Fortigate: Disable Telemetry (Endpoint Security) for Client VPN Users

blah blah Solution 1 You can recreate the VPN and on Step 3, Unselect Allow Endpoint Registration Solution 2 Disable Endpoint Security Enable the feature first so the option will show up on the firewall. Under System -> Feature Select -> Security Features -> select Endpoint Control. Once Feature is enabled, Forticlient Profile will be … Continue reading Fortigate: Disable Telemetry (Endpoint Security) for Client VPN Users

Sonicwall GVC VPN: Unable to connect to VPN. Error: “Packet length mismatch with interface MTU”

I had a client who was unable to connect to the Sonicwall VPN via GVC (Global VPN Client). Packet capture showed initial inbound traffic to the Sonicwall from Client is being dropped. Logs as below: 50 03/30/2016 14:16:06.912 X4*(i) -- VPN.CLIENT.IP.HERE SONICWALL.WAN.IP.HERE IP UDP 500,500 DROPPED 60[60] 51 03/30/2016 14:16:06.912 X4*(i) -- VPN.CLIENT.IP.HERE SONICWALL.WAN.IP.HERE IP … Continue reading Sonicwall GVC VPN: Unable to connect to VPN. Error: “Packet length mismatch with interface MTU”

Sonicwall Global VPN Client: Sonicwall GVC unable to connect through certain ISPs

In some cases, Sonicwall GVC is unable to connect to select ISPs/Networks, where it is proven working elsewhere (3G Tethering or other ISPs). Usual troubleshooting and things to look at is if VPN IPSec Passthrough is enabled on the home modem or router. There is another troubleshooting step that is worth trying, which is to … Continue reading Sonicwall Global VPN Client: Sonicwall GVC unable to connect through certain ISPs

Fortigate: How to Source NAT traffic into a VPN Tunnel

Came across an issue on FortiOS 5.4 where a connection to remote peer via an IPSEC Tunnel suddenly stopped working. (My user told me it was working in the past atleast) Setup is the internal IP needs to be NAT'd to an IP that is known to the VPN peer. So for example, 10.5.0.5 (internal) … Continue reading Fortigate: How to Source NAT traffic into a VPN Tunnel

Tricks: How to debug a specific IPSec VPN Tunnel on Cisco.

Let’s say you’ve got a router with well over 100 IPSec VPN peers, and you’ve got this one tunnel that just won’t form correctly. Your not sure why and want nothing more than to debug the IPSec process for this one peer but you know if you debug the isakmp or ipsec process your going … Continue reading Tricks: How to debug a specific IPSec VPN Tunnel on Cisco.

Restarting VPN Tunnels on Cisco

In some rare cases, VPN Tunnels hang-up randomly and needs to be bounced or restarted to restart the VPN Tunnel negotiate that on some cases the easiest fix on VPN Down issues Check Phase 1 Status of the Tunnel: show crypto ipsec sa Normal/UP status should show: QM_IDLE (More info on Status here) Restarting VPN … Continue reading Restarting VPN Tunnels on Cisco

How to Clear IPSec VPN Remote Peer on Cisco IOS

The following command clears the crypto sessions for a remote IKE peer. You can use context sensitive help ?to find other options. This command will also reset encap/decap counters on the show crytpo ipsec sa peer <PEER_IP_ADDRESS>  output Syntax clear crypto session remote IP_ADDRESS Example: clear crypto session remote 1.1.1.1

Troubleshooting Cisco VPN Phase 1

Problem Site to Site VPN’s either work faultlessly straight away, or involve head scratching and a call to Cisco TAC, or someone like me to come and take a look. If I’m honest, the simplest and best answer to the problem is “Remove the Tunnel from both ends and put it back again”. Just about every VPN tunnel … Continue reading Troubleshooting Cisco VPN Phase 1

Useful Cisco Site-to-Site VPN Phase 1 and 2 Status Troubleshooting Commands

One way is to display it with the specific peer ip. Check Phase 1 Tunnel ASA#show crypto isakmp sa detail | b [peer IP add] Check Phase 2 Tunnel ASA#show crypto ipsec sa peer [peer IP add] Display the PSK ASA#more system:running-config | b tunnel-group [peer IP add] Display Uptime, etc. ASA#sh vpn-sessiondb detail l2l … Continue reading Useful Cisco Site-to-Site VPN Phase 1 and 2 Status Troubleshooting Commands

DNS resolution over IPsec/SSL VPN on Fortigate

Description This article provides basic troubleshooting to follow when you are not able to access hostname over IPSec VPN tunnel or SSLVPN connection Solution   If you are not able to access resources across VPN tunnel by hostname, check following steps: (1)  Make sure to set DNS server properly when configuring SSL or IPsec VPN.  … Continue reading DNS resolution over IPsec/SSL VPN on Fortigate