Troubleshooting FortiClient VPN Disconnections: A Comprehensive Guide

FortiClient VPN disconnections are a prevalent issue affecting users across both IPsec and SSL VPNs, leading to disrupted workflows and frustration. Based on analysis of official Fortinet community guides, support forums, and user discussions, this article consolidates the root causes and proven solutions.

Understanding the Core Causes of VPN Dropouts

VPN sessions can drop due to problems on the client device, network infrastructure, or FortiGate firewall configuration. The triggers differ slightly between IPsec and SSL VPN protocols.

Common Causes for IPsec VPN Disconnections

  • Dead Peer Detection (DPD) Timeouts: The most frequent culprit. If the FortiGate and FortiClient do not exchange DPD "keep-alive" packets within the set interval, the tunnel is torn down.
  • MTU/MSS Size Issues: Large packets that exceed the Maximum Transmission Unit (MTU) of the path can fragment and get dropped, breaking the tunnel.
  • Aggressive Mode Handshake Failures: Misconfiguration in Phase 1 aggressive mode can cause instability.
  • Conflicting Routing Tables: Especially when both IPsec and SSL VPN clients are used simultaneously.
  • System Sleep/Hibernation: Windows power settings can disable network adapters, killing the VPN connection.

Common Causes for SSL VPN Disconnections

  • Session Timeout Settings: Idle and hard timeout values on the FortiGate may be too short.
  • TCP vs. UDP Protocol Use: The default TCP mode is more stable through proxies but can cause "TCP meltdown" on lossy networks. UDP (DTLS) is often more resilient.
  • Windows Network Location Awareness: Windows Firewall or other security software may interfere when it detects a "new network."
  • CPU/Memory Spikes: Resource spikes on the client machine can starve or disrupt the VPN processes.

Proven Solutions and Configuration Fixes

For IPsec VPN Dropouts

  1. Adjust Dead Peer Detection (DPD): On the FortiGate, increase the dpd-retryinterval and dpd-retrycount in the Phase 1 configuration. A common fix is setting retryinterval to 30-60 seconds and retrycount to 5-10.
    config vpn ipsec phase1-interface
        edit "VPN_Tunnel_Name"
            set dpd-retryinterval 60
            set dpd-retrycount 10
        next
    end
  2. Fix MTU Issues: On the FortiClient (IPsec), enable "Don't Fragment" flag in the advanced connection settings. Alternatively, reduce the interface MTU on the client OS or FortiGate.
  3. Disable Aggressive Mode: Use Main Mode (ID Protection) for Phase 1 negotiation unless absolutely necessary.
  4. Check for IP Address Conflicts: Ensure the client IP pool doesn't overlap with the client's local network.
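The MTU step above is usually done by trial and error. As an added example (not from this article and not a Fortinet tool), the following Python script finds the largest IP datagram the local path accepts with the Don't Fragment bit set, then derives the TCP MSS to clamp to. It is Linux-only and runs unprivileged: it uses the `IP_MTU_DISCOVER`, `IP_PMTUDISC_DO` and `IP_MTU` socket options and the kernel's `EMSGSIZE` error on oversized DF datagrams. The target host, the UDP port 33434 and the `simulated_probe` stand-in (so the search can run offline) are assumptions.

```python
"""Path MTU probe for VPN MTU troubleshooting.

Added example (not from the article or from Fortinet). Linux only: it relies on
the IP_MTU_DISCOVER socket option to set the Don't Fragment bit on UDP probes
and on the kernel returning EMSGSIZE when a datagram exceeds the path MTU.
Runs unprivileged; no raw sockets needed.
"""
import errno
import socket
import sys

# Linux values from <linux/in.h>; Python only exposes them on some builds.
IP_MTU_DISCOVER = getattr(socket, "IP_MTU_DISCOVER", 10)
IP_PMTUDISC_DO = getattr(socket, "IP_PMTUDISC_DO", 2)
IP_MTU = getattr(socket, "IP_MTU", 14)

IPV4_UDP_HEADERS = 20 + 8   # IPv4 header without options + UDP header
IPV4_TCP_HEADERS = 20 + 20  # IPv4 header + TCP header, what the MSS excludes


def df_probe_factory(host, port=33434):
    """Return (probe, cached_path_mtu) for a UDP socket connected to host:port.

    probe(size) reports whether a `size`-byte IP datagram can be sent with DF set.
    The kernel rejects anything larger than the interface MTU immediately; a size
    that is too large for a narrower hop further along the path is rejected only
    once the ICMP "fragmentation needed" reply has updated the route cache, so on
    a real network run the search twice and then read cached_path_mtu().
    If ICMP is filtered (common on VPN paths) the kernel never learns the narrower
    MTU, which is exactly the black-hole condition that breaks tunnels.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DO)
    sock.connect((host, port))  # fixes the route; a UDP connect sends nothing

    def probe(size):
        try:
            sock.send(b"\x00" * (size - IPV4_UDP_HEADERS))
            return True
        except OSError as exc:
            if exc.errno == errno.EMSGSIZE:
                return False
            raise

    def cached_path_mtu():
        return sock.getsockopt(socket.IPPROTO_IP, IP_MTU)

    return probe, cached_path_mtu


def simulated_probe(path_mtu):
    """Offline stand-in for the real probe: accepts sizes up to a constructed path MTU."""
    return lambda size: size <= path_mtu


def largest_accepted(probe, lo=576, hi=1500):
    """Binary-search the largest size in [lo, hi] that probe() accepts.

    Assumes monotonic behaviour (if `n` is rejected, everything above `n` is too).
    Returns None when even `lo` is rejected.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_for_mtu(mtu):
    """TCP MSS to clamp to for a given MTU (IPv4, no IP or TCP options)."""
    return mtu - IPV4_TCP_HEADERS


if __name__ == "__main__":
    # Usage: python mtu_probe.py <vpn-gateway-or-any-reachable-host>
    # Without an argument, run against a constructed path MTU of 1400.
    if len(sys.argv) > 1:
        probe, cached = df_probe_factory(sys.argv[1])
        largest_accepted(probe)            # first pass may only learn the PMTU
        found = largest_accepted(probe)    # second pass reflects ICMP feedback
        print(f"largest DF datagram accepted: {found}, kernel PMTU cache: {cached()}")
    else:
        found = largest_accepted(simulated_probe(1400))
        print(f"simulated path MTU: {found}")
    if found:
        print(f"clamp TCP MSS to {tcp_mss_for_mtu(found)} or lower")
```

Subtract the tunnel's encapsulation overhead (which depends on cipher, integrity algorithm and NAT-T) from the measured value to size the VPN adapter's MTU; measure rather than guess, because a value that is a few bytes too large fails only for large packets and looks like a random drop.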

For SSL VPN Dropouts

  1. Switch from TCP to UDP (DTLS): This is the single most effective fix for many users. In FortiClient, edit the connection: Remote Access -> Advanced -> Transport and select UDP (DTLS). Ensure DTLS is enabled on the FortiGate SSL-VPN port settings.
  2. Increase Timeout Values: On the FortiGate, under SSL-VPN Settings, increase the idle-timeout and auth-timeout values (e.g., idle-timeout to 28800 seconds and auth-timeout to 72 hours).
  3. Disable Windows Firewall for Private Networks: Do this only while testing; the proper fix is an explicit rule allowing the FortiClient processes (vpnagent.exe, forticlient.exe).
  4. Prevent Network Adapter Sleep: In Windows Power Options, edit plan settings -> Change advanced power settings -> Network adapter settings -> set to "Maximum Performance."

Universal Troubleshooting Steps

  • Update Everything: Ensure FortiClient, FortiGate OS, and network drivers (especially NIC/Wi-Fi) are updated to the latest stable version.
  • Disable IPv6: Temporarily disable IPv6 on the client's network adapter and within the FortiClient VPN connection settings.
  • Disable Conflicting Software: Temporarily disable third-party firewalls, antivirus, or "connection optimizer" features in other applications.
  • Clear Persistent Tunnels: In FortiClient, go to Settings -> Advanced and uncheck "Allow persistent tunnel on exit."
  • Use Split Tunneling Wisely: If enabled, ensure routes are correctly defined. For testing, try disabling it (send all traffic through VPN).

Proactive Prevention Best Practices

  • Standardize Timeouts: Align DPD (for IPsec) and session timeouts (for SSL-VPN) across client and server configurations.
  • Prefer UDP for SSL-VPN: Use DTLS (UDP) on networks where it's not blocked by firewalls.
  • Monitor FortiGate Resources: High CPU or memory on the FortiGate can drop tunnels. Optimize policies and hardware.
  • Document Client Network Environment: Issues are common on restrictive public Wi-Fi (airports, hotels) or behind double-NAT. A client-side FAQ can help users self-diagnose.

Frequently Asked Questions (FAQ)

Q: Why does my VPN disconnect exactly every 5 minutes (or another regular interval)?
A: This is almost always a Dead Peer Detection (DPD) or session timeout issue. The firewall is terminating the tunnel due to a missed keep-alive. Adjust the dpd-retryinterval (IPsec) or auth-timeout (SSL-VPN) on the FortiGate.
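A fixed disconnect cadence is the clue, so it helps to check it against the configured timeouts rather than guess. As an added example (not part of the article or any Fortinet tool), this Python check takes a list of disconnect times, tests whether they repeat at a regular interval, and compares that interval with the DPD and SSL-VPN timeout values in play. The timestamps and the FortiGate values are constructed, and the DPD dead time is approximated as dpd-retryinterval × dpd-retrycount (the exact figure depends on the DPD mode).

```python
"""Relate a regular VPN disconnect cadence to FortiGate timeout settings.

Added example; the timestamps and FortiGate values below are constructed,
not real FortiClient or FortiGate logs.
"""
from datetime import datetime
from statistics import median

# Constructed: times at which a user's FortiClient session dropped (ISO 8601)
SAMPLE_DISCONNECTS = [
    "2024-03-04T09:05:01", "2024-03-04T09:10:02", "2024-03-04T09:15:01",
    "2024-03-04T09:20:03", "2024-03-04T09:25:02",
]

# Constructed FortiGate values for the same tunnel, all in seconds
SAMPLE_CONFIG = {
    "dpd-retryinterval": 60,   # config vpn ipsec phase1-interface
    "dpd-retrycount": 5,
    "idle-timeout": 28800,     # config vpn ssl settings (8 hours)
    "auth-timeout": 259200,    # config vpn ssl settings (72 hours)
}


def intervals_seconds(timestamps):
    """Seconds between consecutive disconnects."""
    times = [datetime.fromisoformat(t) for t in timestamps]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def periodic_interval(intervals, tolerance=0.05):
    """Return the median interval if every interval is within `tolerance` of it, else None.

    Timeout-driven drops line up within a few seconds; link flaps and Wi-Fi
    roaming do not, so an irregular series points away from timeouts.
    """
    if len(intervals) < 2:
        return None
    m = median(intervals)
    if all(abs(i - m) <= tolerance * m for i in intervals):
        return m
    return None


def dpd_dead_time(retryinterval, retrycount):
    """Approximate time from the last exchanged packet until DPD declares the peer dead."""
    return retryinterval * retrycount


def matching_timeouts(period, config, tolerance=0.05):
    """Names of configured timeouts whose value matches the observed period."""
    candidates = {
        "dpd (retryinterval x retrycount)":
            dpd_dead_time(config["dpd-retryinterval"], config["dpd-retrycount"]),
        "sslvpn idle-timeout": config["idle-timeout"],
        "sslvpn auth-timeout": config["auth-timeout"],
    }
    return [name for name, value in candidates.items()
            if abs(value - period) <= tolerance * period]


def diagnose(timestamps, config):
    """(period_seconds, [matching timeout names]); period is None when drops are irregular."""
    period = periodic_interval(intervals_seconds(timestamps))
    if period is None:
        return None, []
    return period, matching_timeouts(period, config)


if __name__ == "__main__":
    period, matches = diagnose(SAMPLE_DISCONNECTS, SAMPLE_CONFIG)
    if period is None:
        print("disconnects are not periodic; look at the link, power settings or client software")
    else:
        print(f"disconnects every {period:.0f} s; matching timeouts: {matches or 'none'}")
```

When no configured value matches a clearly periodic drop, the timeout is being enforced somewhere else on the path (a NAT device or an upstream firewall expiring the UDP or TCP state), which is the case the last FAQ answer below points at for idle sessions.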

Q: Should I use TCP or UDP for SSL-VPN?
A: For most users, UDP (DTLS) provides a faster and more stable connection, as it handles packet loss better. Use TCP only if you are behind a restrictive firewall/proxy that blocks UDP ports.

Q: Can Windows Power Management cause disconnections?
A: Yes. Windows can power down the network adapter to save energy, breaking the VPN. Disable this setting in Power Options and in the Device Manager properties for your network adapter.

Q: My VPN works but disconnects when idle. What can I do?
A: Increase the idle-timeout setting in the FortiGate's SSL-VPN configuration. Also, check for any intermediate devices (corporate firewalls, ISPs) that may be killing idle sessions.

Q: What's the "Don't Fragment" flag, and should I enable it?
A: This tells the system not to fragment packets for the VPN tunnel. Enabling it can resolve MTU issues but may cause connectivity problems if your path cannot handle the full packet size. It's a useful troubleshooting step for IPsec.

Q: I'm using Windows 10/11 and nothing works. Any last resort?
A: Perform a clean install of the latest FortiClient from the official Fortinet support site, not the Microsoft Store version. Ensure you fully uninstall the old client first using the FortiClient removal tool. Also, verify that your Windows is fully updated.