scheuri1
New Contributor II

sporadic issues with forticlient 7.4.3 and fortios 7.2.10 on ssl vpn (tcp/443)

Dear all

I need some insights from you who have more experience with forticlients than I do.

 

Our customer has a fortigate (7.2.10) with ssl vpn configured. Our customer offers ssl vpn connection to partners and suppliers of theirs.

 

A few days ago one of the suppliers mentioned, that their new user can't connect to the ssl vpn.
We figured out that they got the wrong password. Strangely, I wasn't able to see all the connection tries from said supplier. Only a few.

 

Yesterday, we had a call - supplier, our customer and us. They exchanged passwords again, and the supplier tried the connection. It worked.
All logs on FAC and traffic logs on FGT were fine. They looked marvellous.

 

A few hours later I got a call "it still doesn't work".
This time again - no logs in FAC and no traffic logs. We were able to do some live sessions and then I saw it.

We received SYN packets from the supplier from their expected public IP, but FGT didn't reply (no ACK).
The forticlient (7.4.3 - free, vpn only) in use from the supplier stopped at 40% and after about 15s or so timed out. There was no pop up with certificates or such.

As I only saw SYNs, I realised that this likely is the reason why I didn't see traffic logs from all the alleged connection tries from the supplier.

 

As it worked a few hours prior and now it doesn't I was stumped.

 

Thank you very much in advance

 

If it was a TLS negotiation issue, then why does it happen intermittently? If it was a certificate pop-up waiting for approval, then why isn't there one on the desktop and why does it time out after 15s or so?

 

The next step would be to recommend using the latest FortiClient 7.2.x.
And if that doesn't work, I will surely need to debug the transaction (but since I never get an ACK, I didn't even try the first time).

 

Does anyone have an idea what I could check in particular to find out more?
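A way to make the "SYNs from the supplier, no reply from the FGT" observation above checkable against a saved sniffer capture rather than by eye, as an added example that is not part of the original thread or of any Fortinet tool: the script groups client SYNs by 4-tuple (retransmits share one tuple) and reports attempts that never received a SYN-ACK. The sample capture is constructed, in the style of the `diagnose sniffer packet ... 4` line format; that line format, the addresses and the 3-second SYN-ACK window are assumptions, so check the regex against a real capture before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample in the style of FortiGate "diagnose sniffer packet" verbose-4
# output (timestamp, interface, direction, src.port -> dst.port: tcp flags ...).
# The exact field layout and the addresses are assumptions; adjust LINE_RE to the
# real capture if the fields differ.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[port 443]
10.000100 wan1 in 203.0.113.10.51234 -> 198.51.100.1.443: syn 1000
10.000350 wan1 out 198.51.100.1.443 -> 203.0.113.10.51234: syn 2000 ack 1001
10.050000 wan1 in 203.0.113.10.51234 -> 198.51.100.1.443: ack 2001
20.000000 wan1 in 203.0.113.10.51300 -> 198.51.100.1.443: syn 3000
21.000000 wan1 in 203.0.113.10.51300 -> 198.51.100.1.443: syn 3000
23.000000 wan1 in 203.0.113.10.51300 -> 198.51.100.1.443: syn 3000
25.000000 wan1 in 192.0.2.77.40000 -> 198.51.100.1.443: syn 4000
25.000200 wan1 out 198.51.100.1.443 -> 192.0.2.77.40000: syn 5000 ack 4001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<flags>.+)$"
)


def classify_handshakes(capture_text, syn_ack_timeout=3.0):
    """Group client SYNs by 4-tuple and decide whether each attempt got a SYN-ACK.

    Returns {"answered": [...], "unanswered": [...]}; each record holds the
    client IP/port, the server, the first SYN timestamp and the SYN count.
    A SYN-ACK counts if it arrives after the first SYN and no later than the
    last (retransmitted) SYN plus syn_ack_timeout seconds.
    """
    syns = defaultdict(list)      # client-side 4-tuple -> SYN timestamps
    syn_acks = defaultdict(list)  # same client-side 4-tuple -> SYN-ACK timestamps
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/filter lines or a format the regex does not know
        flags = m["flags"].split()
        if flags[0] != "syn":
            continue  # only handshake packets matter here
        ts = float(m["ts"])
        if "ack" in flags:
            # SYN-ACK travels server -> client; key it from the client's view
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            syn_acks[key].append(ts)
        else:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            syns[key].append(ts)

    result = {"answered": [], "unanswered": []}
    for key, times in sorted(syns.items(), key=lambda kv: min(kv[1])):
        first, last = min(times), max(times)
        replied = any(first <= t <= last + syn_ack_timeout
                      for t in syn_acks.get(key, ()))
        record = {
            "client": key[0],
            "client_port": key[1],
            "server": f"{key[2]}:{key[3]}",
            "first_syn": first,
            "syn_count": len(times),
        }
        result["answered" if replied else "unanswered"].append(record)
    return result


def unanswered_by_client(result):
    """Count half-open attempts per client IP, to compare with the number of
    failed logins the remote side reports."""
    counts = defaultdict(int)
    for rec in result["unanswered"]:
        counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    res = classify_handshakes(SAMPLE_CAPTURE)
    for rec in res["unanswered"]:
        print(f"no SYN-ACK: {rec['client']}:{rec['client_port']} -> {rec['server']} "
              f"({rec['syn_count']} SYNs, first at {rec['first_syn']:.6f})")
    print("unanswered per client:", unanswered_by_client(res))
```

Save the output of a capture such as `diagnose sniffer packet any 'host <supplier-ip> and port 443' 4` to a file and pass its contents to `classify_handshakes`. An attempt that is unanswered here never reached TLS, which is consistent with it leaving neither a FAC log nor a traffic log; comparing the per-client counts with the number of failures the supplier reports shows whether every missing login corresponds to a dropped SYN or only some of them.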

fiesta
New Contributor III

Hi,

Have you tried diagnose debug application sslvpn? It usually gives the reason why the traffic is not processed in the debug output.

Make sure the port does not conflict with the HTTPS interface.

Usually there is a "Notifications" menu in FortiClient; maybe some info can be found there.

 

Best regards.

FWD~
scheuri1
New Contributor II

Hello FWD~

 

Thank you for your reply.

 

I haven't tried to debug yet, as in the cases where it doesn't work I only see SYN packets - so I figured it wouldn't help much. However, I will try to do that at the next meeting.

 

The SSL VPN interface or configuration on the FortiGate is being used by over a hundred other clients. So far I don't have any information about global issues.
Again, it does work - but not always...

 

I will have a better look at the FortiClient at the next meeting.

 

Thank you and much appreciated

sferoz
Staff

Hi scheuri1,

Is the issue happening to all users?
Can you confirm the FGT model, and whether any remote auth is used (LDAP, RADIUS, SAML)? Can you share the config, sslvpn debug and sniffer logs with sferoz@fortinet.com for further review?
