browningit
New Contributor

Some Windows 10 machines can't connect when Restrict to Specific OS Versions enabled

Hey all, hopefully someone can shed some light on an issue for me before I roll out a feature to all my customers. I want to enable the Restrict to Specific OS Versions option, but as soon as I do, some machines even in my office can't connect to VPN after.  The short of it:

 

1) Enable the feature on the FortiGate, apply it (note: haven't set ANY deny rules yet)

2) Test SSLVPN on laptop, works

3) Test SSLVPN on desktop, fails at 80%

4) Enable a few deny rules for the OS versions I don't want to connect, Laptop still works, desktop still broken

 

Troubleshooting steps, and longer details:

PC in my home, with FortiClient, can connect to any of my FGT devices around the world without issue. Laptop in the same home, same credentials, can connect to the same firewalls. Each machine is ON THE SAME PATCH LEVEL. If I enable Restrict to Specific OS Versions, without setting any deny rules, one of my machines (desktop) stops working and fails at 80% on VPN connection. Laptop is unchanged. For testing, on the trouble computer we have:

1) Rolled back updates

2) Applied this week's outstanding update

3) Ran DISM

4) Ran SFC

5) Patched the NIC driver

6) Rolled back to a previous OS BUILD

7) Via support on another ticket, removed the app, ran the cleanup tool, reinstalled, issue persisted.

Issue remains the same. I'd like to tell you that reinstalling Windows would fix this, but this OS install is from December, and has minimal items installed. I am testing with other machines in my office to recreate this elsewhere. If there is anything else I can do to point out issues / configurations that are broken, please advise.

 

Anyone experienced this or resolved it?  All machines in my example so far are the same W10 1909 version and patch level.

---------

Guessing my way to 127.0.0.1

RonnyS_DD
New Contributor

Two weeks ago I also tested this "Restrict to Specific OS Versions" feature, with the same strange errors.

I denied some IOS and <W7-OS entries.

 

Fresh out of the box W10 1909 and my upgraded W10 2004 workstations can't connect to SSL VPN; there were some users with W7 / W8 laptops who also reported connection problems. They all got stuck at 80%.

 

I finally disabled it and all connections came up without errors.

browningit

I have since resolved this after learning some new things through support.  These versions and answers are ROUGHLY the timeline, but enough to get you going on figuring out what happened with my scenario and yours, dear Internet.

 

1) Enabling this feature requires you to use FortiClient VPN ("free app") version 6.1 and older

2) Forticlient VPN ("free app") versions 6.2 and above dropped support, and create the error of failing at 80% with a -14

3) Installing the full version of Forticlient (EMS?) of any version 6.0.5 and above will allow the firewall feature to function and users to connect

4) This solution requires you to uninstall the Forticlient VPN ("free app") 6.2, reboot, install the full version of 6.0.5 and above, then it will connect if you are on a supported OS based on your selections.

 

While I am guilty of not reading EVERY changelog, this should be better highlighted from the support team and the download/installer.

 

Cheers, 

 

*edit for spelling

---------

Guessing my way to 127.0.0.1
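
A pre-rollout check built on the version thresholds reported in the post above, as an added example that is not part of the original thread: it reads the standard Windows uninstall registry keys and flags machines whose FortiClient install is expected to stall at 80% once the OS restriction is enabled. The function name `Get-OsCheckVerdict` is hypothetical, and treating a DisplayName containing "VPN" as the free app is an assumption.

```powershell
# Added example. Thresholds are the ones reported in the post above
# (described there as rough), not taken from Fortinet documentation.
# Assumption: the free app registers with a DisplayName containing "VPN".
function Get-OsCheckVerdict {
    param([string]$DisplayName, [version]$Version)

    if ($DisplayName -match 'VPN') {
        # Free VPN-only app: 6.2 and above reportedly fail with -14 at 80%.
        if ($Version -ge [version]'6.2') {
            return 'FAIL expected (free VPN app 6.2+, stalls at 80% / -14)'
        }
        return 'OK expected (free VPN app 6.1 or older)'
    }
    # Full FortiClient: 6.0.5 and above reportedly work with the OS check.
    if ($Version -ge [version]'6.0.5') {
        return 'OK expected (full client 6.0.5+)'
    }
    return 'UNKNOWN (full client older than 6.0.5, not covered by the post)'
}

# Both 64-bit and 32-bit uninstall hives, since the installer may use either.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'FortiClient*' -and $_.DisplayVersion } |
    ForEach-Object {
        # Keep only the leading dotted number in case a suffix follows it.
        if ($_.DisplayVersion -match '^\d+(\.\d+){1,3}') {
            $ver = [version]$Matches[0]
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Product  = $_.DisplayName
                Version  = $ver
                Verdict  = Get-OsCheckVerdict -DisplayName $_.DisplayName -Version $ver
            }
        }
    }
```

Run it on each endpoint (or through your remote management tooling) before enabling the restriction, and replace any client reported as FAIL following the uninstall, reboot, reinstall order given in the post.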
