Troubleshooting Note: Error message 'Destination address of Split Tunneling policy is invalid'
Description
In FortiOS firmware version 4.0 MR3 and v5.0, the following message may appear during the SSL VPN tunnel mode configuration on a FortiGate unit:
"Destination address of Split Tunneling policy is invalid"
Scope
Article valid from FortiOS firmware version 4.0 MR3 until FortiOS firmware version 5.0.x.
Solution
The root cause of this error message is that the SSL-VPN firewall policy cannot be left with Destination Address = ALL when tunnel mode is used with split tunneling enabled.
The Destination Address must be defined with the appropriate subnet located behind the destination interface.
Example:
config firewall address
    edit "dmz_network"
        set associated-interface "dmz"
        set subnet 172.16.31.0 255.255.255.0
    next
end
config firewall policy
    edit 30
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz_network"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
        set groups "vpn_users_tunnel"
    next
end
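To find policies that will trigger this error before split tunneling is enabled, a configuration backup can be checked offline. The following is an added example, not Fortinet code: the function names and the sample configuration (including policy 31) are constructed for illustration, and the script does not check whether split tunneling is actually enabled on the portal.

```python
import shlex
# Constructed sample in the article's style; policy 31 is hypothetical.
SAMPLE_CONFIG = '''
config firewall policy
    edit 30
        set dstaddr "dmz_network"
        set action ssl-vpn
    next
    edit 31
        set dstaddr "all"
        set action ssl-vpn
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} from 'config firewall policy'."""
    policies, stack, current = {}, [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as "dmz_network"
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "end":
            if stack:
                stack.pop()
        elif stack == ["firewall policy"]:  # ignore nested sub-tables
            if tokens[0] == "edit" and len(tokens) > 1:
                current = policies.setdefault(tokens[1], {})
            elif tokens[0] == "next":
                current = None
            elif tokens[0] == "set" and current is not None and len(tokens) > 1:
                current[tokens[1]] = tokens[2:]
    return policies

def find_all_destination_sslvpn(text):
    """IDs of ssl-vpn policies whose dstaddr includes 'all'."""
    flagged = []
    for policy_id, opts in parse_policies(text).items():
        dst = [name.lower() for name in opts.get("dstaddr", [])]
        if opts.get("action") == ["ssl-vpn"] and "all" in dst:
            flagged.append(policy_id)
    return flagged

if __name__ == "__main__":
    for policy_id in find_all_destination_sslvpn(SAMPLE_CONFIG):
        print(f"policy {policy_id}: ssl-vpn with dstaddr all")
```

Each flagged policy needs its Destination Address replaced with an address object for the subnet behind the destination interface, as in the example above.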
