Usidiq
New Contributor

My VPN connection keeps disconnecting from server.

Hello 

I am using FortiClient for a VPN connection to our office server on Mac OS High Sierra version 10.13.4.

After my connection to the server, the VPN automatically disconnects every 13-15 seconds with error codes 104 and later 110, and then reconnects again. As such, I am not able to work. I feel that I may not have configured the VPN properly, so the following is the configuration script as retrieved from FortiClient:

 

<?xml version="1.0" encoding="UTF-8"?> <forticlient_configuration> <forticlient_version>5.6.1.0723</forticlient_version> <version>5.6</version> <date>2018-4-26</date> <os_version>MacOSX</os_version> <partial_configuration>0</partial_configuration> <system> <log_settings> <level>6</level> <max_log_size>10000000</max_log_size> <log_events>ipsecvpn,sslvpn,update</log_events> <remote_logging> <log_protocol>faz</log_protocol> <log_upload_enabled>0</log_upload_enabled> <log_upload_server></log_upload_server> <netlog_server></netlog_server> <log_upload_freq_hours>0</log_upload_freq_hours> <log_upload_freq_minutes>60</log_upload_freq_minutes> <log_upload_ssl_enabled>1</log_upload_ssl_enabled> <netlog_categories>7</netlog_categories> <log_retention_days>90</log_retention_days> </remote_logging> </log_settings> <proxy> <type>0</type> <address></address> <port>0</port> <username></username> <password>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</password> <update>0</update> </proxy> <update> <use_custom_server>0</use_custom_server> <server></server> <port></port> <failoverport></failoverport> <fail_over_to_fdn>1</fail_over_to_fdn> <update_action>notify_only</update_action> <scheduled_update> <enabled>1</enabled> <type>interval</type> <update_interval_in_hours>1</update_interval_in_hours> </scheduled_update> <minimum_fct_version> <mac_os></mac_os> </minimum_fct_version> </update> <ui> <password>Enc 420d2ee65abded897a69c50f49955d5cb40971588e2ea7fd9c4daeaab82a79ce37e08664a4bdce9d38b1eaef9d2313ec1d20e2eaccbf0b8a50</password> <default_tab>VPN</default_tab> <culture_code>os-default</culture_code> <ads>1</ads> <replacement_messages> <quarantine> <title><![CDATA[]]></title> <statement><![CDATA[]]></statement> <remediation><![CDATA[]]></remediation> </quarantine> </replacement_messages> <avatars> <enabled></enabled> <providers> <google> <clientid><![CDATA[]]></clientid> <clientsecret><![CDATA[]]></clientsecret> </google> <linkedin> <clientid><![CDATA[]]></clientid> 
<clientsecret><![CDATA[]]></clientsecret> <redirecturl><![CDATA[]]></redirecturl> </linkedin> <salesforce> <clientid><![CDATA[]]></clientid> <clientsecret><![CDATA[]]></clientsecret> <redirecturl><![CDATA[]]></redirecturl> </salesforce> </providers> </avatars> </ui> <certificates></certificates> <os_allowed></os_allowed> </system> <antivirus> <real_time_protection> <signatures_up_to_date></signatures_up_to_date> <fct_signatures> <av></av> </fct_signatures> </real_time_protection> </antivirus> <vpn> <options> <autoconnect_tunnel></autoconnect_tunnel> <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet> <keep_running_max_tries>0</keep_running_max_tries> <allow_personal_vpns>1</allow_personal_vpns> <disable_connect_disconnect>0</disable_connect_disconnect> </options> <ipsecvpn> <options> <enabled>1</enabled> <block_ipv6>1</block_ipv6> </options> <connections> <connection> <name>ERP_VPN</name> <type>manual</type> <ike_settings> <prompt_certificate>0</prompt_certificate> <description></description> <server>vpn.powergrid.in</server> <authentication_method>Preshared Key</authentication_method> <auth_key>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</auth_key> <mode>aggressive</mode> <dhgroup>5</dhgroup> <key_life>86400</key_life> <localid>3</localid> <nat_traversal>1</nat_traversal> <mode_config>1</mode_config> <enable_local_lan>0</enable_local_lan> <dpd>0</dpd> <xauth> <enabled>1</enabled> <prompt_username>1</prompt_username> <username>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</username> <password>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</password> </xauth> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> <fgt>0</fgt> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network> <network> <addr>::</addr> <mask>0</mask> </network> <network> <addr>::</addr> <mask>0</mask> </network> </remote_networks> <dhgroup>5</dhgroup> 
<key_life_type>seconds</key_life_type> <key_life_seconds>43200</key_life_seconds> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip></ip> <mask></mask> <dnsserver></dnsserver> </virtualip> <proposals></proposals> </ipsec_settings> <on_connect> <script> <os>mac</os> <script></script> </script> </on_connect> <on_disconnect> <script> <os>mac</os> <script></script> </script> </on_disconnect> <keep_running>0</keep_running> <ui> <show_passcode>0</show_passcode> <show_remember_password>0</show_remember_password> <show_alwaysup>0</show_alwaysup> <show_autoconnect>0</show_autoconnect> </ui> </connection> </connections> </ipsecvpn> <sslvpn> <options> <enabled>1</enabled> </options> <connections></connections> </sslvpn> </vpn> <endpoint_control> <enable_enforcement></enable_enforcement> <enabled>1</enabled> <system_data>Enc 420d2ee65abded897a69c50f49955409e6327b0cdc27a6a8954bfdaaa32e58b339e2f71caab192ca67bceaed9c0757b71bf0fe0f499e761cad88dbe8bbeb84ae0cc83a775077c3dbd76adde59702f889be046283ae7f3db83607dd632dc6c32c172d4445421123f0f170f5c3998700ff916b447d73e1458362d1557f3224</system_data> <checksum></checksum> <custom_ping_server>:0</custom_ping_server> <log_last_upload_date></log_last_upload_date> <conf_recv_time>0</conf_recv_time> <fgt_logoff_on_fct_shutdown>0</fgt_logoff_on_fct_shutdown> <fortigates></fortigates> <ui> <display_antivirus>0</display_antivirus> <display_webfilter>0</display_webfilter> <display_firewall>0</display_firewall> <display_vpn>1</display_vpn> <display_vulnerability_scan>1</display_vulnerability_scan> <registration_dialog> <show_profile_details>1</show_profile_details> </registration_dialog> <hide_compliance_warning>0</hide_compliance_warning> </ui> <silent_registration>0</silent_registration> <disable_unregister>0</disable_unregister> <alerts> <notify_server>1</notify_server> <alert_threshold>1</alert_threshold> </alerts> <onnet_addresses></onnet_addresses> <onnet_mac_addresses></onnet_mac_addresses> <notification_server> 
<address>:0</address> <registration_password>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</registration_password> </notification_server> <show_bubble_notifications>1</show_bubble_notifications> <avatar_enabled>1</avatar_enabled> </endpoint_control> <vulnerability_scan> <enabled>1</enabled> <scan_on_fgt_registration>0</scan_on_fgt_registration> <scan_on_signature_update>1</scan_on_signature_update> <windows_update>1</windows_update> <scheduled_scans> <schedule> <repeat></repeat> <type></type> <day></day> <time></time> </schedule> </scheduled_scans> <lowest_level_enforced>critical</lowest_level_enforced> <days_allowed>1</days_allowed> <auto_patch> <level>critical</level> </auto_patch> <exempt_manual>0</exempt_manual> <exemptions> <exemption></exemption> </exemptions> <exempt_no_auto_patch>0</exempt_no_auto_patch> </vulnerability_scan> <fssoma> <enabled>0</enabled> <serveraddress>:8001</serveraddress> <presharedkey>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</presharedkey> </fssoma> </forticlient_configuration>

 

The configuration file of FortiClient which works properly on Windows OS is as follows:

 

<?xml version="1.0" encoding="UTF-8" ?> <forticlient_configuration> <forticlient_version>5.6.1.1115</forticlient_version> <version>5.6.1</version> <date>2017/11/09</date> <partial_configuration>0</partial_configuration> <os_version>windows</os_version> <system> <ui> <disable_backup>0</disable_backup> <ads>1</ads> <flashing_system_tray_icon>1</flashing_system_tray_icon> <hide_system_tray_icon>0</hide_system_tray_icon> <suppress_admin_prompt>0</suppress_admin_prompt> <password /> <culture_code>os-default</culture_code> <gpu_rendering>0</gpu_rendering> <replacement_messages> <quarantine> <title> <title> <![CDATA[]]> </title> </title> <statement> <remediation> <![CDATA[]]> </remediation> </statement> <remediation> <remediation> <![CDATA[]]> </remediation> </remediation> </quarantine> </replacement_messages> </ui> <log_settings> <onnet_local_logging>1</onnet_local_logging> <level>6</level> <!--0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=info, 7=debug, --> <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,shield,endpoint,configd,vuln</log_events> <!--ipsecvpn=ipsec vpn, sslvpn=ssl vpn, firewall=firewall, av=antivirus, sandboxing=sandboxing, webfilter=webfilter, vuln=vulnerability scan, wanacc=wan acceleration, fssoma=single sign-on mobility for fortiauthenticator, scheduler=scheduler, update=update, proxy=fortiproxy, shield=fortishield, endpoint=endpoint control, configd=configuration, --> <remote_logging> <log_upload_enabled>0</log_upload_enabled> <log_upload_server /> <log_upload_ssl_enabled>1</log_upload_ssl_enabled> <log_retention_days>90</log_retention_days> <log_upload_freq_minutes>60</log_upload_freq_minutes> <log_generation_timeout_secs>900</log_generation_timeout_secs> <netlog_categories>7</netlog_categories> <log_protocol>faz</log_protocol> </remote_logging> </log_settings> <update> <use_custom_server>0</use_custom_server> <server /> <port>80</port> <timeout>60</timeout> <failoverport /> <fail_over_to_fdn>1</fail_over_to_fdn> 
<use_proxy_when_fail_over_to_fdn>1</use_proxy_when_fail_over_to_fdn> <auto_patch>0</auto_patch> <submit_virus_info_to_fds>1</submit_virus_info_to_fds> <submit_vuln_info_to_fds>1</submit_vuln_info_to_fds> <!-- update_action applies to software updates only and can be one of: notify_only, download_and_install, download_only, disable --> <update_action>notify_only</update_action> <scheduled_update> <enabled>1</enabled> <type>interval</type> <daily_at>01:44</daily_at> <update_interval_in_hours>1</update_interval_in_hours> </scheduled_update> </update> <certificates> <crl> <ocsp /> </crl> <hdd /> <ca /> </certificates> </system> <endpoint_control> <enabled>1</enabled> <!--Format: <probe_timeout:keep_alive_timeout> in seconds. Default: <1:5>. Note: changing connect timeouts might affect performance.--> <socket_connect_timeouts>1:5</socket_connect_timeouts> <system_data>Enc e0ea4e78412c790a9453bcb700769fc892e4fe8a34875cfde7e14b98ad58a8c087f4e7cadd37b932aca999c782715aabf9e7c239f794c3cd890575013850e27920c42820e47538c1ca5231c49c7ae59a</system_data> <disable_unregister>0</disable_unregister> <disable_fgt_switch>0</disable_fgt_switch> <show_bubble_notifications>1</show_bubble_notifications> <avatar_enabled>1</avatar_enabled> <ui> <display_antivirus>0</display_antivirus> <display_webfilter>0</display_webfilter> <display_firewall>0</display_firewall> <display_vpn>1</display_vpn> <display_vulnerability_scan>1</display_vulnerability_scan> <display_sandbox>0</display_sandbox> <display_compliance>1</display_compliance> <hide_compliance_warning>0</hide_compliance_warning> <registration_dialog> <show_profile_details>1</show_profile_details> </registration_dialog> </ui> <onnet_addresses> <address /> </onnet_addresses> <onnet_mac_addresses> <address /> </onnet_mac_addresses> <alerts> <notify_server>1</notify_server> <alert_threshold>1</alert_threshold> </alerts> <fortigates> <fortigate> <serial_number /> <name /> <registration_password /> <addresses /> </fortigate> </fortigates> 
<local_subnets_only>0</local_subnets_only> <notification_server /> <nac> <processes> <process id=""> <signature name="" /> </process> </processes> <files> <path id="" /> </files> <registry> <path id="" /> </registry> </nac> </endpoint_control> <vpn> <options> <autoconnect_tunnel /> <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet> <keep_running_max_tries>0</keep_running_max_tries> <disable_internet_check>0</disable_internet_check> <save_password>0</save_password> <minimize_window_on_connect>1</minimize_window_on_connect> <allow_personal_vpns>1</allow_personal_vpns> <disable_connect_disconnect>0</disable_connect_disconnect> <show_vpn_before_logon>0</show_vpn_before_logon> <use_windows_credentials>1</use_windows_credentials> <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon> <show_negotiation_wnd>0</show_negotiation_wnd> <vendor_id /> </options> <sslvpn> <options> <enabled>1</enabled> <prefer_sslvpn_dns>1</prefer_sslvpn_dns> <dnscache_service_control>0</dnscache_service_control> <!--0=disable dnscache service, 1=do not touch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange--> <use_legacy_ssl_adapter>0</use_legacy_ssl_adapter> <preferred_dtls_tunnel>0</preferred_dtls_tunnel> <no_dhcp_server_route>0</no_dhcp_server_route> <no_dns_registration>0</no_dns_registration> <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate> </options> <connections /> </sslvpn> <ipsecvpn> <options> <enabled>1</enabled> <beep_if_error>0</beep_if_error> <usewincert>1</usewincert> <use_win_current_user_cert>1</use_win_current_user_cert> <use_win_local_computer_cert>1</use_win_local_computer_cert> <block_ipv6>1</block_ipv6> <uselocalcert>0</uselocalcert> <usesmcardcert>1</usesmcardcert> <enable_udp_checksum>0</enable_udp_checksum> <disable_default_route>0</disable_default_route> <show_auth_cert_only>0</show_auth_cert_only> <check_for_cert_private_key>0</check_for_cert_private_key> 
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory> </options> <connections> <connection> <name>ERP_VPN</name> <single_user_mode>0</single_user_mode> <!--when single_user_mode=1 the tunnel cannot be connected if more than one user is logged on the computer--> <type>manual</type> <ui> <show_passcode>0</show_passcode> <show_remember_password>0</show_remember_password> <show_alwaysup>0</show_alwaysup> <show_autoconnect>0</show_autoconnect> <save_username>0</save_username> </ui> <ike_settings> <implied_SPDO>0</implied_SPDO> <implied_SPDO_timeout>0</implied_SPDO_timeout> <prompt_certificate>0</prompt_certificate> <server>vpn.powergrid.in</server> <authentication_method>Preshared Key</authentication_method> <auth_data> <preshared_key>Enc 50501c014e18cf6740a93276539e5dca0e46171eb42a69af2291cb1dba258a96</preshared_key> </auth_data> <mode>aggressive</mode> <dhgroup>5;</dhgroup> <key_life>86400</key_life> <localid>3</localid> <peerid /> <nat_traversal>1</nat_traversal> <mode_config>1</mode_config> <enable_local_lan>0</enable_local_lan> <nat_alive_freq>5</nat_alive_freq> <dpd>0</dpd> <dpd_retry_count>3</dpd_retry_count> <dpd_retry_interval>5</dpd_retry_interval> <enable_ike_fragmentation>0</enable_ike_fragmentation> <xauth> <enabled>1</enabled> <prompt_username>1</prompt_username> <username>Enc 5c92945ce4123cadaa3c78d6b7f0a03e1b83d006b14ddbd0</username> <password /> </xauth> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network> <network> <addr>::/0</addr> <mask>::/0</mask> </network> </remote_networks> <dhgroup>5</dhgroup> <key_life_type>seconds</key_life_type> <key_life_seconds>43200</key_life_seconds> <key_life_Kbytes>5120</key_life_Kbytes> <replay_detection>1</replay_detection> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip>0.0.0.0</ip> <mask>0.0.0.0</mask> 
<dnsserver>0.0.0.0</dnsserver> <winserver>0.0.0.0</winserver> </virtualip> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA1</proposal> </proposals> </ipsec_settings> <on_connect> <script> <os>windows</os> <script> <!--Write MS DOS batch script inside the CDATA tag below.--> <!--One line per command, just like a regular batch script file.--> <!--The script will be executed in the context of the user that connected the tunnel.--> <!--Wherever you write #username# in your script, it will be automatically substituted with the xauth username of the user that connected the tunnel.--> <!--Wherever you write #password# in your script, it will be automatically substituted with the xauth password of the user that connected the tunnel.--> <!--Remember to check your xml file before deploying to ensure that carriage returns/line feeds are present.--> <![CDATA[]]> </script> </script> </on_connect> <on_disconnect> <script> <os>windows</os> <script> <!--Write MS DOS batch script inside the CDATA tag below.--> <!--One line per command, just like a regular batch script file.--> <!--The script will be executed in the context of the user that connected the tunnel.--> <!--Wherever you write #username# in your script, it will be automatically substituted with the xauth username of the user that connected the tunnel.--> <!--Wherever you write #password# in your script, it will be automatically substituted with the xauth password of the user that connected the tunnel.--> <!--Remember to check your xml file before deploying to ensure that carriage returns/line feeds are present.--> <![CDATA[]]> </script> </script> </on_disconnect> </connection> </connections> </ipsecvpn> </vpn> <vulnerability_scan> <enabled>1</enabled> <scan_on_registration>0</scan_on_registration> <scan_on_signature_update>1</scan_on_signature_update> <windows_update>1</windows_update> <auto_patch></auto_patch> <scheduled_scans></scheduled_scans> </vulnerability_scan> </forticlient_configuration>

 

If someone can help, I will be very thankful. I have tried everything and failed.
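One way to compare the two exports above setting by setting, as an added example that is not part of the original post: it flattens the `ERP_VPN` connection from each file, masks every value beginning with `Enc ` so the result can be shared, and lists only the keys that differ. The two XML strings are constructed, trimmed excerpts modelled on the posted configurations with placeholder secrets; the function names are hypothetical, and the output shows where the files differ, not which difference causes the disconnects.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed excerpts modelled on the two exports in the post;
# the "Enc ..." values are placeholders, not the posted ones.
MAC_XML = """<forticlient_configuration><vpn><ipsecvpn><connections><connection>
  <name>ERP_VPN</name>
  <ike_settings>
    <auth_key>Enc PLACEHOLDER-A</auth_key>
    <mode>aggressive</mode><dhgroup>5</dhgroup><dpd>0</dpd>
    <proposals><proposal>AES128|SHA1</proposal><proposal>AES256|SHA256</proposal></proposals>
  </ike_settings>
  <ipsec_settings><dhgroup>5</dhgroup><pfs>1</pfs><proposals></proposals></ipsec_settings>
</connection></connections></ipsecvpn></vpn></forticlient_configuration>"""

WIN_XML = """<forticlient_configuration><vpn><ipsecvpn><connections><connection>
  <name>ERP_VPN</name>
  <ike_settings>
    <auth_data><preshared_key>Enc PLACEHOLDER-B</preshared_key></auth_data>
    <mode>aggressive</mode><dhgroup>5;</dhgroup><nat_alive_freq>5</nat_alive_freq><dpd>0</dpd>
    <proposals><proposal>AES128|SHA1</proposal><proposal>AES256|SHA256</proposal></proposals>
  </ike_settings>
  <ipsec_settings><dhgroup>5</dhgroup><pfs>1</pfs>
    <proposals><proposal>AES128|SHA1</proposal><proposal>AES256|SHA1</proposal></proposals>
  </ipsec_settings>
</connection></connections></ipsecvpn></vpn></forticlient_configuration>"""


def flatten(elem, prefix=""):
    """Map each non-empty leaf path to its values; repeated tags keep their order."""
    out = {}
    for child in elem:
        path = f"{prefix}/{child.tag}" if prefix else child.tag
        if len(child):  # has sub-elements: recurse
            for key, values in flatten(child, path).items():
                out.setdefault(key, []).extend(values)
            continue
        text = (child.text or "").strip()
        if not text:  # empty element, e.g. <proposals></proposals>
            continue
        if text.startswith("Enc "):  # encrypted secret: never echo it
            text = "<redacted>"
        out.setdefault(path, []).append(text)
    return out


def connection_settings(xml_text, name):
    """Return the flattened settings of the named IPsec connection."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("connection"):
        if conn.findtext("name") == name:
            return flatten(conn)
    raise KeyError(f"no connection named {name!r}")


def diff_settings(a, b):
    """Keys whose values differ; None marks a key missing on that side."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    mac = connection_settings(MAC_XML, "ERP_VPN")
    win = connection_settings(WIN_XML, "ERP_VPN")
    for key, (m, w) in diff_settings(mac, win).items():
        print(f"{key}: mac={m} windows={w}")
```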

6 REPLIES
SteveG
Contributor III

Do you manage the FortiClients using EMS?

 

You could also try using the native IPSec VPN client on the Mac as it supports FortiGates.

Joakim_Nordin
New Contributor

I have the same problem after upgrading FortiClient from 5.4.3 to 5.6.6 using SSL VPN.

Works on 5.4.3, doesn't work on 5.6.6. And it's the FortiClient who disconnects the user ungracefully. After 5 minutes (which is my idle timeout setting on the FW) plus about 12-ish seconds, which is the time the client manages to stay connected to the VPN, I get an idle timeout in my firewall log. Tried uninstalling and then reinstalling the 5.6.6 MSI, but with same results.

Strangely, if I use the FortiClientSetup_5.6.6.1167.exe version, it seems to work though. Not sure why this is the case. The simple solution would be to distribute the .exe of course, but the guy who handles our SCCM for file distribution wants to use the MSI version.

 

Anyway, still searching for an answer to what the actual problem is.

Nenad

Hi guys.

 

I have experienced this problem with a Dell laptop on Win10. It is on the notorious Intel 3165 wireless adapter (which I have updated to the latest version).

On FortiClient 6.0.2 it stays connected for approx. 25 sec. and then drops.

I have installed FortiClient 5.4.1 (which I currently use) and the connection drops after 2-2:30 min.

I am not able to ping the destination hosts, while on any other computer it works.

(We are using SSLVPN)

 

Client computer is on a home network, no restrictions with regards to Internet access.

Windows firewall on or off doesn't make a difference.

 

I am stuck.

Any suggestions please?

 

Thanks.

SteveG
Contributor III

Do you experience the same drops using a wired connection?

Nenad
New Contributor

Hi Steve.

 

I will check that and advise.

Thanks

StasMa
New Contributor

When making a callout to a web service that is connected through a VPN, it may throw System.CalloutException. Resolution: To make a callout to a web service that is connected through a VPN, you need to expose an IP/port to the public internet. We cannot set up a direct VPN tunnel from SFDC. You will have to use IP whitelisting and a client certificate to secure the connection. The port is whatever they want, in case a port needs to be opened. It doesn't need to be port 443. You could put it on a non-standard port if they want to obfuscate it more. It's just a public endpoint that is secured with IP whitelisting and a client cert from the customer's end. Below are the links for more details: Your service has to be accessible from the public Internet, because you can't access a VPN from Salesforce. That said, there are many ways to secure your services from unintentional or malicious outside transactions.