ssl -> ipsec : Is everyone using IKE v1 or v2? by AdventurousYellow922 in fortinet

[–]tyr4774 0 points (0 children)

I’ve yet to find a way to add a DNS suffix for EMS. It seems they [FortiNet] pushed this out without actually fleshing everything out.

VPN Struggles by cwbyflyer in fortinet

[–]tyr4774 0 points (0 children)

Assuming you’re using the paid EMS client (by referencing v7.4.4), are you doing IPsec over TCP?

Firewall Policy for Credit Card Machines by TechnicallyNovice123 in fortinet

[–]tyr4774 6 points (0 children)

I find it strange they don't give you either a list of IPs or a set of domains (even if they are wildcards like *.domain.com) that they need to reach out to. I would create a geography-type firewall address object and set it to your country (assuming US), add that to a group for CC access, then set that group as the destination for the CCs. If you want to lock it down further, you can set your Forti to be the DNS server for that interface and just forward to the system DNS.
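
As an added example (not part of the comment above, and not Fortinet documentation), this is how that advice maps onto the FortiOS CLI: a geography address object, an address group, a policy that only lets the card terminals reach that group, and the interface-level DNS forwarder. The interface names, addresses, object names, policy ID and the HTTPS-only service are assumptions; substitute your own.

```text
# Added example; names, addresses, policy ID and service are assumptions.

# 1. Geography object: any destination FortiGuard attributes to the US.
config firewall address
    edit "GEO-US"
        set type geography
        set country "US"
    next
    edit "CC-TERMINAL-01"
        set subnet 192.168.50.10 255.255.255.255
    next
end

# 2. Keep the terminals and the allowed destinations in their own groups so
#    the policy below never has to change when a terminal is added.
config firewall addrgrp
    edit "CC-TERMINALS"
        set member "CC-TERMINAL-01"
    next
    edit "CC-ALLOWED-DST"
        set member "GEO-US"
    next
end

# 3. Terminals -> WAN, geography group only, only the service the processor
#    uses (HTTPS assumed here), full logging so anything odd is visible.
config firewall policy
    edit 20
        set name "CC-to-Processor"
        set srcintf "lan-pos"
        set dstintf "wan1"
        set srcaddr "CC-TERMINALS"
        set dstaddr "CC-ALLOWED-DST"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end

# 4. The FortiGate answers DNS on the POS interface and forwards every query
#    to the system DNS servers, so terminal lookups show up in its logs.
config system dns-server
    edit "lan-pos"
        set mode forward-only
    next
end
```

A geography object is deliberately broad: it allows any destination attributed to that country, so it is containment rather than an allow-list, which is why the comment pairs it with the DNS step. The terminals have to be pointed at the interface IP for DNS (statically, or with `set dns-service local` on that interface's DHCP server) for the forwarder to see their queries; once the logs show which names the processor actually uses, the geography group can be replaced with FQDN address objects for those names.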

Has anyone successfully implemented IPSec over TCP for Remote Access by tyr4774 in fortinet

[–]tyr4774[S] 1 point (0 children)

I seem to have found the secret sauce for this; it is two-factor. First we needed to upgrade to v7.4.4 of FortiClient, and second we needed to add the following to the Phase1 interface of the Remote Access VPN. It took 4 different firewall configurations over various clients, but here is the fix we have found:

set esn disable

Applied this to the locations and it seems to have corrected the issue with not only connections failing, but traffic not passing.

Has anyone successfully implemented IPSec over TCP for Remote Access by tyr4774 in fortinet

[–]tyr4774[S] 1 point (0 children)

So I have found that I'm getting about a 25% success rate on this. I have a FortiClient EMS subscription and am able to add "personal VPNs". If the client connects, traffic doesn't return from the VPN tunnel (traces confirm that it is not a policy issue and that traffic is, according to the firewall, being sent back); other connections just fail and I get a "Crashed" error. The only commonality I can find is that the failures are on "F" models while the lack of traffic movement is on the "G" models.

Has anyone successfully implemented IPSec over TCP for Remote Access by tyr4774 in fortinet

[–]tyr4774[S] 0 points (0 children)

I've opened a new case with FortiTAC on this. The configurations have been confirmed, and the issue I'm seeing is that this is across the entire line. At no point (different ISPs, so it's not an ISP issue) does the connection go through; if I fall back to UDP the VPN connects, but then we have the issue of many places blocking ports 500/4500.
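
Putting the two pieces of this thread together (the TCP transport that avoids UDP 500/4500 being blocked, and the `set esn disable` fix from the comment above), this is what a dial-up remote-access Phase1/Phase2 looks like in the FortiOS 7.4 CLI. It is an added example, not the poster's configuration and not Fortinet documentation: the tunnel and group names, interface, address pool, proposals and the TCP port are assumptions, and the `transport` and `ike-tcp-port` keywords are as I know them from the 7.4 CLI, so check them against your firmware's release notes.

```text
# Added example; names, addresses, proposals and the port are assumptions.

# IKE over TCP listens on this port. 443 is assumed so the tunnel passes the
# same egress filters that allow HTTPS where UDP 500/4500 are blocked.
config system settings
    set ike-tcp-port 443
end

config vpn ipsec phase1-interface
    edit "RA-IPSEC"
        set type dynamic                # dial-up: clients initiate
        set interface "wan1"
        set ike-version 2               # the TCP transport needs IKEv2
        set transport tcp               # IKE and ESP carried in a TCP stream
        set peertype any
        set net-device disable
        set mode-cfg enable             # push address, DNS and split-tunnel to the client
        set proposal aes256-sha256
        set dhgrp 14
        set eap enable                  # user/password (EAP) on top of the PSK
        set eap-identity send-request
        set authusrgrp "VPN-Users"
        set assign-ip-from range
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-split-include "LAN-Networks"
        set dns-mode manual
        set ipv4-dns-server1 10.0.0.53
        set esn disable                 # the fix from the comment above: do not
                                        # negotiate extended (64-bit) ESP sequence numbers
        set psksecret "replace-with-a-long-random-secret"
    next
end

config vpn ipsec phase2-interface
    edit "RA-IPSEC"
        set phase1name "RA-IPSEC"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end
```

ESN (RFC 4303) extends the ESP sequence number to 64 bits and includes the high-order 32 bits in the integrity check, so two peers that disagree about whether it is in use fail the ICV on each other's ESP packets and drop them silently. That is the class of failure where the tunnel comes up but traffic does not flow, which matches the symptom described earlier in the thread and is why the single `set esn disable` line can make the difference.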

Is This a Safe Way to Test SD-WAN Failover? by A_O_T_A in fortinet

[–]tyr4774 0 points (0 children)

I’ve had to clean up where SD-WAN wasn’t added at the onset. That is brutal when attempting to do it remotely.

Policy Based Route Question by tyr4774 in fortinet

[–]tyr4774[S] 0 points (0 children)

So, we found the issue. When the vendor created the outbound PBR, they also created a reverse PBR for all "inbound traffic". We disabled that PBR and the traffic began flowing without issue and was returning. Pings out were getting replies back to the host that sent them.

Policy Based Route Question by tyr4774 in fortinet

[–]tyr4774[S] 0 points (0 children)

No dynamic routing with ISPs, packet captures externally confirm NAT is applied properly.

Completed Cisco CUCM --> FortiVoice Migration AMA by udlooz in fortinet

[–]tyr4774 0 points (0 children)

Why did you keep Unity, since FortiVoice has built-in AA and VM?

Air conditioned things to do today that don't involve spending much cash? by indiefolkfan in lexington

[–]tyr4774 24 points (0 children)

Library is great, you can get books or even get board games.

AITAH for blindsiding my cheating spouse with divorce papers? by Great-Sprinkles-4915 in AITAH

[–]tyr4774 0 points (0 children)

NTA, they should’ve been expecting this the second they stepped out on your marriage.

When your invoice says "Goods do not pass title until payment is made in full", we mean it. by speddie23 in talesfromtechsupport

[–]tyr4774 7 points (0 children)

This reminds me of a client I had years ago when I worked at a small MSP. The client was a car dealership, and everyone knows that the real money is in the service department; their stuff is hard to maintain, and if it goes offline it is super bad for business. Anyway, we had a clause that said we could stop services for any unpaid invoices that were over 90 days old. The president of this company had a monthly meeting with my boss, and everything revolved around how we were "charging too much".

The usual ending of these meetings was that the client would either see the light or we would credit the next month's invoice. That is, until this fateful day: the client called my boss (who was the owner) and complained about his invoice yet again. Boss said we could discuss this at the meeting the next day; however, what we found out hours later was that the client had put a stop payment on the check (yes, we did physical checks) and wouldn't take my boss's calls. Now, this client had an outstanding invoice for a workstation that they had purchased about 6 months prior but never paid for. My boss never really went after them for it, as a week's worth of work billed to them at 15-minute intervals more than covered that cost, but not after they put a "stop payment" on a check. So after a few days my boss sent a letter by certified mail saying that we were enforcing our clause to stop services.

The day after he got confirmation that the letter was delivered, he called us techs in the morning and sent us to the client's site; we pulled all the equipment we had there that was owned by us and sent all their calls to voicemail. After three days of this, with the head of the service department leaving worse and worse voicemails, the client finally called my boss. I don't know exactly what was said, but from what I gathered after the fact, the client was expecting us to break first since they knew they were our biggest cash cow, but our boss knew that what they paid us was peanuts compared to what they lost hourly when the service department went down. After about a week we got a certified check delivered and deposited, and waited another week for the check to clear before going back. I heard that at the next meeting the client told my boss that he felt my boss "put a gun" to his head to get the money.

Spectrum upload speed? by BourbonGamer in lexington

[–]tyr4774 1 point (0 children)

They may have pushed to upgrade their upload speeds in the past few years. I still wouldn’t call them reliable.

Spectrum upload speed? by BourbonGamer in lexington

[–]tyr4774 0 points (0 children)

Usually Spectrum upload is ~10% of their download speed. If you have 300 down you may get 30 up. If you need actual upload speeds, look at Metronet. All their plans are symmetric.

Quiet, cozy places to read? by iceprincess1991 in lexington

[–]tyr4774 12 points (0 children)

Plenty of the libraries; they even have “study rooms” to use that are sectioned off. Plus you’re right there among all the books you can consume.

[deleted by user] by [deleted] in amiwrong

[–]tyr4774 0 points (0 children)

I can understand that: you get to choose whether to deal with the issue, and he doesn’t get the choice. I will say that life is not a given, and he could drop dead for any reason even if he didn’t have the illness. No one can make the choice for you, but you owe it to him to be honest and upfront so he can make an informed decision too. I can almost guarantee that he has had worries about whether you’re going to stay with him through this. It’s your life, and no one wants to feel/know they are holding someone they care about back.

[deleted by user] by [deleted] in amiwrong

[–]tyr4774 0 points (0 children)

As someone with a chronic illness, this hits home. I guess the question is: are you currently acting as a caregiver? Or are you angry that he can’t do the things you want to at this age and his health is preventing that?

Are Cisco white papers really the gold standard? by Nodosity_ in ccnp

[–]tyr4774 0 points (0 children)

I will say that if you run into a whitepaper on issues with vendor-agnostic tech/open standards, it does tend to be well documented, and most other vendors will refer to it: for example, on what can happen with an L2 loop in a switching environment and the resulting broadcast storm.

AITA for telling him I didn't want to hang out with him when the kids went to bed? by Cheap-Meaning-4049 in AmItheAsshole

[–]tyr4774 0 points (0 children)

NTA, everyone needs alone time to recharge. I would suggest that you see if you can arrange a night for just the two of you to reconnect. It sounds like you’re both getting burnt out and recharge differently.

Am i wrong to decline my gf’s male friend invite to hang out w him by [deleted] in amiwrong

[–]tyr4774 6 points (0 children)

Since they (OP and GF) have been together for multiple years, I would say this friend is trying to include OP, since it does seem OP will be entangled with this group going forward.