of IPv6 in my IPsec (from FortiGate)
Screenshot 2024-10-30 122430.png

 

Should I disable something?
Could you please kindly explain why it might create a problem?

Thanks

AEK
SuperUser

On the IPsec config I see IPv6 is disabled on FG. That's strange because it seems something else is pushing an IPv6 default gateway on the client.

Next step is, when the issue occurs, delete the IPv6 gateways on the client that are through the VPN tunnels, and see if it fixes the issue.

AEK
captainit
New Contributor II

A command that I already tested and that fixes the problem is:
ps aux | grep -i 'forti' | grep -v 'grep' | awk '{print $2}' | xargs sudo kill -9

It kills all the FortiClient processes.
But if I asked users to do it, they would hate me because they just want the problem solved.

AEK

As you may know, some issues need long troubleshooting, and it can take a long time, especially when there is no direct interaction with the machine.

In this case I don't have an immediate solution. For this I hope some more experienced member can help better.

AEK
TRS-STAR

Works for me. Thank you very much for this solution.

captainit
New Contributor II

Hello,

Same issue... not solved.

 

Attaching a log from FortiClient on a Mac computer with multiple interfaces:

 

Hello,
I see in my FortiClient logs (I use IPsec):
message_handler:469 send pfkey errno: 1

https://pastebin.com/0vtnQXQA

Any idea please? 

 

User has full permissions

screenshot_2024-11-24_at_17.40.13.png

We tried: reinstalling other, older FortiClient versions

 

Thanks
