Access to the internet has been restricted in China since the 1990s, as the Communist government has sought ways to limit not only its citizens’ consumption of news and information but also their interaction with those outside of China. FortiClient, the Fortinet next-generation endpoint protection, provides users with secure remote access with a built-in VPN.
However, as both individuals and businesses seek access to information and the ability to conduct transactions with people outside of China, virtual private networks (VPNs) to circumvent these restrictions have become a necessary tool.
Accessing a VPN from China
Since China made it illegal to access the “foreign internet” without government permission in 1997, the use of VPNs as a workaround has proliferated. VPNs encrypt data, masking the user’s identity and activity while browsing the internet. VPNs hide a computer’s Internet Protocol (IP) address, its physical location, and browsing history, among other data.
It is not just individual Chinese citizens or visitors to China who benefit from VPNs to access social networks and banned websites. Chinese corporations and multinational companies doing business with China also use VPNs to secure company data and make communications more private.
Browsing the internet anonymously is not the only advantage of using a VPN. The security and privacy of VPN-encrypted connections should be the main reason users opt for VPNs when browsing the internet in China.
Using Fortinet in China
China has also been known to target VPN companies, but luckily, it does not block the Fortinet FortiClient VPN. FortiClient is more than just a VPN. It also provides compliance and endpoint protection, which are needed for large organizations to enforce policies and track and report security issues. FortiClient also provides advanced threat protection against malware through its integration with FortiGuard.
This endpoint protection offered by the Fortinet VPN safeguards users against the most advanced threats. While some internet users in China only want a way to access U.S.-based websites and social networks without government surveillance, malware in China is a growing problem. In fact, malware associated with the Chinese government has been identified as the driver of spear-phishing attacks.
What Is VPN Troubleshooting?
Issues may arise when using a VPN to connect to the internet. Usually, the biggest issue is that the VPN simply cannot connect. Other times, the connection drops, or the connection is really slow.
In the next section, we will detail what you can do when you encounter particular issues.
How to Troubleshoot Some SSL VPN Issues
These troubleshooting tips can be used for the following versions of FortiGate: v5.4, v5.6, v6.0, v6.2, and v6.4.
There Is No response from the SSL VPN Uniform Resource Locator (URL)
Navigate to VPN >> SSL-VPN Settings and check the secure socket layer (SSL) VPN port assignment. Also, check the “Restrict Access” settings to ensure that the host you are connecting from is allowed.
Go to Policy >> IPv6 policy and make sure that the policy for SSL VPN traffic is configured correctly. Check the URL to connect to. It should follow this pattern:
Ensure that the correct port number in the URL is used.
Use a computer on the local network to connect to the VPN, rather than a computer using a remote connection.
If external authentication is used, create a local user and connect to the VPN using the newly created local account.
FortiClient Cannot Connect
Ensure that the version of FortiClient used is compatible with the user’s version of FortiOS.
Export FortiClient debug logs by doing the following:
- Go to File >> Settings. Under the logging section, enable “Export logs.”
- Set the “Log Level” to debug and select “Clear logs.”
- Attempt to connect to the VPN.
- Select Export logs after receiving the connection error.
The SSL VPN Login Hangs or Disconnects at 98%
A new SSL VPN driver was added to FortiClient 5.6.0 and later versions to resolve various SSL VPN connection issues. If the FortiOS version is compatible, upgrade to use one of these versions.
In addition, poor network connectivity can cause the FortiGate default login timeout limit to be reached. In FortiOS 5.6.0 and later, the following commands allow a user to increase timers related to the SSL VPN login.
# config vpn ssl settings set login-timeout 180 (default is 30) set dtls-hello-timeout 60 (default is 10) End
Tunnel-mode Connection Shuts Down After a Few Seconds
This issue can occur when there are multiple interfaces connected to the internet—for example, a software-defined wide-area network (SD-WAN). To fix this, allow multiple interfaces to connect without issue.
If FortiOS 6.0.1 or later is used, follow this command-line interface (CLI) command:
# config system interface edit <name> set preserve-session-route enable next end
For FortiOS 6.0.0 or earlier, use this CLI command:
# config vpn ssl settings set route-source-interface enable end
The following error message will be received: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12).”
Make sure that the browser has cookies enabled.
If a remote authentication server is used, confirm that FortiGate is able to communicate with it.
The Tunnel Connects, but There Is No Communication
Make sure there is a visual interface or a screen you can view, by going to Monitor >> Routing Monitor.
Also, check the routing table—the data stored in a router that lists the routes to particular network destinations—on the user’s computer to ensure that the routes for the VPN are added (use the command route print on Windows, or netstat -nr on macOS).
Connects Remotely to the VPN Tunnel, but It Will Not Give Access to the Network Resources
Verify that the firewall policy for SSL VPN traffic is configured correctly by going to Policy & Objects >> IPv4 Policy and making sure that the source/destination addresses, user group, and destination interfaces are correct.
Use the command “# diagnose debug flow” to obtain more information about the network traffic. To learn more about this command, see How to use debug flow to filter traffic.
Users Are Unable to Download the SSL VPN Plugin
Go to VPN >> SSL-VPN Portals to make sure that the option to limit users to one SSL-VPN connection at a time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.
Users Are Being Assigned to the Wrong IP Range
Go to VPN >> SSL-VPN Portals and VPN >> SSL-VPN Settings and make sure that the same IP pool is used in both the VPN Portal and VPN Settings sections to avoid conflicts.
If there is a conflict, the portal settings are used.
SSL VPN Throughput Is Slow
Although many factors can contribute to slow throughput, one recommendation is to try the FortiOS datagram transport layer security (DTLS) tunnel option, available in FortiOS 5.4 and above.
DTLS allows the SSL VPN to encrypt traffic using transport layer security (TLS) and uses User Datagram Protocol (UDP) at the transport layer instead of Transmission Control Protocol (TCP). This avoids retransmission problems that can occur with TCP-in-TCP.
To make sure the DTLS tunnel is enabled on the FortiGate solution, use the following command:
# config vpn ssl settings set dtls-tunnel enable end
FortiClient 5.4.0 to 5.4.3 use DTLS by default. FortiClient 5.4.4 and later use normal TLS, regardless of the FortiGate DTLS setting. To use DTLS with FortiClient, go to File >> Settings and enable “Preferred DTLS Tunnel.