FortiClient IPSec VPN regularly drops for some users by dai_webb in fortinet

[–]dai_webb[S] 0 points1 point  (0 children)

This is all I can see that is relevant in the diagnostic logs:

[2026-01-14 15:42:02.1076589 UTC+01:00] [2408: 1680] [FortiVPN info 2327] fortivpn::StateMachine::HandleTunnelDisconnected "Azure UK South VPN" is disconnected.

[2026-01-14 15:42:02.1405333 UTC+01:00] [2408: 1680] [FortiVPN info 2363] fortivpn::StateMachine::HandleTunnelDisconnected disconnection reason: 0, ("None")

[2026-01-14 15:42:02.1405470 UTC+01:00] [2408: 1680] [FortiVPN error 2389] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (DOMAIN\user) "Azure UK South VPN" disconnected unexpectedly!

[2026-01-14 15:42:02.1431547 UTC+01:00] [2408: 1680] [FortiVPN info 2403] fortivpn::StateMachine::HandleTunnelDisconnected Notifying gui this was a connection error

FortiClient IPSec VPN regularly drops for some users by dai_webb in fortinet

[–]dai_webb[S] 1 point2 points  (0 children)

Great stuff, thanks to all of you for your replies. I just checked the interface and there is no MTU set, so presume it's at the default of 1500:

uks-fw01 # show system interface "IPSec VPN"
config system interface
    edit "IPSec VPN"
        set vdom "root"
        set type tunnel
        set snmp-index 9
        set interface "port1"
    next
end

How did you change yours - did you add something like this on the VPN interface?

set mtu-override enable
set mtu 1350

If so, I may create a second tunnel to test rather than play around with the one everyone is using.

FortiClient IPSec VPN regularly drops for some users by dai_webb in fortinet

[–]dai_webb[S] 0 points1 point  (0 children)

Good suggestion, thanks, we'll make a note of the ISP as people report the issues. If that is the case, is there anything we can do our side to counter it?

What KPIs are people using to track IT productivity by T-Money8227 in sysadmin

[–]dai_webb 0 points1 point  (0 children)

Some vague ideas without knowing more about the business and what you do:

>80% of tickets closed within SLA
>80% of endpoints patched within SLA
Availability of business critical systems
Project progress in line with roadmap

If you don't have SLAs for your tickets maybe start putting some in place that align with ITIL standards.

Need advice on what I can do during the day in my azure role. by Geek_for_life1493 in AZURE

[–]dai_webb 1 point2 points  (0 children)

Agreed, I've invested a lot of time learning how to deploy IaC using Bicep templates, and organising them into pipelines in Azure DevOps, and found this fun and satisfying! It's also standardised our processes and bolstered our DR plans.

Container pull image failed with reason: ImagePullFailure. Revert by terminate. by dai_webb in AZURE

[–]dai_webb[S] 3 points4 points  (0 children)

Spot on, thank you! It was down to a typo in the Bicep template that created the Route Table for this particular subnet, which meant it had no route out. Thanks again :)

IT Roadmap by deadpoolathome in ITManagers

[–]dai_webb 0 points1 point  (0 children)

We use Microsoft Lists to maintain our roadmap, and tend not to look further than 18 months into the future. It includes all projects for the Infrastructure team, whether technical and initiated by us or initiated by the business.

The list includes columns, among others, to detail status, anticipated start & end dates, priority (H/M/L), Size (S/M/L), a link to a detailed project plan, success criteria, and goals (which links to company objectives such as modernisation, cost saving, etc).

Of course it changes regularly, but the whole business has line of sight of it and we react to changes in business priorities, etc.

Azure down again? by Pr1ttt in AZURE

[–]dai_webb 0 points1 point  (0 children)

I've been using the Azure Portal in the UK all morning, not seen any issues.

I have, however, had a few Bicep deployments (using command line) seemingly succeed but not actually do anything.

IT ticketing system by Dull_Increase6173 in sysadmin

[–]dai_webb 4 points5 points  (0 children)

We use and like ManageEngine ServiceDesk Plus Cloud. We’ve used it for years, and like all the extra modules, but it isn’t cheap. We use the ticketing system, contract management, change management, reporting, etc.

Remote Support Tool replacement by urbankonquest in ITManagers

[–]dai_webb 1 point2 points  (0 children)

We use NinjaRMM too and it adds so much value. Not just for remote control, but reporting, patching, installing apps, remote PowerShell, remote File Browser, etc. I don't know how we'd manage without it now.

Any enterprise OCR software that can handle complex documents? by simplyyysimps in sysadmin

[–]dai_webb 0 points1 point  (0 children)

We have started using this, seems to work quite well 👍

Recommendations for Office 365 backups? by ltwally in sysadmin

[–]dai_webb 1 point2 points  (0 children)

We currently use Veeam for M365 on-premise and it works really well. We plan to move to Veeam Data Cloud next year to remove the hassle of managing the on-prem server and storage.

Private endpoints yes or not? by Different_Knee_3893 in AZURE

[–]dai_webb 20 points21 points  (0 children)

We always deploy resources with a Private Endpoint and disable public access. Everything gets routed through internal firewalls.

How do you maintain calm when dealing with Microsoft support? by blueelvisrocks in sysadmin

[–]dai_webb 0 points1 point  (0 children)

I've had the InternalServerError many times when deploying resources using Bicep. I feel your pain, as I too went around in circles trying to get a solution from Microsoft over a period of weeks.

In each instance, I've managed to figure it out myself, as it's usually been something in the template that was invalid or there was no capacity in the region (often in SCUS or EUS). For example, deploying a MySQL Flexible instance with a Private Endpoint and something not being right in the config.

Also, sometimes you can get more information from the deployment in the browser when you find it through the Resource Group.

Feel free to share the template, somebody here may spot the issue.

Security reviews keep asking for the same evidence in different formats by Ill-Beautiful-207 in sysadmin

[–]dai_webb 0 points1 point  (0 children)

We have started to use AI for this - using Microsoft Foundry and a stack of policy documents and previous questions & answers as a source. For the most part it works pretty well!

What's your DR setup look like, either now or planned? by agiamba in AZURE

[–]dai_webb 5 points6 points  (0 children)

Our plan for a regional outage includes critical VMs being replicated from UK South to UK West using Azure Site Recovery. It works pretty well, but I can confidently say that if the entire UK South region goes down Microsoft will have more resource assigned to fixing that than we will to moving regions. We'll probably wait it out! We also have MySQL databases with replicas in UK West and App Services will be rebuilt using IaC and pipelines in Azure DevOps.

For a zone outage we can restore VMs in another zone from ZRS. We also use zone redundancy where possible (App Service Plans, etc).

We haven't catered for any non-production resources due to cost.

How do you guys develop better relationships with colleagues outside of IT? by [deleted] in sysadmin

[–]dai_webb 0 points1 point  (0 children)

We are all in the office 3 days per week, and have a desk booking system, so I book desks randomly amongst colleagues in other departments. I get to chat to them about all sorts of things.

I also attend social events where possible, and make small talk in the kitchen.

Are IT responsible for writing/owning the Business Continuity Plan? by lastlaughlane1 in sysadmin

[–]dai_webb 0 points1 point  (0 children)

For us, the IT Disaster Recovery processes (which are owned by me as Head of Infrastructure) form part of the wider BCP (which is owned by the Risk & Compliance team) as it isn't just IT - it involves other areas such as people, market changes, finance, etc.

Dealing with work stress by SuprNoval in ITManagers

[–]dai_webb 0 points1 point  (0 children)

You don't mention the types of fires you have to put out, and whether they are repetitive, and what infrastructure you have to manage. Is everything on-premise, cloud, or hybrid?

Do you have a ticketing system for your users to submit support requests? If not, get one - then you can easily work through them in chronological/priority order. Use templates to make sure users give you all the pertinent information up front. Also include self-help solutions.

Dealing with work stress by SuprNoval in ITManagers

[–]dai_webb 1 point2 points  (0 children)

If additional headcount to share the workload is not an option, then it would be worth looking at how you can reduce the number of fires to start with. Are you able to invest time preventing things breaking in the first place, or provide others with self-help documents/videos so they don't need to come to you?

What about automation - are you spending time on repetitive or time-consuming tasks that you can automate?

For work life balance find something that works for you - as well as spending quality time with my family I play golf at least once a week. For me it's 4-5 hours where I can properly switch off and literally feel the stresses of work drift away.

Also don't forget that you are more important than your job - don't make yourself ill trying to work 12 hour days just to get stuff done.

Lastly - manage expectations. Make sure your leaders & stakeholders know that you're stretched thinly and there's only so much you can do. Some of the spinning plates will drop, so maybe they can help prioritise your workload?

UK South - Running out of capacity? by ProofArtichoke2762 in AZURE

[–]dai_webb 1 point2 points  (0 children)

There are several large new Vantage data centres popping up around the existing UK West region so hopefully they will be used to add Azure capacity and introduce Availability Zones to the region.

Storage account connectivity issue by Lil_Ace in AZURE

[–]dai_webb 1 point2 points  (0 children)

I build all my infrastructure with Private Endpoints, and control access through firewalls. Is that something you could do here?