Strange excessive log polling behavior of FortiClient and FortiTray
While troubleshooting a FortiClient VPN issue, in Sysinternals Process Monitor I noticed that the client components are generating hundreds of events per second, continuously polling FortiTray_1.log, guimessenger_1.log and sslvpndaemon_1.log trace files in the user's AppData. No data is written, they're just opened, queried and closed. This happens even on a fresh unconfigured 7.0.6 install. It is just a minor nuisance and easy to filter out, but it might be indicative of some sort of internal application issue because for me it is very rare to encounter software with this kind of behavior. I figured I'd mention it here for it to maybe get noticed.
Additionally, I've seen that sslvpndaemon_1.log will log "[sslvpndaemon 515 debug] FortiSslvpn: CSslvpnBase::RefreshConnection() Called." every 2 seconds once it's started, and will keep doing it even after the vpn is disconnected. None of the log-related items in the xml config or in the windows registry seem to have an effect. It is unusual to see debug-level verbosity being used in production like that. The other two files are written less frequently.
I have checked an earlier 6.5 install and saw that none of these files were being logged, the appdata trace dir was empty. That also means that none of the abovementioned polling was happening.
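To put a number on the polling described above, a Process Monitor capture saved as CSV can be summarised per process and trace file. This is an added example, not part of the original posts and not Fortinet code; the sample rows, PIDs, directory path and daemon process name are constructed, and the column names are Process Monitor's default CSV export columns.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Trace file names taken from the post; matched case-insensitively.
TRACE_FILES = ("fortitray_1.log", "guimessenger_1.log", "sslvpndaemon_1.log")

def parse_time(text):
    """Convert Procmon's 'Time of Day' (e.g. '10:15:32.1234567 AM') to seconds."""
    clock, _, ampm = text.strip().partition(" ")
    hms, _, frac = clock.partition(".")
    fmt = "%I:%M:%S %p" if ampm else "%H:%M:%S"
    t = datetime.strptime(f"{hms} {ampm}".strip(), fmt)
    return t.hour * 3600 + t.minute * 60 + t.second + float("0." + (frac or "0"))

def polling_report(csv_text):
    """Return {(process, file): stats} for events that touch the trace files."""
    stats = defaultdict(lambda: {"events": 0, "writes": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Path"].rsplit("\\", 1)[-1].lower()
        if name not in TRACE_FILES:
            continue
        s = stats[(row["Process Name"], name)]
        ts = parse_time(row["Time of Day"])
        s["events"] += 1
        s["writes"] += row["Operation"] == "WriteFile"
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    for s in stats.values():
        span = s["last"] - s["first"]
        s["rate"] = s["events"] / span if span > 0 else float(s["events"])
        s["poll_only"] = s["writes"] == 0  # opened/queried/closed, never written
    return dict(stats)

def sample_export():
    """Constructed rows: 100 open/query/close cycles, plus one write every 2 s."""
    head = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    base = r"C:\Users\demo\AppData\Roaming\FortiClient\logs\trace" + "\\"  # constructed
    row = '"10:15:{}","{}","{}","{}","{}","SUCCESS",""'
    rows = []
    for i in range(100):
        for j, op in enumerate(("CreateFile", "QueryBasicInformationFile", "CloseFile")):
            rows.append(row.format(f"32.{i*3+j:03d}0000 AM", "FortiTray.exe", 4120,
                                   op, base + "FortiTray_1.log"))
    for sec in (32, 34):
        rows.append(row.format(f"{sec}.0000000 AM", "FortiSSLVPNdaemon.exe", 3988,
                               "WriteFile", base + "sslvpndaemon_1.log"))
    return head + "\n".join(rows) + "\n"
```

For a real export, read the file with `encoding="utf-8-sig"` before passing its text to `polling_report`, since the CSV may start with a byte-order mark.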
Well that's the thing - it seems these components totally ignore all logging settings and just do their own thing. I have set log level to Emergency in the UI. I have set it to 0 in the xml config. I have flipped every log-related setting in the config to disabled. I went into the HKLM registry, went through all the components and set logging to 0 and loglevel to 0. There's also the 'fctlog' node, but it only has 'flags' and max log size. None of these had any visible effect, the trace logs were still being produced the same way.
Didn't work for me as well. Even if I disable the logging in "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_SSLVPN" it keeps logging into FortiTray_1.log. It seems like something else is creating these logs... any ideas?
By any chance, is the FCT installer a special build provided by Fortinet TAC to enable excessive logging for troubleshooting previously? FYI, the official GA build number for FCT 7.0.6 is 0290, FCT 7.0.7 is 0345. You can view it in FCT > About tab.
I have checked internally but was not able to find any similar reported behavior. If it is already an official GA build FCT, you may raise a FortiCare ticket to us to troubleshoot further.
All of the 40 Users/Machines are affected. We did a clean installation with FortiClientVPNOnlineInstaller last week. Apparently the size of appdata\roaming\forticlient folder began to increase after a few days. I double-checked the installation and reinstalled the FCT again via https://links.fortinet.com/forticlient/win/vpnagent, got the same issue.
I just checked the version on all machines --> 7.0.6.0290, so actually the latest GA build you mentioned...
I did a rollback on my machine on version 7.0.3.0193 and tested this version. No problem so far. None of these files (fortitray_1.log, etc.) were being logged. Same experience OP had on this forum with V6.5. So it has to be something wrong with the latest version that comes through the online installer.