This issue has hit two machines running windows 8.1 x64 with all updates as of Monday.
When dialing into the VPN on a specific machine, it either hangs at 98% for a long time and then fails, or it says “connected” and then immediately “disconnected.”
When it does this, event viewer logs error 633 or error 631 (it seems to toggle between the two) and error 720.
These are known good credentials, and I have used other known good credentials of my own. I have also used this user’s credentials on my own computer and it works just fine, so the issue is with the computer, not with the user account.
I can ping both the DNS name of the firewall and the IP.
We have several firewalls of Fortigate’s, ranging from a 50D to an 80D. All present the same behavior, and they are over a range of firmware versions. This leads me to suspect the issue is with the computer, not the firewall or it’s configuration. It should also be noted that some 100 other users running on 7 and 8 have no issues with this connection.
One of the computers was local, and due to the urgency of that user’s situation, we ended up nuking and paving the computer, which fixed the issue. While it is good to know this fixes it, I do not want to rampage around nuking machines just because the VPN wont connect.
On computers with this issue, if you go to device manager, you can see in the network devices there are several “WAN Miniports” and most of them have errors where the system could not load the drivers.
If you look at the settings of the adapter in network and sharing center, you can see that the properties of the fortissl is “ISDN Channel Disconnected PPoP WAN Adapter”
As per advice on this forum (I am not allowed to post links. I assure you I am not a spammer. forum.fortinetDOTcom/tm.aspx?m=99307 ) I have removed and reinstalled. I have verified the credentials, and I have disabled IPv6. No change.
As per this post here ( social.technet.microsoftDOTcom/Forums/windows/en-US/e6e8ada8-bc12-4f6f-8de3-1d3fd2ff4931/kb2585542-security-update-causing-ssl-vpn-issues ) I checked for this update. It was not installed. Also as per comments on the same thread, I disabled TLS 1.0 and rebooted with no change.
I contacted Fortigate Support. I ended up being escalated to the highest level of support engineer. At each step, they tried removing the software, resetting the TCP stack, and reinstalling. Then they would use a special tool to fully remove the Fortigate software, and once again resetting the TCP stack and reinstalling. From there they tried newer and older versions of the software. All no change.
They provided me with a tool called "WAN Miniport repair v2 x64" which I had already come across trawling forums, it removes all miniports completely so that you can reinstall them. This yielded no fruit both when I did it, and when the tech did it.
The final senior engineer enabled some tracing, and generated a log that can be seen here ( pastebinDOTcom/raw.php?i=Z4b8mUqh ) He mentioned this line right towards the bottom:
[4840] 02-05 13:43:37:298: Will not initialize CP 8021
He told me that this means the issue is that the PPP device is not properly binding to the TCP stack. I was informed that this is a known issue, and that the problem is on the side of Microsoft.
That was the end of the support call with Fortigate.
Other Notes: The computer is running the latest networking drivers as of this morning, straight from Dell's site.
I will fetch any information you need from me. Thank you in advance for anything you can provide.