I'm running FortiClient to connect from home to my organization's VPN. Everything works fine when my laptop is connected via wifi. However, if I plug the ethernet cable (from the very same home network) into the laptop and connect FortiClient, I cannot connect to any of my organization's servers, even though the VPN connection succeeds and is reporting an active connection.
Any ideas?
First suspect is your home router / modem / AP / ... Does it have different settings for the wireless compared to the wired part? Or are they different devices altogether?
It might be worth calling your ISP helpdesk (assuming they provide the equipment) on this.
So, I gave AT&T a call this morning and... wait for it... they were no help. They ran many tests to let me know that my internet connection is up (of course it's up).
You do have an interesting thought that the router and the wireless access point are separate devices, so there must be some setting difference that I can find. However, it's odd that my VPN requests go from laptop -> access point -> router -> corporate VPN -> network servers, and this works fine. But going from laptop -> router -> corporate VPN, it connects to VPN, but cannot see network servers.
First thing to suspect is the IP/subnet you get from wifi or LAN. Depending on how the FGT side is set up (NAT or no NAT), the LAN subnet might conflict with the server side. Since the tunnel comes up in both cases, I would compare the routing table of your machine when the tunnel is up, then do some traceroutes toward the server to see how far it can get. At least it would tell you whether it's on the local side or the server side.
On the hardwire, make sure that the adapter isn't set as static and maybe has a different DNS server that could be blocking it.
Most wired/hardwire use the same IP subnet but wireless is always DHCP.
Make sure the LAN adapter is DHCP also.
Lastly, I would remove the LAN adapter, reboot and let it re-add back to the laptop.
That will remove all configuration and it should run like the wireless.
Let us know.
If in both cases you connect via the same local router to the Internet, the 1st option may be that something goes wrong with the routing table when connected over the wired network. To find out, compare the routing table of your PC when connected via wireless vs. when connected via wired:
PC/Windows: cmd -> route print
Linux/Mac: netstat -rn
The second option would be local firewall settings on your computer. If it is Windows, for example, you may be getting different Windows Firewall profiles/rules applied on different connections.
I have a resolution! Thanks to each of you that replied and gave me clues of where to look!
After running some tracert and nslookup commands I found that while wired, I was not able to resolve DNS names, only IP addresses. But when connected via wifi it was resolving DNS names.
With that info I found this link...
http://woshub.com/dns-resolution-via-vpn-not-working-windows/
It says that there's a priority order in which Windows will try to resolve DNS names. Using the PowerShell command Get-NetIPInterface | Sort-Object Interfacemetric, I found that my priority order (specified by the Interface Metric) was Ethernet, VPN, then Wifi. This meant that when on Ethernet, it was trying to resolve DNS locally, which failed. But when on wifi, the VPN had higher priority so it went out over VPN to resolve the DNS successfully.
To fix this, I modified the settings (Ethernet adapter > Properties > Internet Protocol Version 4 > Properties > Advanced) and changed from Automatic metric to a hard-coded value of 120. This number is higher than the value that VPN is using (25). So now the VPN has the lower number (higher priority) and is used first to resolve the DNS names. I changed this setting as well for IP version 6.
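The metric comparison described in the post above, as an added example that is not part of the original thread: it ranks connected IPv4 interfaces by metric and flags any non-VPN adapter that outranks the VPN adapter. The function name, the adapter aliases, and the sample metrics for Ethernet and Wi-Fi are assumptions; only the values 25 and 120 come from the post.

```powershell
# Added example, not from the thread. Get-DnsPriorityReport is a hypothetical helper name.
function Get-DnsPriorityReport {
    param(
        # Assumption: a pattern matching your VPN adapter's alias (check Get-NetIPInterface)
        [string]$VpnAliasPattern = '*VPN*',
        # Defaults to the live, connected IPv4 interfaces (loopback excluded)
        [object[]]$Interfaces = (Get-NetIPInterface -AddressFamily IPv4 |
            Where-Object { $_.ConnectionState -eq 'Connected' -and
                           $_.InterfaceAlias -notlike 'Loopback*' })
    )
    $vpn = $Interfaces | Where-Object { $_.InterfaceAlias -like $VpnAliasPattern } |
        Sort-Object InterfaceMetric | Select-Object -First 1
    if (-not $vpn) { throw "No connected interface matches '$VpnAliasPattern'" }

    $Interfaces | Sort-Object InterfaceMetric | ForEach-Object {
        $isVpn = $_.InterfaceAlias -like $VpnAliasPattern
        [pscustomobject]@{
            InterfaceAlias  = $_.InterfaceAlias
            InterfaceMetric = $_.InterfaceMetric
            IsVpn           = $isVpn
            # Lower metric wins: this adapter is preferred over the VPN adapter
            OutranksVpn     = (-not $isVpn) -and
                              ($_.InterfaceMetric -lt $vpn.InterfaceMetric)
        }
    }
}

# Constructed sample reproducing the wired case (Ethernet, VPN, then Wi-Fi)
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; InterfaceMetric = 5  }
    [pscustomobject]@{ InterfaceAlias = 'Corp VPN'; InterfaceMetric = 25 }
    [pscustomobject]@{ InterfaceAlias = 'Wi-Fi';    InterfaceMetric = 40 }
)
Get-DnsPriorityReport -Interfaces $sample -VpnAliasPattern 'Corp VPN' | Format-Table

# Live check, then the fix from the post, run from an elevated prompt.
# Without -AddressFamily, Set-NetIPInterface applies to both IPv4 and IPv6.
# Get-DnsPriorityReport -VpnAliasPattern '<your VPN adapter alias>'
# Set-NetIPInterface -InterfaceAlias 'Ethernet' -AutomaticMetric Disabled -InterfaceMetric 120
```

In the sample, only the Ethernet row reports OutranksVpn as True; after pinning Ethernet to 120 the VPN adapter (25) sorts first.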
In my case the above solution won't work.
My problem started after a Lenovo Dock Ethernet driver update. When I roll back the driver to the 2019 version instead of the 2022 version, it works OK. It also works when I plug the Ethernet cable directly into my laptop or use WiFi or LTE. The problem is that the Ethernet driver version dated March 2022 for the Lenovo Dock was issued for Windows 11 along with a firmware update; using the older driver, although working with Forti, sometimes drops the internet connection.
I run Windows 11.
I think that many users who report the issue stating that VPN works fine over WiFi may have some compatibility issues between FortiVPN and their Ethernet drivers.
Above is non-compatible driver. One needs
Below is compatible driver:
Copyright 2024 Fortinet, Inc. All Rights Reserved.