Hi Everyone,
I have a strange issue.
So we use SSL VPNs and it seems that some users have this issue and some do not.
To Note:
The same computer is used (Windows OS)
The same WiFi is used (other WiFis have been tested with the same result)
The same login to the VPN (which is SAML based)
The same SSL VPN is used (others have been tested with also the same result)
FortiClient version 7.0.5 and 7.0.6 have been used
EMS is version 7.0.4
FortiGate is version 7.2.0
When the computer is logged in as a local user to the computer the SSL VPN works great. No issues.
When the computer is logged in as a domain user (whether it's an admin or regular) there is severe latency - so bad it's unusable. I thought it might be group policy based but I cannot see anything which would cause this.
Any ideas?
#forticlient #SSLVPN #FortiGate
Hello SLG,
I have found this document which explains how to troubleshoot some issues:
Could you please tell me if it helps?
Regards,
Hi Anthony,
Thank you for your reply - I have looked through all the troubleshooting but it doesn't seem to be an issue with the tunnel itself as it works fine when I am logged in as a non-domain user to the computer.
Thanks,
Sara
Hello,
We are still looking for an answer to your question.
We will come back to you as soon as we get it.
Regards,
Hi SLG,
Interesting issue. To recap. The difference is the end user logging in as local user or domain user, in both cases no connectivity is given towards the domain controller.
What exactly is slow?
- The logon process?
- The general VPN connection after login?
Doesn't sound like it, but any better with a LAN cable, instead of using wireless? With the description I would not think so, but well, wireless can be flaky.
GPO might really be something; it depends on whether the GPO is for some reason changing the FortiClient's configuration, for example, the domain user has DTLS enabled, the local user has it disabled (or simply the tunnel settings are different).
Best regards,
Markus
Created on 08-15-2022 07:23 AM Edited on 08-15-2022 07:28 AM
Hi Markus.
Thank you for your comment.
The only difference I have been able to track it down to is yes logging in as a local user compared to logging in as a domain user.
The local user has perfectly fine connection once the VPN is up.
The domain user has severe latency - with speeds below 1mbps once connected to the VPN (before connecting, speeds are above 100mbps).
The logon process is fine - I do not rely on the VPN to logon.
It is the speed of connection to the internet once connected to the VPN - doesn't seem to matter what site, whether it is an internal IP or a public facing one.
Connecting via ethernet doesn't make any difference.
Do you know any specific GPOs that can do this? As currently I am looking into this and it's like trying to find a needle in a haystack.
Thanks.
Sara
Steps to fix SSL VPN Slow on Domain Login:
Verify the user's portal accessibility
Ensure that the SSL VPN service is selected for the WAN interface under Administration > Device access.
Verify the admin port settings
Ensure the SSL VPN users access the portal using the port configured under Administration > Admin and user settings > Admin console and end-user interaction.
Verify the certificate
Make sure that the proper certificate is associated with the SSL VPN user. Using the appliance certificate, and regenerating the certificate if required, is recommended. For more information, go to Sophos Firewall: Self-signed certificates are not supported.
Verify the logs from the GUI
Go to Log viewer and filter the Log comp to SSL VPN.
Verify the SSL VPN traffic flow from the console
Sign in to the command-line interface (CLI) and select 4: Device Console. Run the following command, which uses the default SSL VPN port 8443, to analyze the output.
tcpdump "port 8443"
Verify the logs from the advanced shell
Sign in to the command-line interface (CLI) and select 5: Device Management, then 3: Advanced Shell, and run the following command:
tail -f /log/sslvpn.log
Verify the logs from SSL VPN Client
Right-click the SSL VPN Client on the taskbar of your computer and select View Log.
Verify the user has a proper SSL VPN remote access policy assigned
Go to Authentication > Users and confirm that the SSL VPN user has two or more simultaneous logins allowed under SSL VPN policy, in case the user is simultaneously logged in from a different device at the same time.
Verify the SSL VPN authentication method
When receiving Auth-failure error messages in logs, verify the authentication method under Authentication > Services > SSL VPN authentication methods.
Greeting,
Rachel Gomez
Hi Rachel,
I log into the tunnel with the same user; it is only the computer I log in to with a different user.
Thanks,
Sara
Copyright 2024 Fortinet, Inc. All Rights Reserved.