Problems with SSL VPN & remote IPSec after upgrading from 80D to 60F and SD WAN
We have quite big problems with SSL VPN and IPSec connections from remote users with Forticlient.
2 months ago customer moved to another office and we changed from FG80D (OS 6.0.10) with 2 x 300MB internet access to a new FG60F (OS 6.2.7) and 2 x 1GB MB access. Also we configured SD WAN on the new FG60D.
The customer had before up to 50 users using SSL VPN and IPSec against the old FG80D and disconnections were never a problem. They told me that maybe once a day a user got disconnected but after the change all users had big problems.
I opened a ticket and they told me to use preserve-route-enable on both WAN interfaces and it seemed that the problems were almost solved. After a while we got more and more complaints again from the users.
It is really hard to measure or check the problem, our technicians can connect for hours and hours and it works fine but when more than 20 users complain that they got disconnected like 5-10 times a day, then I guess we have a real problem.
Both internet accesses are from Telefonica and we checked them and they seem pretty OK, also we have a static VPN to another Fortigate and 1-4GB traffic a day and since day one, this VPN works fine.
They told me that SSL VPN has fewer disconnections but many times the Forticlient doesn't disconnect but users lose their RDP session and so they have to initiate again the Forticlient. IPSec gives much more problems and more disconnections. The IPSec is configured via WAN1 where we also have the VPN to the other firewall. The SSL VPN is over the WAN2 interface and we use SD WAN with volume based and 50-50. Both WAN interfaces never showed more traffic than 100MB and the FG60F is on 1-5% CPU and below 60% memory.
Today I opened new tickets and got as response that since they are not using EMS Forticlient with licencing they can't help me. First I didn't know and second I am pretty sure that it has nothing to do with the Forticlient, also they did support me with other IPSec cases in the past.
If somebody has some ideas or issued the same problems and got real help or finding a solution...would be so great to hear from you. Thanks a lot!
I don't know if it's your case, what I noticed and it's very easy to simulate:
- If the internet connection is interrupted, even for a very short time, 1 second (it is not unusual to lose a few packets), the vpn connection is disconnected. But the biggest problem is that the free version of forticlient does not try to automatically re-establish the vpn link. You have to restore it manually, the result is that the rdp session also disconnects.
Same thing with android or ios. Here even when the phone or tablet switches from the wireless connection to LTE or vice versa, the vpn connection is interrupted. Which is very annoying.
Well, the thing is that this customer didn't have any problems with the old FG80D and 6.0.10....so I don't think that the Forticlient is the issue. I still think it is a bug in 6.2.7 and problems with SD WAN. Next week I will try to leave just one Internet Access.