andribenjul
New Member
October 12, 2023
Question

Can not establish SSL VPN connection using fortiddns

  • October 12, 2023
  • 5 replies
  • 6762 views

I have followed the tutorial at the following link https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-DDNS-for-SSL-VPN/ta-p/194137, but still cannot connect SSL VPN using DDNS.
I have followed all the exact same methods, but the error Unable to establish the VPN connection still appears. The VPN server may be unreachable.

Please give me advice, thank you.


    5 replies

    bpozdena_FTNT
    Staff
    October 12, 2023

    There are not enough visible details to give any specific answer. But just based on what can be seen in the DDNS screenshot, the IP address ends with "...87", while according to the SSL VPN settings screenshot, WAN2 is configured with IP address 192.168.1.3.

    Make sure the DNS record resolves to the correct IP address and that the IP address is reachable from the client.

    andribenjul
    New Member
    October 12, 2023

    My ISP does not provide a public IP, so I use DHCP on WAN2 and get IP 192.168.1.2.
    On DNS I create a dynamic DNS entry, enable "Use Public IP", and I get IP 180.244.161.87.
    I have also tried disabling "Use Public IP", but still cannot connect to SSL VPN using DDNS.
    In the firewall policy I set SSL TUNNEL to the internal interface; for the source I select SSLVPN_TUNNEL, the VPN user and the VPN group, and for the destination I select the internal group.
    I have also tried selecting all and the VPN group in the source section.
    I attach screenshots below; please let me know if there are screenshots of my config that you want to see in more detail.

    bpozdena_FTNT
    Staff
    October 12, 2023

    You will need to contact your ISP to make the FortiGate routable from the Internet. Either purchase a public IP or ask your ISP to DNAT the traffic to your FortiGate.

    sjoshi
    Staff
    October 12, 2023

    Dear @andribenjul,

    Please share the output of the commands below, captured at the time of the issue.

    PuTTY SSH1:
    ------------

    get vpn ssl monitor
    diagnose vpn ssl list
    diagnose firewall auth list
    dia vpn ssl statistics
    exec vpn sslvpn list
    get system status
    diag vpn ssl stat


    PuTTY SSH2:
    ------------

    diag sys flash list
    diag debug reset
    diagnose debug console timestamp en
    diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
    diag debug appl sslvpn -1
    diag debug appl fn -1
    diag debug enable

    Wait until the VPN disconnects, then disable the logs by executing:

    diag debug disable
    diag debug reset

    hbac
    Staff
    October 12, 2023

    Hi @andribenjul,

    Your domain name doesn't resolve to the correct IP. It should resolve to your public IP address, not a private IP. You can open a ticket with TAC to reset the DNS record because right now it is tied to 192.168.1.3.

    Regards,
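    The two conditions raised in this thread (the DDNS name must resolve to a public address, and that address must actually accept connections on the SSL VPN port) can be checked from the client side before opening a ticket. The script below is an added example, not code from this thread or from Fortinet; the hostname vpn.example.com is a placeholder, and the injectable resolver exists only so the logic can be exercised without DNS.

```python
import ipaddress
import socket
from typing import Callable

# Ranges that are never routable from the public Internet. A DDNS record that
# resolves into one of these means the FortiGate's WAN address is behind the
# ISP's NAT (or "Use Public IP" is off), so no remote client can reach it.
NON_ROUTABLE = {
    "private (RFC 1918)": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "carrier-grade NAT (RFC 6598)": ("100.64.0.0/10",),
}


def classify_address(ip: str) -> str:
    """Return 'public' or the name of the non-routable range containing ip."""
    addr = ipaddress.ip_address(ip)
    for label, nets in NON_ROUTABLE.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"


def check_ddns(hostname: str,
               resolver: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Resolve the DDNS name and say whether the answer can serve SSL VPN clients.
    `resolver` is injectable (assumption) so the check runs without DNS access."""
    try:
        ip = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"ip": None, "kind": "unresolved", "ok": False, "reason": str(exc)}
    kind = classify_address(ip)
    if kind == "public":
        reason = "record resolves to a public address"
    else:
        reason = f"record resolves to a {kind} address; Internet clients cannot reach it"
    return {"ip": ip, "kind": kind, "ok": kind == "public", "reason": reason}


def tcp_reachable(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """TCP connect test against the SSL VPN listener. ICMP is often filtered,
    so a failed ping alone does not prove the service is unreachable."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False
```

    A resolution landing in 192.168.0.0/16 reproduces the symptom hbac describes; a public answer that still fails `tcp_reachable` on the SSL VPN port points at the ISP-side NAT that bpozdena_FTNT mentions.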

    andribenjul
    New Member
    October 13, 2023

    Hi @hbac, thanks for the reply. It's because I had disabled "Use Public IP" in the DDNS configuration.

    I have now enabled it, and it resolves to the public IP, but the ping still gets a request timeout.

    FYI, I can do IPsec site-to-site with this DDNS, and it works normally.

    pbangari
    Staff
    October 13, 2023

    Hi,

    Please capture a debug using the commands below and share it here for checking:

    diag debug reset
    diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
    diag debug appl sslvpn -1
    diag debug appl fnbamd -1
    diag debug enable

    Wait until the VPN disconnects, then disable the logs by executing:

    diag debug disable
    diag debug reset

    gsekar
    Staff
    October 13, 2023

    Hi andribenjul,

    Make sure the DNS record resolves to the correct IP address and that the IP address is reachable from the client.

    Please capture a debug using the commands below and share it here for checking:

    diag debug reset
    diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
    diag debug appl sslvpn -1
    diag debug appl fnbamd -1
    diag debug enable

    Wait until the VPN disconnects, then disable the logs by executing:

    diag debug disable
    diag debug reset