Microsoft Teams and VPN IPsec dialup

Storyteller
2020/02/27 03:57:01 (permalink)
5 (1)

We have an IPsec VPN set up by the wizard for use with FortiClient.
It seems that split-tunnel is disabled. If I connect and then go to the internet, I browse through the company ISP (tested with whatismyip).
The VPN works like a charm, but we cannot make calls with MS Teams. The chat works, but not video/audio calls. I found that there are some problems with Teams. I would like to know if I can exclude the Teams connection from the tunnel using the ipv4-split-include/ipv4-split-exclude settings, or if there is any workaround.
 
[Update 20-03-02]
Using the native Windows VPN without split tunnel, Teams works, calls included. The problem is FortiClient.
 
[Update 20-03-11]
Using FortiClient on Mac it works; only Windows does not work.
 
[Update 20-03-12]
Group calls work. P2P calls do not. There's a bug in the recent version of FC. Use version 6.0.0.0067 to solve the issue. It works.
 
Regards,
Graziano.
 
post edited by Storyteller - 2020/03/12 09:34:29
#1
kevinj@leadingresponse.com
Re: Microsoft Teams and VPN IPsec dialup 2020/03/12 09:00:26 (permalink)
0
I am experiencing the same issue with Teams running through a full tunnel with Windows.  The calls will not connect.  If I disconnect the FortiClient VPN the calls function properly.  Did you ever find an answer to this issue?
#2
Storyteller
Re: Microsoft Teams and VPN IPsec dialup 2020/03/12 09:32:08 (permalink)
0
Kevin,
there's a bug in the recent version of FortiClient for W10; using macOS the issue disappears.
You can work around the issue using FC version 6.0.0.0067.
I've tested today with success and I'm doing a massive downgrade.
 
Regards,
Graziano.
 
#3
martinsrus
Re: Microsoft Teams and VPN IPsec dialup 2020/03/13 13:29:21 (permalink)
0
Same issue... Where can FC version 6.0.0.0067 be downloaded from?
#4
tarnend
Re: Microsoft Teams and VPN IPsec dialup 2020/03/19 04:49:49 (permalink)
0
Hi, what firmware version are you running on your FortiGate? We have a 1000c and are on 5.6.10 build1677 (GA), and that is the highest version we can go up to.
 
I have tested multiple versions and the error first appears in version 6.0.3.0155, as it works when using version 6.0.2.0128. We are going to log a support call with Forti regarding this major issue.
#5
kevinj@leadingresponse.com
Re: Microsoft Teams and VPN IPsec dialup 2020/03/20 11:52:25 (permalink)
0
Hi tarnend.  I'd love to know what FG Support recommends.  A downgrade for us is not possible at this time.  I am not sure if we can get around it by using a split tunnel.  I was going to test that when we hit a maintenance window.  Or switch everyone to a Windows Native setup which in testing allows Teams calls to go through.
#6
RyanF
Re: Microsoft Teams and VPN IPsec dialup 2020/03/27 14:18:13 (permalink)
5 (1)
We are having this problem as well.
 
What works.
  1. Teams meeting by using the New Teams meeting in Outlook.
  2. Clicking Meet Now in the Teams app in any Teams channel
  3. When users are NOT connected to VPN,  in a 2 person chat, clicking Video Call or Audio Call will create a call.
What does not work.
  1. When users ARE connected to VPN,  in a 2 person chat, clicking Video Call or Audio Call will signal a call to the other user, but cannot be answered
Here is an interesting workaround.
In a 2 person chat (connected over VPN), you can click "Screen Sharing" first.
Once it connects, the user can then connect audio and/or video successfully. (and optionally stop screen sharing)
#7
mark.withington
Re: Microsoft Teams and VPN IPsec dialup 2020/03/30 03:42:48 (permalink)
0
Anyone any update on this? I have logged this with Fortinet support but not having any luck with them.
#8
Eiler Jorgensen
Re: Microsoft Teams and VPN IPsec dialup 2020/04/02 08:50:31 (permalink)
0
Hi - I have the same problem with IPsec VPN. When I use SSL VPN instead, it works.
#9
3d1l
Re: Microsoft Teams and VPN IPsec dialup 2020/04/02 09:00:00 (permalink) Helpful by Gate10 2020/04/09 12:27:21
0
I had to open a case with Microsoft support for this issue and the official response is that Teams does not work with VPN unless you enable the split tunnel option, and even with split tunnel we have some users that have problems with the VPN active. This is the official article, but the Microsoft support technician told me that without split tunnel Teams is not going to work.
 
https://docs.microsoft.com/en-us/microsoftteams/upgrade-prepare-environment-prepare-network
 
VPN
VPNs provide a valuable service to many organizations. Unfortunately, they're typically not designed or configured to support real-time media. Some VPNs might also not support UDP. VPNs also introduce an extra layer of encryption on top of media traffic that's already encrypted. In addition, connectivity to the Teams service might not be efficient due to hair-pinning traffic through a VPN device. Furthermore, they aren't necessarily designed from a capacity perspective to accommodate the anticipated loads that Teams will require.
The recommendation is to provide an alternate path that bypasses the VPN for Teams traffic. This is commonly known as split-tunnel VPN. Split tunneling means that traffic for Office 365 won't traverse the VPN but will go directly to Office 365. This change will have a positive impact on quality, but also provides the secondary benefit of reducing load from the VPN devices and the organization's network.
To implement a split-tunnel, consult with your VPN vendor for the configuration details.
post edited by 3d1l - 2020/04/02 09:05:03
#10
donpinpon
Re: Microsoft Teams and VPN IPsec dialup 2020/04/07 07:46:10 (permalink)
0
The workaround of sharing the desktop first works because in that case you are creating a meeting through Microsoft public servers; as those servers are acting as a gateway, traffic doesn't go directly between VPN users and FortiClient is bypassed.
 
Any news from Fortinet support?
#11
Greg
Re: Microsoft Teams and VPN IPsec dialup 2020/04/08 01:59:50 (permalink)
0
The same issue.
Test results:
FGT200D v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
FGT200D v6.0.9 b0335 (IPS only) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
FGT200D v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT200D v6.0.9 b0335 (IPS only) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT200D v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC EMS 6.2.6 b0910: Skype - failed, Teams - failed
FGT200D v6.0.9 b0335 (IPS only) - IPSec VPN + FTC EMS 6.2.6 b0910: Skype - failed, Teams - failed
FGT200D v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC VPN 6.2.x: Skype - failed, Teams - failed
FGT200D v6.0.9 b0335 (IPS only) - IPSec VPN + FTC VPN 6.2.x: Skype - failed, Teams - failed
 
FGT30E v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
FGT30E v6.0.9 b0335 (IPS only) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
FGT30E v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT30E v6.0.9 b0335 (IPS only) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT30E v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC EMS 6.2.6 b0910: Skype - failed, Teams - failed
FGT30E v6.0.9 b0335 (IPS only) - IPSec VPN + FTC EMS 6.2.6 b0910: Skype - failed, Teams - failed
FGT30E v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC VPN 6.2.x: Skype - failed, Teams - failed
FGT30E v6.0.9 b0335 (IPS only) - IPSec VPN + FTC VPN 6.2.x: Skype - failed, Teams - failed
 
FGT30E v6.2.3 b1066 (default IPS, AV, WF) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
FGT30E v6.2.3 b1066 (IPS only) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
FGT30E v6.2.3 b1066 (default IPS, AV, WF) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT30E v6.2.3 b1066 (IPS only) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT30E v6.2.3 b1066 (default IPS, AV, WF) - IPSec VPN + FTC EMS 6.2.6 b0910: Skype - failed, Teams - failed
FGT30E v6.2.3 b1066 (IPS only) - IPSec VPN + FTC EMS 6.2.6 b0910: Skype - failed, Teams - failed
FGT30E v6.2.3 b1066 (default IPS, AV, WF) - IPSec VPN + FTC VPN 6.2.x: Skype - failed, Teams - failed
FGT30E v6.2.3 b1066 (IPS only) - IPSec VPN + FTC VPN 6.2.x: Skype - failed, Teams - failed
 
Skype and Teams work with the old version of FortiClient, 5.6.6.
Any idea how to set up FortiGate IPSec VPN and FortiClient 6.2.x without tunnel split?
 
 
#12
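An added example, not part of Greg's post: the matrix above varies four factors (FortiGate model, firmware, UTM profile, VPN client), and grouping the outcomes by each factor shows which one separates "ok" from "failed". The rows are a subset copied from the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of rows copied verbatim from the test matrix in the post above.
ROWS = """\
FGT200D v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
FGT200D v6.0.9 b0335 (IPS only) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT30E v6.0.9 b0335 (default IPS, AV, WF) - IPSec VPN + FTC EMS 6.2.6 b0910: Skype - failed, Teams - failed
FGT30E v6.0.9 b0335 (IPS only) - IPSec VPN + FTC VPN 6.2.x: Skype - failed, Teams - failed
FGT30E v6.2.3 b1066 (default IPS, AV, WF) - IPSec VPN + Native VPN Win10: Skype - ok, Teams - ok
FGT30E v6.2.3 b1066 (IPS only) - IPSec VPN + FTC 6.0.9.0277: Skype - failed, Teams - failed
"""

ROW_RE = re.compile(
    r"^(?P<model>\S+) (?P<firmware>v\S+ b\d+) \((?P<profile>[^)]+)\) - IPSec VPN \+ "
    r"(?P<client>.+?): Skype - (?P<skype>\w+), Teams - (?P<teams>\w+)$"
)
FACTORS = ("model", "firmware", "profile", "client")


def parse(text):
    """Turn each non-empty matrix line into a dict of factors and outcomes."""
    rows = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def discriminating_factors(rows, app="teams"):
    """Factors whose every value always gives one outcome, with outcomes differing."""
    found = []
    for factor in FACTORS:
        seen = defaultdict(set)          # factor value -> outcomes observed
        for row in rows:
            seen[row[factor]].add(row[app])
        consistent = all(len(o) == 1 for o in seen.values())
        distinct = len(set().union(*seen.values())) > 1
        if consistent and distinct:
            found.append(factor)
    return found


if __name__ == "__main__":
    print(discriminating_factors(parse(ROWS)))   # factor(s) that explain the failures
```

A factor listed here only correlates with the outcome in the rows tested; it narrows where to look, it does not prove the cause.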
jasonbeebe
Re: Microsoft Teams and VPN IPsec dialup 2020/04/09 09:01:27 (permalink)
0
My company is having the exact same issues.  We are using Forticlient 6.2.6.  I have logged a support case with Fortinet.  I will post if a solution is found.
#13
Greg
Re: Microsoft Teams and VPN IPsec dialup 2020/04/10 00:28:36 (permalink)
0
No solution from support. I found in FTC 6.2.3 Release Notes: "581852 Skype call does not work through FortiClient (Windows) dialup IPsec VPN". The "newest" version which works for me is 6.0.2.0128. No information from support why FTC 6.0.9 and FTC EMS 6.2.6 b0910 block Skype and Teams.
Forget about FortiClient for Windows IPSec VPN. Buggy since 6.0.3.
Workarounds:
- IPSec VPN tunnel split (I know - risky)
- Native Windows Client
- SSL VPN
So many months with no solution. Frustrating.
#14
jasonbeebe
Re: Microsoft Teams and VPN IPsec dialup 2020/04/10 08:40:04 (permalink)
0
I can second that there is no solution from support.  The response from them was:
 
This is a newly reported issue, and affects FortiClient versions 6.0.3 to 6.2.6.
The issue seems to only affect users on IPSec VPN tunnels, SSL VPN connections have no issue.

There is currently no workaround at present.
#15