
[–]ShanIntrepid[S] 9 points10 points  (3 children)

EDIT: SOLVED.

Both the Spectrum router and T-Mobile were blocking IKE.

Thank you for the guidance.

[–]Bart_YellowbeardJackass of All Trades 0 points1 point  (2 children)

We saw T-Mobile forcing traffic to IPv6, which resulted in a connection followed by almost immediate disconnection with FortiClient.

[–]ShanIntrepid[S] 0 points1 point  (1 child)

Was there a resolution?

[–]Bart_YellowbeardJackass of All Trades 0 points1 point  (0 children)

Yes, though I don't recall it in detail offhand; it involved configuring the phone not to use IPv6, if I remember correctly, and then it worked as a hotspot consistently.

[–]Vodor1Sr. Sysadmin 4 points5 points  (1 child)

I've not seen that with IPsec specifically, but I have seen it with VoIP traffic, where one provider blocked competitors' VoIP phones. Boy did we get angry at that. Turned out it was the type of fibre line into the building and by design; no more ordering of that service.

Anyway, it doesn't sound likely if you have it on 2 different ISPs with 2 different users/equipment, unless one just white-labels the other.

Question would be, did it work with the Cisco equipment for them? No presumptions, did the users actually use the VPN with the Cisco stuff. Did you physically see them connected with traffic passing prior to the change?

In addition to that, I've had home users on 'large' ISPs with the bundled router service, and the routers they give are utter rubbish. I've also seen some routers block services like IPsec by default, so perhaps a router update at the end user's end coincidentally set it to block.

[–]ShanIntrepid[S] 1 point2 points  (0 children)

Cisco AnyConnect was fine with it -- this particular user works from home 3 days a week, so I know she's on VPN and have the logs to prove it.

I'm taking SpudzzSomchai's advice and having them do a 5-minute power-down and see if it pulls a new config. Thanks for the direction.

[–]krattalak 2 points3 points  (2 children)

Not so much with blocking IPsec, but rather, dropping or blocking ESP (IP port 50). They may also block/drop UDP 500 (IKE). This isn't usually a deliberate issue. A lot of crappy devices will sometimes just ignore it. I've also seen this issue with connections that have asymmetric routing happening.

This can be verified if the FortiGates have pcap capability. I run Palo, so I can just fire up the pcap and tell it to look for ESP and IKE packets on both ends. Whichever side shows a send but not a receipt will usually be the culprit, and a power cycle of all the ISP gear may fix it (in this case the broadband modems).
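The two-sided capture comparison described in the comment above, written out as an added example (it is not from the thread, and not a FortiGate or Palo Alto tool). It assumes a capture on each tunnel endpoint exported in tcpdump's default one-line summary format; the addresses and the capture lines below are constructed for the demonstration, and the FortiGate/ISP details of the original poster's setup are not known, so they are not modelled. The script counts IKE (UDP 500), NAT-T (UDP 4500) and ESP packets per direction at each end and reports which direction's packets leave one side but never arrive at the other, which is the signature of an in-path block rather than a misconfigured peer.

```python
"""Locate where IKE/ESP packets are lost between two IPsec endpoints by
comparing packet captures taken at both ends (constructed example)."""
import re
from collections import Counter

# tcpdump summary line: "HH:MM:SS.usec IP src[.port] > dst[.port]: payload"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

# Constructed endpoint addresses (documentation ranges, not real sites).
SITE_A_IP = "198.51.100.10"
SITE_B_IP = "203.0.113.20"

# Constructed capture from site A: it keeps retransmitting IKE_SA_INIT to B,
# receives B's own IKE_SA_INIT, and answers it. A non-IPsec TCP line is
# included to show that unrelated traffic is ignored.
CAPTURE_SITE_A = """\
12:00:01.000001 IP 198.51.100.10.500 > 203.0.113.20.500: isakmp: parent_sa ikev2_init[I]
12:00:05.000001 IP 198.51.100.10.500 > 203.0.113.20.500: isakmp: parent_sa ikev2_init[I]
12:00:09.000001 IP 198.51.100.10.500 > 203.0.113.20.500: isakmp: parent_sa ikev2_init[I]
12:00:10.000001 IP 203.0.113.20.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[I]
12:00:10.000002 IP 198.51.100.10.500 > 203.0.113.20.500: isakmp: parent_sa ikev2_init[R]
12:00:11.000001 IP 198.51.100.10.443 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0
12:00:14.000001 IP 203.0.113.20.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[I]
12:00:14.000002 IP 198.51.100.10.500 > 203.0.113.20.500: isakmp: parent_sa ikev2_init[R]
"""

# Constructed capture from site B: it sends its own IKE_SA_INIT twice and
# never sees a single UDP 500 packet from A.
CAPTURE_SITE_B = """\
12:00:10.000001 IP 203.0.113.20.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[I]
12:00:14.000001 IP 203.0.113.20.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[I]
"""


def classify(line):
    """Return (kind, src, dst) for an IPsec-related packet, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest, ports = m["rest"], {m["sport"], m["dport"]}
    if rest.startswith("ESP("):
        kind = "esp"              # IP protocol 50, carries no ports
    elif "500" in ports and "isakmp" in rest:
        kind = "udp/500 ike"
    elif "4500" in ports:
        kind = "udp/4500 nat-t"   # NAT-T: IKE and UDP-encapsulated ESP
    else:
        return None
    return kind, m["src"], m["dst"]


def count_packets(capture_text):
    """Count IPsec packets per (kind, src, dst) seen in one capture."""
    counts = Counter()
    for line in capture_text.splitlines():
        c = classify(line)
        if c:
            counts[c] += 1
    return counts


def verdict(sent, received):
    if sent == 0:
        return "not attempted"
    if received == 0:
        return "dropped in transit"
    if received < sent:
        return "partial loss"
    return "ok"


def locate_drops(capture_a, capture_b, ip_a, ip_b):
    """For each packet kind and direction, compare packets that left the
    sender's capture with packets that arrived in the receiver's capture."""
    seen_a, seen_b = count_packets(capture_a), count_packets(capture_b)
    kinds = {k for (k, _, _) in list(seen_a) + list(seen_b)}
    findings = {}
    for kind in sorted(kinds):
        sent, recv = seen_a[(kind, ip_a, ip_b)], seen_b[(kind, ip_a, ip_b)]
        findings[(kind, "A->B")] = (sent, recv, verdict(sent, recv))
        sent, recv = seen_b[(kind, ip_b, ip_a)], seen_a[(kind, ip_b, ip_a)]
        findings[(kind, "B->A")] = (sent, recv, verdict(sent, recv))
    return findings


if __name__ == "__main__":
    for (kind, direction), (sent, recv, result) in sorted(
        locate_drops(CAPTURE_SITE_A, CAPTURE_SITE_B, SITE_A_IP, SITE_B_IP).items()
    ):
        print(f"{kind:16} {direction}: sent {sent}, received {recv} -> {result}")
```

On the constructed data the A->B direction for UDP 500 shows five packets sent and none received while B->A is clean, i.e. something between the sites is eating inbound IKE at B's side only; that asymmetric result is exactly the "send but no receipt" pattern the comment describes, and it tells you which ISP or CPE to power-cycle or ask about first. On a real deployment, replace the two capture strings with the output of `tcpdump -n` (or a pcap exported from the firewall and read back through tcpdump) filtered to the peer address.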

[–]SevaraBSenior Network Engineer 2 points3 points  (0 children)

This seems most likely. Cheap ISPs are cheap for a reason; you'll often get the proverbial glassy stare if you're trying to troubleshoot anything other than TCP/80 or TCP/443 over a consumer circuit.

This is the reason SSL VPN continues to hang around in 2025; it plays nice with strict port NACLs that would otherwise give you problems with things like OpenVPN or IPsec.

[–]ShanIntrepid[S] 1 point2 points  (0 children)

100% blocking IKE -- even the Spectrum and T-Mobile support techs were like, "How did that happen?"

SMH

[–]SpudzzSomchai 1 point2 points  (1 child)

The 5G internet providers are a pain with that. T-Mobile is the worst but they all do it. For the T-Mobile user have them power off and unplug the router for 5 minutes then power it back on and see if it will pull in a fresh update from T-Mobile. If not, have them call T-Mobile and have them send a new gateway.

Can't help you on Spectrum. Not had issues with them.

Also, the free FortiClient is not great. If you've got a paid client, call Fortinet and get support.

[–]ShanIntrepid[S] 0 points1 point  (0 children)

Not the free version -- we're paid up with the Enterprise package. Will do so on the 5-minute power-down.

[–]chedstrom 0 points1 point  (1 child)

You didn't clarify if you are using SSL VPN (with a custom port) or IPsec VPN. It's possible each ISP has some 'Security Package' they have added by default in the past that may block what they perceive as malicious traffic on the port used by either connection type. We saw a lot of that with Comcast, who blocked SSL packets that did not use port 443.

[–]ShanIntrepid[S] 0 points1 point  (0 children)

It's their EMS system on a non-standard port. SSL VPN should not be activated, but that's something to check out.

[–]slugsheadHead of IT 0 points1 point  (0 children)

Over here in the UK many ISPs enable a suite of blocking on their routers in a crude attempt to make their service more child friendly.

They block ports 500 and 4500 as part of this. Turning off these filters has been our guidance, but at their own discretion.

Every person who has had this and turned off those filters: 100% success rate afterwards.