u/Fun_Efficiency6189

FortiClient EMS - VPN Auto-Connect/Always-Up stops working until manual "Connect" is clicked

I’m running FortiClient EMS 7.4.7 managing 16 production servers. All are configured with IPsec VPNs, Always-Up, and Auto-Connect enabled.

Occasionally, a tunnel drops and stays down indefinitely. The strange part is that the FortiClient service is still running and the endpoint is "Synchronized" with EMS, but it makes zero attempts to reconnect on its own.

Observations:

  • No auto-recovery: Even though Always-Up is active, the FortiGate logs show no incoming Phase 1 attempts once the tunnel is down.
  • If I log into the server and simply click the "Connect" button in the FortiClient Console, the VPN establishes immediately. No service restart or reboot is required.
  • EMS Sync doesn't help: Pushing a profile update from EMS shows as "Success" on the console, but it doesn't trigger the client to actually start the connection.

It seems like the "Auto-Connect" logic hits a specific error state and just stops trying until a user manually interacts with the GUI. Has anyone found a way to make the Auto-Connect more persistent or experienced this "silent failure" of the Always-Up flag?

u/Fun_Efficiency6189 — 22 hours ago

VPN tunnel stays down despite Always-Up and Auto-Connect (Even after EMS Profile Sync)

u/Fun_Efficiency6189 — 22 hours ago

FortiClient 7.4.6 IPsec Flapping on Windows Server 2019 (Build 17763)

Hi everyone,

I'm facing a persistent IPsec VPN stability issue on a specific Windows Server 2019 (Build 17763) instance running FortiClient 7.4.6.0891.

The Setup:

  • Endpoint: Windows Server 2019, managed via EMS.
  • VPN Config: IPsec IKEv2, Always-on, Auto-connect enabled.
  • Gateway: FortiGate (FortiOS).
  • Network: The server is behind a different WAN/Provider compared to our other stable servers.

The Problem: The tunnel stays stable for hours, then suddenly enters an infinite reconnection loop. During the loop, the FortiGate logs show Phase 1 succeeding, followed by an immediate delete_phase_sa and phase2_down.

A manual disconnect/reconnect on the client "clears" the state and it stays stable again for a while, but the issue eventually returns.

What I’ve noticed:

  • Other servers with the same OS build but on different WANs/Locations are perfectly stable.
  • The "flapping" starts exactly when a re-negotiation is triggered or after a minor network hiccup.
u/Fun_Efficiency6189 — 1 day ago
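
Added example, not part of the original posts: a small log triage script that separates the two symptoms described above, the loop where Phase 1 succeeds and is followed at once by delete_phase_sa and phase2_down, and the earlier case where a tunnel goes down and no Phase 1 attempt follows. The line layout, peer names, timestamps, thresholds and the `phase1_success` label are assumptions made for the example; only `delete_phase_sa` and `phase2_down` come from the posts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp peer=<name> event=<name>" layout.
# Real FortiGate log fields differ; "phase1_success" is an assumed label.
SAMPLE = """\
2024-05-01T10:00:00 peer=srv03 event=phase1_success
2024-05-01T10:00:01 peer=srv03 event=delete_phase_sa
2024-05-01T10:00:01 peer=srv03 event=phase2_down
2024-05-01T10:00:20 peer=srv03 event=phase1_success
2024-05-01T10:00:21 peer=srv03 event=delete_phase_sa
2024-05-01T10:00:21 peer=srv03 event=phase2_down
2024-05-01T10:00:40 peer=srv03 event=phase1_success
2024-05-01T10:00:41 peer=srv03 event=delete_phase_sa
2024-05-01T10:00:42 peer=srv03 event=phase2_down
2024-05-01T09:00:00 peer=srv07 event=phase1_success
2024-05-01T09:30:00 peer=srv07 event=phase2_down
"""
TEARDOWN = {"delete_phase_sa", "phase2_down"}

def parse(text):
    by_peer = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, peer, event = parts
        by_peer[peer.partition("=")[2]].append(
            (datetime.fromisoformat(ts), event.partition("=")[2]))
    for events in by_peer.values():
        events.sort(key=lambda e: e[0])  # oldest first
    return by_peer

def classify(events, now, teardown_within=timedelta(seconds=5),
             min_cycles=3, silent_after=timedelta(minutes=10)):
    cycles = 0
    for i, (ts, ev) in enumerate(events):
        if ev != "phase1_success":
            continue
        soon = {e for t, e in events[i + 1:] if t - ts <= teardown_within}
        cycles += TEARDOWN <= soon  # Phase 1 torn down almost immediately
    if cycles >= min_cycles:
        return "flapping"
    last_ts, last_ev = events[-1]
    if last_ev in TEARDOWN and now - last_ts >= silent_after:
        return "silent-down"  # tunnel down, no Phase 1 attempt since
    return "ok"

def report(text, now):
    return {peer: classify(ev, now) for peer, ev in parse(text).items()}
```

Cycles are counted over whatever slice of log is passed in, so feed it a bounded time window (for example the last hour) rather than the full history.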