Troubleshooting FortClient VPN Connectivity Issues with FortiGate

As more and more users are using remote access VPNs and probably using FortiClient, I wanted to share the errors you are encountering based on the percentage when it fails and some troubleshooting steps around Remote Access VPNs.

Percentage and Possible Issue

- 10% – Local Network/PC issue
- 40% – Application or the Fortigate causing the error, occasionally caused by the local machines/network setup
- 45% – MultiFactor Authentication
- 80% – Username/Password issue
- 98% – corruption of services/often resolved by reinstalling the client on the laptop.

Here are some troubleshooting commands for the SSL VPNs on the FortiGate.  You can run them from the GUI Console screen or by using your favorite terminal application (e.g. SecureCRT, PuTTY, ZOC, etc.)

di deb reset
di deb app sslvpn -1 
di deb en

Set the terminal to capture the output to a file.  This will be useful to provide to TAC if needed.

diag deb reset
diag deb console time en
diag deb app fnbamd -1
diag deb en

The commands above will troubleshoot authentication on the FortiGate

Gathering FortiClient Logs

You will want to:

1. Clear the logs if you have any there.
2. Set the Log Level to Debug to ensure the highest verbosity. (Make sure to disabled after troubleshooting)
3. Run the attempt, and then Export logs

These can be uploaded to TAC.

Viewing Performance Settings on FortiGate GUI

You can log into the FortiGate and under the Dashboard, set the time rage filter to 24 Hours for Memory, CPU and even Sessions

On the command line, you can use the following methods and commands

Viewing Performance Settings on FortiGate CLI

diagnose sys top

Once the TOP screen is displayed, you can use the letters below to filter the output differently.

U is % of user space applications using CPU. In the example, 0U means 0% of the user space applications are using CPU.
S is % of system processes (or kernel processes) using CPU. In the example, 0S means 0% of the system processes are using the CPU.
I is % of idle CPU. In the example, 98I means the CPU is 98% idle.
T is the total FortiOS system memory in Mb. In the example, 123T means there are 123 Mb of system memory.
F is free memory in Mb. In the example, 25F means there is 25 Mb of free memory.
KF is the total shared memory pages used. In the example, 32KF means the system is using 32 shared memory pages.

Finally, you may need to trace connections and/or do some packet captures here are two examples of that.

Pinging and Source Pinging

Sometimes you want to perform a straight ping to test connectivity from the firewall to a remote access VPN device.  You can do that with the standard exec ping %host% however sometimes, you may want to source the ping from the inside interface or dmz interface.  Below are the commands.

execute ping-options ? 
execute ping-options source <ip-address-of-the-interface> 
execute ping <hostname|ip>

Flow Trace

Now I will show a flow trace from my computer to 4.2.2.2

diagnose debug reset 
diagnose debug flow filter saddr 10.22.22.122 
diagnose debug flow filter daddr 10.100.1.1 
diagnose debug flow show function-name enable
diagnose debug enable 
diagnose debug flow trace start 100  #display the next 100 packets, after that, disable the flow: 

When complete, you can disable manually with

diagnose debug disable

In the output, it will show you what interface the connection came in on, because of the function-name enable you will see NAT, Routing, etc, IPS, offloading to NPU and SPUs, etc.

Sessions

You can also see the sessions using the following commands

diagnose sys session filter clear
diagnose sys session filter dst 4.2.2.2
diagnose sys session filter dport 53
diagnose sys session list           #show the session table with the filter just set

Use the filter that work for you from a source or destination as well as ports

With this filter, you can clear the sessions based on the filter you created by issuing the diagnose sys session clear NOTE: Without the filter in place, you will clear ALL sessions on the FortiGate.  It is always a good habit to run diag sys session filter ? to list the filter you have configured.

Packet Capture

You can either use the GUI or the CLI to run packet captures.

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l 
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a 
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l 

The verbosity is controlled by the following:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

You can use the GUI by going to Network then Packet Capture then Create .  You will then be able to choose the interface you want to capture on and optionally you can enable the filters, and choose as needed.  This will give you the opportunity to download the PCAP file and launch it with Wireshark, which you SHOULD have on your computer

Hope this helps