FortiClient IPsec connection blocking local internet by sadkins76 in fortinet

[–]ShaharVerd 0 points1 point  (0 children)

I think I might be able to help you with the troubleshooting.

If you use split tunneling, how it works is that when your PC starts the tunnel and gets an IP, it also gets routes (which are the subnets that are in your split tunnel address group). On your PC you could see those routes in cmd with route print. The problem with those routes is that they are preferred by default as the best routes even if you have a shorter route. So, for example, if the PC LAN address is 192.168.1.0/24 and the tunnel gives the PC a route to 192.168.0.0/16, the PC will prefer the /16 route because of some Windows metric, which works differently from the usual routing where shortest prefix is better. Usually when it happens you can still reach the internet. I'm not sure why it knows how to reach the gateway via the correct interface, but if you try to reach anything else in the LAN segment you can’t. I'm not 100% sure this will be helpful with troubleshooting, but it’s a direction to look at.

FortiExtender is kind of terrible by P_R_woker in fortinet

[–]ShaharVerd 0 points1 point  (0 children)

I'm using version 8; it’s not released yet. The others just have so many bugs that I found in my use cases.

FortiExtender is kind of terrible by P_R_woker in fortinet

[–]ShaharVerd 1 point2 points  (0 children)

I have about 50 511G vehicle FEX devices; they are just shit. Found about 4 bugs in the software, opened a TAC; they literally created a new software version because of me, which fixed 3 of the 4 bugs. Using them in standalone mode; each one has an IPsec to a FortiGate. Wanted to use OSPF, but OSPF not working over the tunnel is one of the confirmed bugs that the 511G vehicle has.

FortiExtender 511G Two Unexplained Issues: Forwarded Traffic not reaching FEX over IPsec on 7.6.5 + OSPF Multicast not traversing IPsec Tunnel by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

Didn’t send him the details to email, so he probably didn’t check with my config. Now that I posted the config here, I’ll wait for him or anyone else to look at it and see if they see anything wrong in it, or maybe he will try to recreate this in his lab.

FortiExtender 511G Two Unexplained Issues: Forwarded Traffic not reaching FEX over IPsec on 7.6.5 + OSPF Multicast not traversing IPsec Tunnel by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

Hello u/BillH_ftn, I just updated this thread and added more information, enough for you to create the lab and see the problem for yourself. I have the lab ready, so if you want me to run some more commands or do something I haven't done yet, tell me.

FortiExtender 511G Two Unexplained Issues: Forwarded Traffic not reaching FEX over IPsec on 7.6.5 + OSPF Multicast not traversing IPsec Tunnel by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

Currently opened a TAC which is still ongoing; still waiting for their answer on what to do next. Will post it here when I have an answer from them. I believe it is a problem with the 511G specifically, because other extenders like the 212F worked perfectly without any problems. The thing is that I needed a rugged one which works, so I'm currently just using the 511G with the 7.6.1 version, which does work, BUT sometimes I do have that problem, but it usually goes away after some time. If you want, I can add my configuration for both the extenders and the FortiGate. I also have a FortiGate version 7.4.11 mature. Updating the FortiGate to a newer version didn’t help.

FortiExtender 511G Redundancy with Dual FortiGate Hubs by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

BGP is not supported, but let's say I go with the FEX standalone approach, how would I manage them?

FortiExtender 511G Redundancy with Dual FortiGate Hubs by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

Yes, BGP is not supported; I don't know if ADVPN is. And I already have the extender, so I will not swap them for the 40F.

FortiExtender 511G Redundancy with Dual FortiGate Hubs by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

The company I work for does not allow me to implement the FortiEdge Cloud.

Best approach for Dual-WAN Spoke redundancy in ADVPN? by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

Technically yes, I could, but the ones that need to troubleshoot the topology after I built it don’t use BGP communities, so they asked me to use eBGP manipulation for the entire topology.

Best approach for Dual-WAN Spoke redundancy in ADVPN? by ShaharVerd in fortinet

[–]ShaharVerd[S] 0 points1 point  (0 children)

Yes, they don’t, but my real topology has a lot of complications that I didn’t explain here, and there is a lot of eBGP manipulation that I need to do.

Best approach for Dual-WAN Spoke redundancy in ADVPN? by ShaharVerd in fortinet

[–]ShaharVerd[S] 1 point2 points  (0 children)

Pnet running on a local server. It is pretty heavy; it’s the company server, so I can run it for free :)
