Hi Salem,

Thank you for your suggestion. I have already tried enabling DTLS at the FortiGate for the VPN connection. Additionally, the Ethernet and WiFi adapter drivers on my host computer are already up-to-date with the latest versions.

This approach reveals very strange behavior:

• The connection establishes, and there is a significant traffic flow.
• After two minutes, the connection drops again.
• During these two minutes, the "bytes sent" field reaches over 4000+MB.
• Additionally, it seems there is a significant CPU activity, as my laptop's cooling system becomes very active.
• Furthermore, during these two minutes, if I try to access internal network resources (which I am trying to reach using the VPN), these resources are unreachable.

---> During these two minutes, the "bytes sent" field reaches over 4000+MB.

This might be the reason. Please check what is being sent via VPN tunnel during this window and attach your machine routing table after connection is up.

Also can you share your windows version screenshot ?
Run command "winver"

Do you have this KB2693643 installed on your windows machine ? Check your installed windows updates.

Thank you for your follow-up.

1. Monitoring Traffic via VPN Tunnel:

   I monitored the traffic using Wireshark. Here are the Protocol Hierarchy Statistics:
   

    

   88.4% of the traffic consists of Application Data packets. Below is an example of one such packet:

    

Frame 66: 1084 bytes on wire (8672 bits), 1084 bytes captured (8672 bits) on interface \Device\NPF_{971D57FF-ECF0-48C5-B7FD-7401F6DF6275}, id 5
    Section number: 1
    Interface id: 5 (\Device\NPF_{971D57FF-ECF0-48C5-B7FD-7401F6DF6275})
        Interface name: \Device\NPF_{971D57FF-ECF0-48C5-B7FD-7401F6DF6275}
        Interface description: Ethernet 3
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug  4, 2024 18:15:53.409386000 Jerusalem Summer Time
    UTC Arrival Time: Aug  4, 2024 15:15:53.409386000 UTC
    Epoch Arrival Time: 1722784553.409386000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000007000 seconds]
    [Time delta from previous displayed frame: 0.000007000 seconds]
    [Time since reference or first frame: 0.001060000 seconds]
    Frame Number: 66
    Frame Length: 1084 bytes (8672 bits)
    Capture Length: 1084 bytes (8672 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dtls]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Fortinet_aa:00:01 (00:09:0f:aa:00:01), Dst: Fortinet_aa:00:02 (00:09:0f:aa:00:02)
    Destination: Fortinet_aa:00:02 (00:09:0f:aa:00:02)
        Address: Fortinet_aa:00:02 (00:09:0f:aa:00:02)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Fortinet_aa:00:01 (00:09:0f:aa:00:01)
        Address: Fortinet_aa:00:01 (00:09:0f:aa:00:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.2.0.51, Dst: [сorrected_for_anonymization_purposes_destination_IP]
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1070
    Identification: 0x1bb5 (7093)
    000. .... = Flags: 0x0
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: UDP (17)
    Header Checksum: 0xb2f3 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 10.2.0.51
    Destination Address: [сorrected_for_anonymization_purposes_destination_IP]
User Datagram Protocol, Src Port: 54113, Dst Port: 4433
    Source Port: 54113
    Destination Port: 4433
    Length: 1050
    Checksum: 0x677c [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
    [Timestamps]
        [Time since first frame: 0.001060000 seconds]
        [Time since previous frame: 0.000007000 seconds]
    UDP payload (1042 bytes)
Datagram Transport Layer Security
    DTLSv1.2 Record Layer: Application Data Protocol: Application Data
        Content Type: Application Data (23)
        Version: DTLS 1.2 (0xfefd)
        Epoch: 1
        Sequence Number: 3245316
        Length: 1029
        Encrypted Application Data [truncated]: 3ab8698b4d3e128e5e2d3da4470dd6382a51327a3b3cfbdd8736361f2eeeaaff0abd5eb2566851953018108a16d2ed8e15f7b367b6c0829ac32fa277da8bdc50da042b1cb0becad6f27e7182115649417e5a41684b4cee3efac7185879e8e33aa7bed81

• Routing Table After Connection is Up:

  Here is the routing table after the connection is established:

===========================================================================
Interface List
  9...xx xx xx 4f 17 f1 ......Killer E2600 Gigabit Ethernet Controller
 15...yy yy yy f3 7a fb ......Microsoft Wi-Fi Direct Virtual Adapter
 19...yy yy yy f3 7a fa ......Microsoft Wi-Fi Direct Virtual Adapter #2
  7...yy yy yy f3 7a fa ......Killer(R) Wi-Fi 6 AX1650i 160MHz Wireless Network Adapter (201NGW)
 10...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
 20...4c 03 4f f3 7a fe ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 42...00 15 5d 82 2f 67 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101     30
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.19.0.0    255.255.240.0         On-link        172.19.0.1   5256
       172.19.0.1  255.255.255.255         On-link        172.19.0.1   5256
    172.19.15.255  255.255.255.255         On-link        172.19.0.1   5256
      192.168.1.0    255.255.255.0         On-link     192.168.1.101    286
    192.168.1.101  255.255.255.255         On-link     192.168.1.101    286
    192.168.1.255  255.255.255.255         On-link     192.168.1.101    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.101    286
        224.0.0.0        240.0.0.0         On-link        172.19.0.1   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.101    286
  255.255.255.255  255.255.255.255         On-link        172.19.0.1   5256
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 42   5256 fe80::/64                On-link
 42   5256 fe80::8bb8:3e8d:b207:c49a/128
                                    On-link
  1    331 ff00::/8                 On-link
 42   5256 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None​

• Windows Version and Updates:

  Here is a screenshot of my Windows version:

  

   

  I checked my installed updates, and KB2693643 is not in the list of installed updates.

Please check the following, when the issue occurs:

start cmd.exe as local admin
run "sc query ftsvnic" and check the output:

if the STATE is STOPPED, please run ncpa.cpl to open Network Connection window and check the status of 'Fortinet SSL VPN Virtual Ethernet'
if it shows 'Disabled' try to enable it and see if FCT reconnects
run "sc query ftsvnic" again to check the state of 'Fortinet SSL VPN Virtual Ethernet'

Hi kumarh,

Thank you for your suggestions. I have checked the following:

When the SSL-VPN connection is not established, the 'Fortinet SSL VPN Virtual Ethernet' status is 'Disabled'. Running sc.exe query ftsvnic returns:

...
STATE              : 1  STOPPED
...

Manually enabling the virtual adapter does not lead to any automatic reconnection (if that is what you meant). However, when I click "Connect" in FortiClient, the connection is established, but the scenario remains the same – the connection drops after 25-30 seconds. After the connection drops, the virtual adapter 'Fortinet SSL VPN Virtual Ethernet' status reverts to 'Disabled'.

Any further insights or suggestions would be greatly appreciated.

Hi Salmas,

Thank you for your suggestions. I have already tried disabling IPv6 on my NICs, but unfortunately, it did not resolve the issue.

I am willing to try older versions of FortiClient, but I currently only have access to the installer from the official website, which always downloads the latest version. If you could provide direct links to download several older versions of FortiClient, I would be happy to conduct the experiment.

Thank you for your help.

Would it be possible for you to check the same from a different host using the same connection, I am just trying to rule out the issue with the internet connection itself.