I've got a weird situation with two users trying to connect to their VPN. One's using Spectrum internet and the other is with T-Mobile. We just switched from Cisco AnyConnect to Fortigate, and now these users can't connect from home at all. But interestingly, if they use their phone's hotspot, it works fine. I even sent a spare laptop home with one of them, and the same VPN connection issues came up. Has anyone encountered something like this or have any ideas on how to fix it?
3 Answers
While it's not exactly blocking IPSEC, some ISPs might drop or block ESP (IP port 50) or UDP-500 (used for IKE). It's usually not intentional; some cheap devices just don't handle it well. If the Fortigate can do packet captures, check for ESP and IKE packets. The side sending packets but not receiving replies could be the issue. Power cycling the ISP equipment might help too!
5G ISPs can be tricky. T-Mobile especially has a reputation for this. I’d recommend having your T-Mobile user power off the router for 5 minutes to see if it updates from T-Mobile. If it doesn't work after that, they might need to call T-Mobile for a new gateway. I can't really help with Spectrum since I haven’t had issues with them. Also, if you’re using the free FortiClient, it might be worth getting support since you're on the Enterprise package.
It’s important to clarify whether you're using SSLVPN or IPSec, as ISPs may have security features that block perceived malicious traffic on certain ports. We've seen Comcast block SSL packets not using port 443. You might want to check the specific settings with your ISPs about any security packages in place.
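The "sending packets but not receiving replies" check from the first answer, plus the non-443 SSL VPN point from the third, as an added Python example that is not code from any poster in this thread: it tallies IKE, NAT-T, ESP and SSL VPN packets per direction from tcpdump-style lines. The capture lines, the client/gateway addresses and the 10443 port are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): IKE negotiates in both
# directions, but ESP leaves the client and never gets a reply, and an SSL VPN
# attempt goes to a non-443 port. Addresses are documentation ranges, not real.
SAMPLE_CAPTURE = """\
IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
IP 198.51.100.1.500 > 192.0.2.10.500: isakmp: parent_sa ikev2_init[R]
IP 192.0.2.10.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
IP 198.51.100.1.4500 > 192.0.2.10.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
IP 192.0.2.10 > 198.51.100.1: ESP(spi=0x0000abcd,seq=0x1), length 132
IP 192.0.2.10 > 198.51.100.1: ESP(spi=0x0000abcd,seq=0x2), length 132
IP 192.0.2.10.51822 > 198.51.100.1.10443: Flags [S], seq 1, win 64240, length 0
"""
CLIENT, GATEWAY = "192.0.2.10", "198.51.100.1"  # assumed home user / Fortigate WAN
LINE_RE = re.compile(r"IP (\S+) > (\S+): (.*)")

def split_endpoint(ep):
    """'a.b.c.d.port' -> ('a.b.c.d', port); bare address -> (address, None)."""
    parts = ep.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (ep, None)

def classify(gw_port, payload):
    """Name the VPN traffic class from the gateway-side port and tcpdump summary."""
    if payload.startswith("ESP("):
        return "ESP (IP protocol 50)"
    if gw_port == 500:
        return "IKE (UDP/500)"
    if gw_port == 4500:
        return "IKE NAT-T / ESP-in-UDP (UDP/4500)"
    if payload.startswith("Flags ["):  # TCP: treat as an SSL VPN attempt
        return "SSL VPN (TCP/443)" if gw_port == 443 else f"SSL VPN on TCP/{gw_port}"
    return None

def audit(capture, client=CLIENT, gateway=GATEWAY):
    """Per traffic class, count packets (client->gateway, gateway->client)."""
    counts = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        (src, sport), (dst, dport) = split_endpoint(m[1]), split_endpoint(m[2])
        if (src, dst) == (client, gateway):
            direction, gw_port = 0, dport
        elif (src, dst) == (gateway, client):
            direction, gw_port = 1, sport
        else:
            continue  # unrelated hosts
        cls = classify(gw_port, m[3])
        if cls:
            counts[cls][direction] += 1
    return {cls: tuple(c) for cls, c in counts.items()}

def one_way(capture, client=CLIENT, gateway=GATEWAY):
    """Classes the client sends but never hears back on: the 'sent, no reply' symptom."""
    return sorted(c for c, (s, r) in audit(capture, client, gateway).items() if s and not r)
```

Run the same audit on a capture taken at the Fortigate side; a class that is one-way from the client but absent at the gateway points at the ISP path rather than the firewall.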

We're on the Enterprise package, so I’ll reach out for support if necessary. Thanks for the tips!