Skip to main content
smxko
smxko
Visitor III
February 18, 2025
Question

First IP on SSL-VPN has no network access

  • February 18, 2025
  • 7 replies
  • 3596 views

Hi,

we use SSL-VPN with FortiClient via Entra ID SAML. We have 3 Entra groups for accessing SSL-VPN. The IP range for all clients on SSL-VPN is 192.168.15.1 - 192.168.15.254.

 

Strangely, when a clients gets the assigned the IP 192.168.15.1, FortiClient connects but there's no network access. Bytes sent / received in FortiClient is only a few kbytes. When I view the logs, I see that the Client mostly only does DNS / LDAP requests to our domain controller. But no SMB to our fileserver or whatsoever. When I try to run ICMP to the domain controller, I get a timeout. Wierdly enough, under forward logs I see "PING ACCEPT (240B / 240B) - so from FGT's perspective, it replies to the ICMP request done by 192.168.15.1.

 

I also ran Wireshark on the client and there it gets eaven crazier. When I monitor the SSL-VPN interface, I only see the ICMP reply from the domain controller to the client but not the ICMP request leaving through the SSL-VPN interface.

 

This happend on multiple devices but not on all of them, always when the .1 was assigned. That address is not used anywhere else on the network. I also checked FGT's FIB, the address is not in conflict. As a workaround, I set the assigning IP range starting from 192.168.15.2. But what could possibly be the culprit here? It might be a local problem but I already checked IP conflicts via "route print" and "Get-NetIPAddress" but the IP always was unique to the Fortinet SSL VPN Adapter.

 

 

7 replies

funkylicious
SuperUser
funkylicious
SuperUser
February 18, 2025

hi,

is the same range also set in the sslvpn portals ( source ip pools ) / firewall rules / sslvpn settings ( tunnel mode client settings > address range / automatically assign addresses ) ? maybe a typo was made in a object that is used.

 

as for the routing table, when a computer is assigned that IP can you see it with the command, get router info kernel | grep 192.168.15. as part of any block ? 

"jack of all trades, master of none"
    smxko
    smxkoAuthor
    Visitor III
    February 18, 2025

    Yep, double checked all address objects, on FGT it's all set correctly. On some clients, it is actually working even when the user is in the same SSLVPN Entra Group and gets assigned the .1. That's why I think that this isn't a configuration issue. According to FIB, the IP is bound / routed to the SSLVPN interface.

    So based on these observations, I really think this is a local problem on some clients. Are there any tools, maybe even from Fortinet to debug this?

    funkylicious
    SuperUser
    funkylicious
    SuperUser
    February 18, 2025

    are the users part of the same Entra Group as those that in the past were assigned the .1 IP and didnt work ?

    also, are you using realms/portals to separate the connection for each group or you just created a single realm, the default / , same portal and different user groups were created which reference the saml server and a different object id / group in it ?

     

    "jack of all trades, master of none"
      smxko
      smxkoAuthor
      Visitor III
      February 18, 2025

      I checked all local interfaces for conflicting IPs but there are none. Local Ethernet and WiFi adapters are getting leases from another range.

      thydenode4
      thydenode4
      Explorer II
      May 27, 2025

      What version of FortiClient and FortiOS are you using? We're getting the same issue-with the first IP in the range.

      smxko
      smxkoAuthor
      Visitor III
      May 28, 2025

      We are running FOS 7.2.11 with multiple versions of FortiClient from 7.0.7 - 7.4.3

      thydenode4
      thydenode4
      Explorer II
      June 5, 2025

      Thanks. Same for us. We've raised it to FortiNet TAC to investigate

      jangasupport
      jangasupport
      New Member
      July 25, 2025

      Was this issue ever resolved? We seem to have the same issue

      smxko
      smxkoAuthor
      Visitor III
      August 4, 2025

      Nope, not on my end. We sticked to using the workaround starting with the .2

      CBBG55
      CBBG55
      New Member
      June 13, 2025

      Same here.

      FortiOS 7.2.11 Forticlient 7.4.3 or 7.2.10

      The issue happen only on Windows 11 24H2 PC

      filiaks1
      filiaks1
      Explorer III
      August 4, 2025

      Strange maybe see if ifconfig/route print and nslookup on Windows 11 24H2 PC  and maybe upgrade the forticlient.

       

       

      Also if you have split tunnel maybe stop it just for the testing.

      ThiagoVidal
      ThiagoVidal
      New Member
      January 19, 2026

       

      Hello.

      I'm also having this problem, were you able to solve it?

      I even changed the range, setting it to start on IP 5, but the problem persists (although less frequently).

      thydenode4
      thydenode4
      Explorer II
      February 3, 2026

      The affected users moved off FortiClient altogether so didn't see this one get fixed. I recommend engaging TAC support.

      Terms & ConditionsAccessibility statement