Friday, November 17, 2017

FortiClient Troubleshooting IPsec VPN

The FortiClient logging capability is great for in-depth diagnostics, but sometimes all you need is the diagnostic pop-up window on the client itself to point you at the likely problem.

If you have a FortiClient deployment and a few clients with problems, use the feedback windows (or the lack of one) as your first triage step.


1st up, a bad Pre-Shared-Key



That should need no explanation beyond re-keying your PSK on the client so that it matches the FortiGate phase1.


Next, bad logins:



Here it's trickier, because a bad-login window can mean any of the following:

1: a bad group-id
2: a bad username
3: or a bad password

Always validate that the user is correct first.


TIP: A group that is defined on both the client and the FortiGate, where the user is NOT a member of that group, is also a cause of bad login.



Let's say you have a VPN peer-id set and an authserver group, and the actual VPN user is not part of that group: the FortiGate will only return the generic bad-login response, so the client window alone will not tell you which of the three causes above it was.





If you still have issues, you might need to run FortiGate CLI diag debug commands


e.g.


diag debug enable
diag debug application ike -1





TIP: Use the diag vpn ike log-filter command (e.g. dst-addr4 with the client's address) to filter on the client address that's trying to connect; in a heavily used FortiClient deployment the unfiltered ike debug output is otherwise too noisy to read.


Lastly, if a client tries to connect to a FortiGate and gets no pop-up window at all, this is a good indication of one or more of the following:

1: the client didn't reach the FortiGate (IKE on UDP 500, or UDP 4500 for NAT-T, blocked or not routed)
2: the client's IKE proposal was not matched and accepted by the FortiGate phase1
3: NAT or NAT-T issues
4: the client had the wrong gateway address configured (see #1 above)
5: or a combination of the above
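The pop-up windows above tell you which of the three symptom classes (bad PSK, bad login, nothing at all) you are looking at; the ike debug tells you why. As an added example that is not part of the original post, the script below does that second step for you: it reads captured output from diag debug application ike -1 and groups the tell-tale messages by the peer address that most recently sent a packet. The sample lines are constructed to resemble FortiGate IKE debug output and the regexes are assumptions, since the exact wording varies between FortiOS versions; check them against your own capture before relying on them.

```python
"""Triage FortiGate IKE debug output (diag debug application ike -1) per peer.

Added example, not from the original post or from Fortinet. The message
patterns and the sample capture below are constructed/assumed; verify them
against the debug output of your own FortiOS build.
"""
import re
from collections import Counter, defaultdict

# Substring patterns -> symptom category. Assumed wording; adjust to your build.
PATTERNS = [
    (re.compile(r"probable pre-shared secret mismatch"), "psk_mismatch"),
    (re.compile(r"no SA proposal chosen"), "proposal_mismatch"),
    (re.compile(r"XAUTH .*(auth|authentication) failed", re.I), "bad_login"),
    (re.compile(r"NAT detected: .*PEER"), "nat_t_peer"),
    (re.compile(r"negotiation failure"), "negotiation_failure"),
]

# The debug prints "comes <src>:<port>-><dst>:<port>" when a packet arrives,
# followed by lines about processing it that name the gateway, not the IP.
COMES_RE = re.compile(r"\bcomes (\d{1,3}(?:\.\d{1,3}){3}):\d+->")

# What the client-side window shows for each category, and what to check.
ADVICE = {
    "psk_mismatch": "PSK window on the client: re-key the pre-shared key",
    "bad_login": "bad-login window: check group-id, username, password and group membership",
    "proposal_mismatch": "no pop-up: align the client IKE proposal with phase1",
    "nat_t_peer": "peer is behind NAT: make sure NAT-T is enabled on both ends",
    "negotiation_failure": "no pop-up: generic failure, read the preceding lines",
}


def classify_line(line):
    """Return the symptom category for one debug line, or None if it is noise."""
    for rx, category in PATTERNS:
        if rx.search(line):
            return category
    return None


def triage(lines):
    """Map peer address -> {category: count}.

    Each symptom is attributed to the source address of the most recently
    received packet (assumption: a single debug stream, which is exactly what
    diag vpn ike log-filter gives you when you filter on one client).
    """
    per_peer = defaultdict(Counter)
    peer = "unknown"
    for line in lines:
        m = COMES_RE.search(line)
        if m:
            peer = m.group(1)
            continue
        category = classify_line(line)
        if category:
            per_peer[peer][category] += 1
    return {p: dict(c) for p, c in per_peer.items()}


# Constructed sample resembling ike -1 debug output; not a real capture.
SAMPLE = """\
ike 0: comes 203.0.113.7:500->198.51.100.1:500,ifindex=5....
ike 0:dialup_0:1001: responder: main mode get 1st message...
ike 0:dialup_0:1001: probable pre-shared secret mismatch
ike 0: comes 198.51.100.77:4500->198.51.100.1:4500,ifindex=5....
ike 0:dialup_0:1002: NAT detected: PEER
ike 0:dialup_0:1002: XAUTH user 'jdoe' authentication failed
ike 0: comes 192.0.2.9:500->198.51.100.1:500,ifindex=5....
ike 0:dialup:1003: no SA proposal chosen
ike 0:dialup:1003: negotiation failure
"""

if __name__ == "__main__":
    for peer, counts in triage(SAMPLE.splitlines()).items():
        print(peer)
        for category, n in counts.items():
            print(f"  {category} x{n}: {ADVICE[category]}")
```

Feed it a saved debug capture with `triage(open("ike.log").read().splitlines())`; a peer that shows only nat_t_peer and nothing else usually means the packets arrived but the rest of the negotiation is failing somewhere the patterns do not cover yet, so read that peer's raw lines.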


 Ken Felix




NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
