Our Fortigate is managed by our ISP (will be moving that in house in the coming months). I have a user that continuously has issues with connecting to the Forticlient IPSec VPN while at home. The error she gets is “VPN connection failed. Please check your configuration, network connection and pre-shared key then retry your connection.”
When she is in office, her laptop is able to connect to the VPN while connected to my mobile hotspot. When at home, it sometimes connects, but sometimes does not. When it doesn’t, it usually won’t for a week until it miraculously fixes itself and starts working.
Last time it happened, we seemed to have better luck with her being connected via the ethernet rather than through her home WiFi. Which almost makes me think it’s a WiFi driver issue – however that doesn’t explain why it works on my hotspot. Which then makes me think that it’s an issue with the firewall on her router – but it works sometimes, so that may not be the case.
Here is a list of all the T-shooting that I have performed. If anyone has experienced this and knows a way to resolve, I will be eternally grateful.
- Rebooted her laptop - several times
- Reconfigured the VPN connection in FortiClient
- Deleted and recreated the VPN connection in FortiClient
- Reinstalled Forticlient
- Moved from WiFi to Eth, that worked once. May be a workaround, but not a resolution.
- Updated from version 5.6.x.x to 7.0.12.0572. (This is the version our ISP provided to us)
Have you run a simple ping to the external interface of your firewall from the user’s home internet connection? And run it for a while, not just the standard 4 pings. If that isn’t stable at all (wired or wireless) then that needs to be fixed first. If it is stable wired but not wireless then the user needs to fix that by moving the router to a better spot in relation to where they work. But if the ping is stable with good reply times both wired and wireless then the ISP should be involved to make sure no firewall settings on the modem are causing this issue.
IPv6 vs IPv4 sometimes causes some connections to not work stably. Disabling IPv6 on the network card via GPO mostly fixes it. The problem being intermittent isn’t explained by this behaviour.
Of course
Edit: oops, you said IPSec, not SSL. Same advice, I would start with the network quality at home.
SSL-VPN in general is really sensitive to packet loss and latency due to the continuous heartbeat/session required. Both of these are often exacerbated by WiFi in users homes.
If it works on your hotspot, it’s probably because you’re 4 feet from the computer with a great signal. How many walls are between this user and their router?
There are some things you can mess with in the VPN settings like setting it to reconnect without reauthentication, but there are also some obvious security risks that come with it.
We had an issue with forticlient + win11 + a Realtek nic driver that only showed up when a user connected via ethernet at home. No issues with WiFi at home.
Was very hard to track down. No resolution though, just told them to use WiFi until the driver gets fixed. It’s been months.
Had a user that had intermittent disconnects after any rain. After 2-3 dry days she would be fine. Intermittent packet loss when the ground was saturated in her neighborhood. Would get frustrated with us but it was always after rain.
You can have them keep a ping running to a good host like 8.8.8.8 to see if you have loss or latency when it occurs.
Hello, good morning. I have the same problem connecting via WiFi with my ISP, Movistar. This happens regardless of whether I am on Linux, macOS or Windows. On the other hand, if I use my phone as a mobile router (a different provider) I have no problem connecting via WiFi from those same systems, and I also get connectivity to FortiClient over wired Ethernet with the Movistar router. So I concluded that Movistar is blocking the IPSec protocol for VPN access on WiFi, probably to prevent streaming of foreign channels. With the old Movistar router (similar to a Movistar set-top box) I had no problem and connected for remote work during the pandemic; since they switched to the new Smart WiFi router, I have not been able to connect via WiFi.
Hi, I am having a problem connecting to a VPN through Fortinet. I am on a company PC at the company itself, connected to a server via a private IP; could that be the problem?
That does make some sense. But what boggles my mind is that it sometimes works on her home network, and other times does not.
Would it still be possible for her ISP to be blocking those ports and for it to occasionally work? I’d think that if the ISP was blocking the ports then it would not work at all, not just not work sometimes
Is it possible the user has a double-NAT going on at home? I’ve encountered a similar situation with a user in the past. It didn’t matter if it was FortiClient, AnyConnect, or other IPSec software. It would work sometimes, but not others. We found that they had both their provider device doing NAT and then were going through a wifi router, as well. Removed the wifi router by plugging right into their cable modem and they had no issues after that. We got them a wireless access point for home instead of the router they were using and the issue didn’t come back.
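Two of the suggestions in this thread (run a long ping to the firewall's public interface or to a known-good host and watch for loss and latency spikes, and check whether the home connection sits behind more than one NAT) are easy to turn into a repeatable check. The script below is an added example written for this thread, not code from any poster or from Fortinet. It assumes Linux/macOS-style `ping` and `traceroute` output (on Windows the output format and the `-n` count flag differ), uses the documentation address 203.0.113.10 as a placeholder for the firewall, and the sample outputs embedded at the bottom are constructed, not real captures.

```shell
#!/bin/sh
# Added example for the VPN-stability thread (not from the original posts).
# Assumption: iputils/BSD-style ping and traceroute output; 203.0.113.10 is a placeholder.

# ping_summary reads ping output on stdin and reports replies, lost packets,
# the worst round-trip time, how many replies exceeded the spike threshold (ms),
# and a STABLE/UNSTABLE verdict. Any loss or any spike counts as unstable,
# which matches how sensitive a VPN tunnel heartbeat is to those events.
ping_summary() {
  thr="${1:-100}"
  awk -v thr="$thr" '
    # Only real reply lines carry both icmp_seq= and time=; "Destination Host
    # Unreachable" lines carry icmp_seq= without time= and are skipped here.
    /icmp_seq=/ && /time=/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^icmp_seq=/) seq = substr($i, 10) + 0
        if ($i ~ /^time=/)     rtt = substr($i, 6) + 0
      }
      replies++
      if (seq > maxseq) maxseq = seq
      if (rtt > maxrtt) maxrtt = rtt
      if (rtt > thr) spikes++
    }
    # The statistics line gives the true transmitted count, which also
    # catches packets lost at the very end of the run.
    /packets transmitted/ { transmitted = $1 + 0 }
    END {
      lost = (transmitted > 0) ? transmitted - replies : maxseq - replies
      verdict = (lost > 0 || spikes > 0) ? "UNSTABLE" : "STABLE"
      printf "replies=%d lost=%d max_ms=%.1f spikes=%d verdict=%s\n",
             replies, lost, maxrtt, spikes, verdict
    }'
}

# private_hop_count reads traceroute output on stdin and counts how many
# consecutive hops from the start use private (RFC 1918) or CGNAT (100.64/10)
# addresses before the first public hop. One such hop is the normal home
# router; two or more suggests a second NAT device (ISP gateway plus own router).
private_hop_count() {
  awk '
    /^ *[0-9]+ / {
      ip = ""
      for (i = 2; i <= NF; i++) {
        gsub(/[()]/, "", $i)               # traceroute prints "host (addr)"
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
      }
      if (ip == "") next                    # "* * *" timeout hop, no address
      split(ip, o, ".")
      a = o[1] + 0; b = o[2] + 0
      priv = (a == 10) || (a == 172 && b >= 16 && b <= 31) || \
             (a == 192 && b == 168) || (a == 100 && b >= 64 && b <= 127)
      if (!priv) exit                       # first public hop ends the count
      n++
    }
    END { print n + 0 }'
}

# run_ping_check: live wrapper. Runs a long ping (default 300 packets, i.e.
# about five minutes) against the firewall's public address or a known-good
# host such as 8.8.8.8 and summarises it. Usage: run_ping_check 203.0.113.10 300 100
run_ping_check() {
  host="$1"; count="${2:-300}"; thr="${3:-100}"
  ping -c "$count" "$host" | ping_summary "$thr"
}

# Constructed sample outputs (not real captures) so the parsers can be
# exercised offline. Packet 3 is missing and packet 4 is a latency spike.
SAMPLE_PING_OUTPUT='PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=54 time=18.2 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=54 time=19.0 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=54 time=210.5 ms
64 bytes from 203.0.113.10: icmp_seq=5 ttl=54 time=17.9 ms

--- 203.0.113.10 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4005ms
rtt min/avg/max/mdev = 17.900/66.400/210.500/83.200 ms'

# Constructed traceroute: own router, then an ISP gateway on another private
# range, then a CGNAT hop, then the first public hop.
SAMPLE_TRACEROUTE='traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.204 ms  1.101 ms  1.050 ms
 2  192.168.0.1 (192.168.0.1)  2.310 ms  2.200 ms  2.150 ms
 3  100.64.12.1 (100.64.12.1)  9.870 ms  9.500 ms  9.400 ms
 4  198.51.100.7 (198.51.100.7)  15.210 ms  15.100 ms  15.000 ms'

if [ $# -gt 0 ]; then
  run_ping_check "$@"
fi
```

Run the wired and wireless tests separately, for the same duration, so the two summaries can be compared directly; a wired run that is STABLE while the wireless run shows spikes or loss points at the home WiFi, and loss on both points at the line or the ISP. A private-hop count of two or more is only a hint: some ISPs use private or CGNAT addressing on internal links without a second NAT, so confirm by checking whether the router's WAN address is itself private before pulling the extra router out.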
But what boggles my mind is that it sometimes works on her home network, and other times does not.
Then it obviously doesn’t make sense. If the ISP blocked it, it would never work. It seems abundantly obvious that this is a crappy home WiFi issue. Just have the user use a cabled connection and be done with it. You cannot and should not be responsible for debugging poor performance of users’ personal equipment.
While you’re at it, change your policies to make it clear that users are responsible for their own personal equipment, and if they can’t maintain a stable connection to required services (which definitely do work for everyone else) then they can’t work remotely.
Moved from WiFi to Eth, that worked once. May be a workaround, but not a resolution.
No, that has to be the resolution. That or she buys herself a new router or changes where she works from.