Support Forum
bobm
New Contributor III

Local Users unable to Connect

We're running a 90D with 5.0 FW.  All users are local, and prompted to log in daily.  In the past several months, various users are randomly unable to connect.  When they open their browser (both IE and Firefox), instead of a prompt or even Cert Error, they just receive generic "can't connect to the website" errors from their browser. They can connect to White List sites, but going to any sites that are part of Web Filtering the traffic just gets blocked. I can connect to the FG GUI and even log in using my credentials, but no traffic passes through except to White List websites.  Sometimes it resolves itself over a few minutes, sometimes a reboot of the PC helps, other times I have to assign a static IP that is configured to bypass the login altogether.
Has anyone come across this?  Thanks

emnoc
Esteemed Contributor III

You should use diag debug flow as a first diagnostic and to ensure you're hitting the policies that you think you're hitting.

PCNSE
NSE
StrongSwan
ede_pfau

Please check that in case the Fortiguard servers are unavailable the Web Filter will pass "uncategorized" sites and not block them (which is the default). You find the checkbox for this in the WF setup.
IMHO you should also upgrade to v5.0.12 from any older version. This one is really stable. Upgrading will most probably not solve your issue but it might prevent other issues.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
bobm
New Contributor III

I will try to schedule a FW update soon.  We're on build 9 right now. 
As far as other testing, the issue that confuses me is that it's not a universal problem. On any given day, out of about 40 users, 38 or 39 will be able to connect without a problem and be under all the correct policies.  On those days, it's just one or two random users that have issues.
It's not that they are being blocked from certain sites, it's that the login prompt is not even being given to them in the first place.  The error they are seeing is that they have no internet connection at all.

bobm
New Contributor III

So I was finally able to get some debug flow data from a PC on my bench. I've attached the results as well as a screenshot of the policies we have in place.

bobm
New Contributor III

Policies attached

rwpatterson
Valued Contributor III

As an outside thought, check your DNS servers on the FGT. If you cannot resolve the Fortiguard servers reliably (or only sporadically), you may get some funky issues.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
bobm
New Contributor III

Thanks.  I've been using Google's DNS servers.  And the strange thing is, it doesn't even get to the WAN port - the users aren't even getting the FGT login screen to get to the outside at all.  Not sure what Policy 0 is - a default policy in the code? But that seems to be what's blocking it all.
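On a FortiGate, policy ID 0 is the implicit deny policy, so a session that debug flow reports against "policy 0" matched none of the configured rules (including the identity-based policy that would have produced the login prompt). The script below is an added example, not posted by anyone in this thread and not taken from the attached debug output: it parses the general shape of diag debug flow lines (the sample lines are constructed, and the exact message wording is an assumption that varies between FortiOS builds) and lists the hosts whose traffic fell through to the implicit deny.

```python
import re

# Constructed sample lines in the general shape of FortiOS "diag debug flow" output.
# The message text is an assumption; adjust the regexes to match your firmware's wording.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=4434 msg="vd-root received a packet(proto=6, 192.168.1.25:51012->93.184.216.34:80) from internal."
id=20085 trace_id=1 func=fw_forward_handler line=669 msg="Allowed by Policy-3: AV"
id=20085 trace_id=2 func=print_pkt_detail line=4434 msg="vd-root received a packet(proto=6, 192.168.1.31:50233->93.184.216.34:80) from internal."
id=20085 trace_id=2 func=fw_forward_handler line=669 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=4434 msg="vd-root received a packet(proto=17, 192.168.1.31:53422->8.8.8.8:53) from internal."
id=20085 trace_id=3 func=fw_forward_handler line=669 msg="Allowed by Policy-1: SNAT"
"""

# First packet of a trace: protocol, source, destination and ingress interface.
PKT_RE = re.compile(r'trace_id=(\d+) .*?\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
# Policy decision for the trace: either a numbered allow or the implicit deny.
ALLOW_RE = re.compile(r'trace_id=(\d+) .*?Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'trace_id=(\d+) .*?Denied by forward policy check \(policy (\d+)\)')


def parse_flow(text):
    """Group debug flow lines by trace_id and record which policy each trace matched."""
    sessions = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            tid, proto, src, dst, iface = m.groups()
            sessions[tid] = {"proto": int(proto), "src": src, "dst": dst,
                             "in": iface, "policy": None, "action": None}
            continue
        m = ALLOW_RE.search(line)
        if m:
            sessions.setdefault(m.group(1), {})
            sessions[m.group(1)].update(policy=int(m.group(2)), action="allow")
            continue
        m = DENY_RE.search(line)
        if m:
            sessions.setdefault(m.group(1), {})
            sessions[m.group(1)].update(policy=int(m.group(2)), action="deny")
    return sessions


def implicit_deny_hosts(sessions):
    """Source IPs with at least one trace that hit policy 0 (no configured rule matched)."""
    return sorted({s["src"] for s in sessions.values() if s.get("policy") == 0 and "src" in s})


if __name__ == "__main__":
    flows = parse_flow(SAMPLE_FLOW)
    for tid, s in sorted(flows.items()):
        print(tid, s["src"], "->", s["dst"], s["action"], "policy", s["policy"])
    print("hosts hitting implicit deny:", implicit_deny_hosts(flows))
```

Comparing the denied hosts against the users who never see the login prompt tells you whether the symptom is a policy-match problem on the FortiGate or something on the client side.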

bobm
New Contributor III

OK, another odd thing I've noticed - it seems to trigger if someone is on before the login policy takes effect at 8:00 am and then leaves the machine idle for a while when the policy does kick in. It happened on my machine with a static IP this morning.  I was called away a little before 8, and when I got back around 8:20 had no connection.  Had to power down and wait a few minutes, and when I rebooted got back through the network. 
While it was out I was able to ping the LAN port and connect to the web GUI, but pings and tracert to either of the WAN ports just timed out.
