I have a client that is having their FortiClient (7.2.2.0864) freeze up at 98% and have seen a lot of guess and check options that haven't worked yet. They have disabled IPv6 on their network adapter as a possible fix, but the error they receive, “FortiSslvpn: 10344: error: WSAEnumNetworkEvents FD_CLOSE (10053)”, appears to point to a Windows issue.
I saw a different thread that said they fixed their 98% issue by whitelisting/adding the FortiClient URLs to the trusted sites in their Windows internet security tab.
The client only has this issue when trying to access their VPN over the T-Mobile network, all other ISPs connect to their VPN with no issues.
Any thoughts? Any insight or direction would be appreciated.
Update
T-Mobile's FIRE team applied PC Web IPv4 only configuration file to the iPhone and went into the Inseego hotspot and added a custom APN and set the connection type for IPv4 only, and everything works now. We first tried an account level feature to force IPv4 but that didn't work and we were still getting IPv6 addresses.
I haven’t seen the issue first hand, but I know T-Mobile + “VPN issue” has a ton of results on Reddit and other forums. Seems like T-Mobile’s NAT64 setup causes problems with VPN clients.
We had a similar issue, it’s likely IPv6 related. Are you using a DNS name to connect or an IP address? Try using an IP address as the hostname as this will force IPv4. If this works you have a couple of options. Let me know.
I had this exact problem… and fixed it… you need to create a new APN profile in Windows 11 under Settings > Cellular tab. Once you use the fast.t-mobile.com APN you must change ipTYPE to IPv4 only… boom, that worked and I was able to connect to VPN.
Have you tried decreasing the MTU? I was having all sorts of crazy WireGuard issues recently where it was working fine on my laptop, fine on my phone but failed to pass data in odd ways if I tethered the laptop through the phone and ran the VPN on the laptop. PMTU discovery seemed to be failing for some reason, lowering it manually just on this profile made it all work fine.
Might be entirely unrelated, but should be easy to test.
Had an issue like this, and had to disable IPv6 in the registry, not just via adapter. That resolved one user's problem connecting FortiClient to a T-Mobile hotspot.
Is this a mobile hotspot on a phone, or is the user using T-Mobile Home internet?
I have not had any issues with phone hotspots, however T-Mobile Home Internet is using CG-NAT over IPv6, and I have not been able to get any of our FortiGate VPNs to work on it, either SSL or IPsec. In fact, the only VPN I have successfully tested on T-Mobile Home Internet is Windows Native L2TP VPN…
So far we have been advising users they cannot use T-Mobile Home Internet for VPN and they need to get a different ISP if they do have it.
Edit: one possible solution that has been proposed that we have not tried yet is to configure the VPN endpoint on an IPv6 IP, and connect to that so the connection is entirely IPv6. We haven't had any customers interested in spending money to set that up and test it yet, so I cannot confirm if it works.
I troubleshot a similar issue with one of our users who switched to T-Mobile home internet about 6 months back. Her symptoms were she could connect to the VPN but it wouldn’t send any traffic over it, except maybe a ping.
After a conference call with the user and T-Mobile, they told me that their data network in general does not allow VPN traffic because it consumes too much bandwidth. Might be a possible case here?
Hit or miss for us: tethered to a phone works one day, stuck at 98% the next, same with hotspots and even the 5G home Internet. Never consistent enough to get anywhere with TAC.
The normal APN in the T-Mobile network uses CG-NAT over IPv6, which stops FortiClient VPN from working. Which country are you in? For Germany, the APN “internet.telekom” works.
T-Mobile only gives cell phones IPv6 connectivity, so a mobile hotspot is giving out an RFC1918 address, NAT46-ing it to T-Mobile, who does NAT64 before sending it out to the wider internet.
It breaks FortiClient pretty spectacularly. I haven’t tried other SSL VPN clients (AnyConnect, for example), but I imagine they will break in similar ways.
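The NAT64/DNS64 behaviour discussed in the replies above can be checked from the affected laptop. This is an added example, not part of the thread: it derives the network's NAT64 prefix from the AAAA answers for `ipv4only.arpa` (RFC 7050), covers every prefix length RFC 6052 allows rather than only /96, and then labels the addresses a VPN hostname resolves to. The function names are hypothetical and all addresses are constructed samples.

```python
import ipaddress

# RFC 7050: ipv4only.arpa has only these two A records, so any AAAA answer for it
# was synthesized by a DNS64 resolver and reveals the network's NAT64 prefix.
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)  # the only lengths RFC 6052 permits

def _slots(plen):
    """Byte positions holding the IPv4 address after a /plen prefix (octet 8 is reserved)."""
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def embedded_ipv4(addr, plen):
    raw = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _slots(plen)))

def nat64_prefix(aaaa_answers):
    """Derive the NAT64 prefix from AAAA answers for ipv4only.arpa; None if not DNS64."""
    for addr in aaaa_answers:
        for plen in PREFIX_LENGTHS:
            if embedded_ipv4(addr, plen) in WELL_KNOWN_V4:
                return ipaddress.IPv6Network((addr, plen), strict=False)
    return None

def synthesize(prefix, ipv4):
    """AAAA a DNS64 resolver would hand out for an IPv4-only host such as a VPN gateway."""
    raw = bytearray(prefix.network_address.packed)
    for i, b in zip(_slots(prefix.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        raw[i] = b
    return ipaddress.IPv6Address(bytes(raw))

def classify(addresses, prefix):
    """Label each address a VPN hostname resolved to as native or NAT64-translated."""
    out = {}
    for a in addresses:
        ip = ipaddress.ip_address(a)
        translated = ip.version == 6 and prefix is not None and ip in prefix
        out[a] = (f"nat64 -> {embedded_ipv4(a, prefix.prefixlen)}" if translated
                  else f"native ipv{ip.version}")
    return out

if __name__ == "__main__":
    answers = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]  # constructed sample answers
    prefix = nat64_prefix(answers)
    gateway = synthesize(prefix, "203.0.113.10")  # constructed documentation-range gateway
    print(prefix, classify([str(gateway), "203.0.113.10"], prefix))
```

On a real client, feed `nat64_prefix` the addresses returned by `nslookup -type=AAAA ipv4only.arpa`; an empty answer means the resolver is not doing DNS64.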
I have the exact same issue at my current org and have a ticket opened with support for it. I have replicated on three different devices, three different computers, and both personal and business cell plans. I need to send Fortinet support some debug logs tomorrow and they’ll get back to me. No issue on Verizon or ATT networks. They tried telling me to add an AAAA record to our DNS, but we don’t have any IPv6 addressing so it makes no sense to me.
I’ll try and remember to post here if I get a solution.
Maybe I missed something and someone said it already - but my suggestions:
Reinstall the FortiClient to what it is supposed to be according to your company's policy (as you apparently have made several changes). Just to make sure you have all the configs on “default” like all other clients.
Try again and then use a different Internet Service Provider (without changing the FortiClient).
If the usual troubleshooting doesn’t work (and in cases like this where the ISP has a reputation to be an issue) we really tell the home office clients to try and test on other locations (coffee shop, neighbour) where the ISP is another one than home…hopefully.