Hi everyone
Some of our user's FortiClient IPsec VPN connection (Windows 10 x64, FortiClient 6.0.9, FortiGate 6.0.9) drops numerous times a day. Some users have to reconnect more than 10 times a day. The connection simply drops while they are working, and for no apparent reason as applications such as Skype, Teams etc. remain online. Even if there was packet loss for a moment, it must have been very brief.
This does not affect all of of our users. For the majority of our users the FortiClient connection is pretty stable. In my experience, the quality of the Internet link makes a big difference. I have experienced frequent disconnects myself on my ADSL home Internet link whereas I don't experience any disconnects anymore now that I am on fibre. All workstations are set up using an image and are therefore identical in the way they are configured. So I don't think the problem lies there.
All users connect to the same IPsec dialup tunnel (ike=1, authentication=psk, mode=aggressive, lifetime=86400/43200, dpd-retrycount=3, dpd-retryinterval=15) and since this is not affecting everyone, I guess we can rule out an issue on the FortiGate too. This therefore points to the FortiClient itself.
Is anyone else experiencing this? Are there any recommendations to make the FortiClient more resilient in this regard? This issue has been bugging us for almost three years. We have started with FortiGate/FortiClient 5.4.x and upgrading to different versions (which is something Support always likes to suggest) has made zero difference. I have opened another ticket with Support a few weeks ago but there has not been any progress so far.
I would appreciate your input on this. Thank you.
Kind Regards
Stefan
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Any comments, suggestions etc. from anyone?
Thanks,
Stefan
I haven't run into this myself, but we only use FortiClient SSL VPN for a couple clients (on 6.0.9).
What do the FortiGates VPN logs look like for those disconnects? Since it sounds like the same users keep having issues, hopefully you can collect some useful logs on this. References:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/340035/troubleshooting#The2
From what you're saying, it sounds like something about the ISP line is effecting it, so would be useful to collect data from the users with issues, like are they all PPPoE with smaller MTUs, have odd port-forwarding set up, doulbe-NAT, etc.
If you can get some sanitized logs and common network details of the users with problems hopefully TAC or someone here with more knowledge than me could point you in the right direction.
Thanks for your comments!
I have spent the last few weeks troubleshooting this issue with FortiGate Support and they have confirmed that it is not the FortiGate that is causing these issues. It seems the FortiClient is sending an "IPsec ISAKMP SA delete" to the FortiGate - which then terminates the connection. It does not make sense to me as our users are busy working and then suddenly the connection drops. Support was unable to determine why this keeps happening and they advised to get FortiClient support licenses so that FortiClient Support can investigate.
I do think that the ISP line does play a role here. Why else would users on a very stable (e.g. fibre) Internet link have no problem whatsoever and users who connect via e.g. mobile hotspot or ADSL lose connection so frequently. I don't know, it just does not make sense to me but I am also concerned that spending money on FortiClient EMS (which as far as I understand is required for FortiClient Support - and at this stage we wouldn't even be interested in all these additional features) is not going to lead to any solution either.
I have done further tests on my own notebook now. For testing purposes I briefly unplugged my network cable while I was connected via VPN. After a few seconds I plugged it back in. This only resulted in 3 dropped pings - which is nothing - yet my VPN connection disconnected. Is this normal?
ping 8.8.8.8 -t
Reply from 8.8.8.8: bytes=32 time=26ms TTL=57 Reply from 8.8.8.8: bytes=32 time=26ms TTL=57 Reply from 8.8.8.8: bytes=32 time=24ms TTL=57 Reply from 8.8.8.8: bytes=32 time=23ms TTL=57 ==> unplugged network cable
Request timed out. Request timed out. Request timed out. ==> VPN disconnected Reply from 8.8.8.8: bytes=32 time=42ms TTL=56 ==> plugged in network cable Reply from 8.8.8.8: bytes=32 time=29ms TTL=56 Reply from 8.8.8.8: bytes=32 time=24ms TTL=56 Reply from 8.8.8.8: bytes=32 time=22ms TTL=56 ...
Regards
Stefan
Is your Fortigate 61F? If yes, try disable IPSec Phase1 npu-offload function, like below:
# config vpn ipsec phase1-interface # edit <phase-1-name> # set npu-offload disable # end
No we don't use 61F. We tried disabling npu offload but this did not make a difference unfortunately.
I have done further tests and I can say without a doubt that FortiClient is the issue. I connected two notebooks at the same time, one with NCP Secure Entry, the other with FortiClient. Then I unplugged the Ethernet cable and waited a few seconds. FortiClient dropped the connection almost immediately whereas NCP stayed connected. In a second test I unplugged the cable for 60 seconds and even then NCP did not drop.
So that's disappointing. Seems like FortiClient is simply not reliable enough if there is some packet loss on the network.
I am having this issue in my organisation also. Frequent disconnects affecting vast majority of staff, despite consistent and good ping, zero packet loss and low jitter.
I tested the paid FortiClient version today. There is a setting called "always up" which solves these problems. I repeated the tests mentioned above and pulled the network cable for a minute or so. The VPN connection did not drop. So I guess they make one pay for a reliable solution.
Hello,
I am facing a similar issue. before changing my ISP (due to moving to a new apartment) IPSEC vpn & SSL VPN were working fine without any issue. just after I changed my ISP , IPSEC VPN disconnects every time almost after 10 seconds after being connected , SSL VPN is stable and working fine. so I am almost pretty sure that it is an ISP issue. Does anyone find a solution to this issue rather than purchasing the paid forticlient version ? Thank you in advance Best Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1666 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.