Problem:
I am experiencing an issue with my VPN connection using FortiClient. The connection successfully establishes, but it disconnects after 25-30 seconds.
Symptoms:
- After clicking "Connect," the VPN connection is established successfully.
- Data traffic begins with approximately 35KB sent, but received traffic remains at 0KB.
- After 25-30 seconds, the connection drops with the message "SSL VPN Connection is down."
FortiClient Version:
- FortiClient VPN Only 7.4.0.1658
Logs:
- sslvpndaemon_1_error.log:
[2024-08-04 11:01:10.7069198 UTC+03:00] [12232:12956] [sslvpndaemon 540 error] CListener::_ReceiveMessage() Could not read from pipe(0x0000000000000544) client. Error=109
[2024-08-04 11:01:13.5362518 UTC+03:00] [12232:20528] [sslvpndaemon 569 error] CListener::_ReceiveMessage() ERROR_BROKEN_PIPE
[2024-08-04 11:01:13.5363023 UTC+03:00] [12232:20528] [sslvpndaemon 590 error] CListener::_ReceiveMessage() ERROR_BROKEN_PIPE
[2024-08-04 11:01:14.4208549 UTC+03:00] [12232:13988] [sslvpndaemon 569 error] CListener::_ReceiveMessage() ERROR_BROKEN_PIPE
[2024-08-04 11:01:14.4208880 UTC+03:00] [12232:13988] [sslvpndaemon 590 error] CListener::_ReceiveMessage() ERROR_BROKEN_PIPE
[2024-08-04 11:01:35.7225054 UTC+03:00] [12232:19416] [sslvpndaemon 510 error] error: WSAEnumNetworkEvents FD_CLOSE (10053)
[2024-08-04 11:01:40.2707891 UTC+03:00] [12232:6428] [sslvpndaemon 569 error] CListener::_ReceiveMessage() ERROR_BROKEN_PIPE
[2024-08-04 11:01:40.2708176 UTC+03:00] [12232:6428] [sslvpndaemon 590 error] CListener::_ReceiveMessage() ERROR_BROKEN_PIPE
- FortiVPN_1_error.log:
[2024-08-04 11:01:37.6109415 UTC+03:00] [22460:2404] [FortiVPN 2055 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (.\[сorrected_for_anonymization_purposes]) "[сorrected_for_anonymization_purposes]" disconnected unexpectedly!
Steps Taken to Troubleshoot:
Request for Assistance:
- Are there any additional steps I can take to diagnose or resolve this issue?
- Any suggestions for other potential causes or solutions would be greatly appreciated.
Thank you for your support.
You can enable DTLS at the FortiGate for the VPN Connection and also try to update the Ethernet and the wifi adapter driver at the host computer.
Hi Salem,
Thank you for your suggestion. I have already tried enabling DTLS at the FortiGate for the VPN connection. Additionally, the Ethernet and WiFi adapter drivers on my host computer are already up-to-date with the latest versions.
This approach reveals very strange behavior:
---> During these two minutes, the "bytes sent" field reaches over 4000+MB.
This might be the reason. Please check what is being sent via VPN tunnel during this window and attach your machine routing table after connection is up.
Also, can you share a screenshot of your Windows version?
Run the command "winver".
Do you have KB2693643 installed on your Windows machine? Check your installed Windows updates.
Created on 08-04-2024 10:59 PM Edited on 08-05-2024 02:15 AM
Thank you for your follow-up.
Monitoring Traffic via VPN Tunnel:
I monitored the traffic using Wireshark. Here are the Protocol Hierarchy Statistics:
88.4% of the traffic consists of Application Data packets. Below is an example of one such packet:
Frame 66: 1084 bytes on wire (8672 bits), 1084 bytes captured (8672 bits) on interface \Device\NPF_{971D57FF-ECF0-48C5-B7FD-7401F6DF6275}, id 5
Section number: 1
Interface id: 5 (\Device\NPF_{971D57FF-ECF0-48C5-B7FD-7401F6DF6275})
Interface name: \Device\NPF_{971D57FF-ECF0-48C5-B7FD-7401F6DF6275}
Interface description: Ethernet 3
Encapsulation type: Ethernet (1)
Arrival Time: Aug 4, 2024 18:15:53.409386000 Jerusalem Summer Time
UTC Arrival Time: Aug 4, 2024 15:15:53.409386000 UTC
Epoch Arrival Time: 1722784553.409386000
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 0.000007000 seconds]
[Time delta from previous displayed frame: 0.000007000 seconds]
[Time since reference or first frame: 0.001060000 seconds]
Frame Number: 66
Frame Length: 1084 bytes (8672 bits)
Capture Length: 1084 bytes (8672 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:dtls]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Fortinet_aa:00:01 (00:09:0f:aa:00:01), Dst: Fortinet_aa:00:02 (00:09:0f:aa:00:02)
Destination: Fortinet_aa:00:02 (00:09:0f:aa:00:02)
Address: Fortinet_aa:00:02 (00:09:0f:aa:00:02)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Fortinet_aa:00:01 (00:09:0f:aa:00:01)
Address: Fortinet_aa:00:01 (00:09:0f:aa:00:01)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.2.0.51, Dst: [сorrected_for_anonymization_purposes_destination_IP]
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 1070
Identification: 0x1bb5 (7093)
000. .... = Flags: 0x0
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 128
Protocol: UDP (17)
Header Checksum: 0xb2f3 [validation disabled]
[Header checksum status: Unverified]
Source Address: 10.2.0.51
Destination Address: [сorrected_for_anonymization_purposes_destination_IP]
User Datagram Protocol, Src Port: 54113, Dst Port: 4433
Source Port: 54113
Destination Port: 4433
Length: 1050
Checksum: 0x677c [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
[Time since first frame: 0.001060000 seconds]
[Time since previous frame: 0.000007000 seconds]
UDP payload (1042 bytes)
Datagram Transport Layer Security
DTLSv1.2 Record Layer: Application Data Protocol: Application Data
Content Type: Application Data (23)
Version: DTLS 1.2 (0xfefd)
Epoch: 1
Sequence Number: 3245316
Length: 1029
Encrypted Application Data [truncated]: 3ab8698b4d3e128e5e2d3da4470dd6382a51327a3b3cfbdd8736361f2eeeaaff0abd5eb2566851953018108a16d2ed8e15f7b367b6c0829ac32fa277da8bdc50da042b1cb0becad6f27e7182115649417e5a41684b4cee3efac7185879e8e33aa7bed81
Routing Table After Connection is Up:
Here is the routing table after the connection is established:
===========================================================================
Interface List
9...xx xx xx 4f 17 f1 ......Killer E2600 Gigabit Ethernet Controller
15...yy yy yy f3 7a fb ......Microsoft Wi-Fi Direct Virtual Adapter
19...yy yy yy f3 7a fa ......Microsoft Wi-Fi Direct Virtual Adapter #2
7...yy yy yy f3 7a fa ......Killer(R) Wi-Fi 6 AX1650i 160MHz Wireless Network Adapter (201NGW)
10...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
20...4c 03 4f f3 7a fe ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
42...00 15 5d 82 2f 67 ......Hyper-V Virtual Ethernet Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.19.0.0 255.255.240.0 On-link 172.19.0.1 5256
172.19.0.1 255.255.255.255 On-link 172.19.0.1 5256
172.19.15.255 255.255.255.255 On-link 172.19.0.1 5256
192.168.1.0 255.255.255.0 On-link 192.168.1.101 286
192.168.1.101 255.255.255.255 On-link 192.168.1.101 286
192.168.1.255 255.255.255.255 On-link 192.168.1.101 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.101 286
224.0.0.0 240.0.0.0 On-link 172.19.0.1 5256
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.101 286
255.255.255.255 255.255.255.255 On-link 172.19.0.1 5256
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
42 5256 fe80::/64 On-link
42 5256 fe80::8bb8:3e8d:b207:c49a/128
On-link
1 331 ff00::/8 On-link
42 5256 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Windows Version and Updates:
Here is a screenshot of my Windows version:
I checked my installed updates, and KB2693643 is not in the list of installed updates.
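The routing table requested in this thread can be checked mechanically rather than by eye. This is an added example, not code from any poster or from Fortinet: it parses `route print` output, lists the interface addresses that carry routes, and shows which interface a destination would leave through. The tunnel address `10.2.0.51` (the source address in the capture above) and the probe destination `10.2.0.1` are assumptions for illustration.

```python
import ipaddress
import re

# IPv4 "Active Routes" rows trimmed from the routing table posted above.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
172.19.0.0 255.255.240.0 On-link 172.19.0.1 5256
192.168.1.0 255.255.255.0 On-link 192.168.1.101 286
224.0.0.0 240.0.0.0 On-link 172.19.0.1 5256
===========================================================================
Persistent Routes:
None
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+{IPV4}\s+(\d+)\s*$")

def parse_active_routes(text):
    """Return (network, gateway, interface_ip, metric) for each IPv4 active route."""
    routes, in_active = [], False
    for line in text.splitlines():
        if line.strip().startswith("Active Routes"):
            in_active = True
        elif in_active and line.startswith("="):
            break  # end of the IPv4 section; IPv6 rows are not parsed
        elif in_active and (m := ROW.match(line)):
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
    return routes

def interfaces_in_use(routes):
    return {iface for _, _, iface, _ in routes}

def best_route(routes, destination):
    """Longest prefix wins; the lower metric breaks ties, as Windows does."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

if __name__ == "__main__":
    routes = parse_active_routes(SAMPLE_ROUTE_PRINT)
    tunnel_ip, probe = "10.2.0.51", "10.2.0.1"  # assumed values, see lead-in
    print("tunnel address has routes:", tunnel_ip in interfaces_in_use(routes))
    print(f"{probe} leaves via:", best_route(routes, probe)[2])
```
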
Hello @ArieSLV,
There are multiple cases where FortiClient does not work with Windows 11. Check the forum discussion below for the same.
https://community.fortinet.com/t5/Support-Forum/FortiClient-VPN-Not-working-on-Windows-11/td-p/27321...
Try to disable IPv6 on your NICs.
Try with older FortiClient versions.
Best Regards,
salmas
Please check the following when the issue occurs:
- Start cmd.exe as local admin.
- Run "sc query ftsvnic" and check the output.
- If the STATE is STOPPED, please run ncpa.cpl to open the Network Connections window and check the status of 'Fortinet SSL VPN Virtual Ethernet'.
- If it shows 'Disabled', try to enable it and see if FCT reconnects.
- Run "sc query ftsvnic" again to check the state of 'Fortinet SSL VPN Virtual Ethernet'.
Created on 08-04-2024 07:29 AM Edited on 08-04-2024 07:31 AM
Hi kumarh,
Thank you for your suggestions. I have checked the following:
When the SSL-VPN connection is not established, the 'Fortinet SSL VPN Virtual Ethernet' status is 'Disabled'. Running sc.exe query ftsvnic returns:
...
STATE : 1 STOPPED
...
Manually enabling the virtual adapter does not lead to any automatic reconnection (if that is what you meant). However, when I click "Connect" in FortiClient, the connection is established, but the scenario remains the same – the connection drops after 25-30 seconds. After the connection drops, the virtual adapter 'Fortinet SSL VPN Virtual Ethernet' status reverts to 'Disabled'.
Any further insights or suggestions would be greatly appreciated.
Hi Salmas,
Thank you for your suggestions. I have already tried disabling IPv6 on my NICs, but unfortunately, it did not resolve the issue.
I am willing to try older versions of FortiClient, but I currently only have access to the installer from the official website, which always downloads the latest version. If you could provide direct links to download several older versions of FortiClient, I would be happy to conduct the experiment.
Thank you for your help.
Would it be possible for you to check the same from a different host using the same connection? I am just trying to rule out the issue with the internet connection itself.