IRCTC (Indian railway ticket booking website) Not Accessible Over FortiSASE VPN
IRCTC Website Not Accessible Over FortiSASE VPN – Akamai WAF Blocking Hosting ASN
Issue
Users connected to FortiSASE (VPN mode) are unable to access the IRCTC website. The browser displays:
“An error occurred while processing your request”
Reference #xxx (errors.edgesuite.net)
The website loads successfully when FortiSASE is disconnected.
Environment
FortiSASE in VPN mode
Full SSL inspection enabled (exception configured for IRCTC)
Egress node: Bangalore
Public ASN classification: Hosting
Destination: IRCTC
Cause
IRCTC is protected by Akamai WAF.
Akamai applies strict security controls and commonly blocks traffic originating from Hosting/Datacenter ASN IP ranges, including shared SASE/VPN egress IP pools.
Even with SSL inspection exemptions in place, traffic exiting through a Hosting ASN may be denied at the CDN/WAF layer.
This is an IP reputation classification issue, not a FortiSASE misconfiguration.
Resolution
Configure a Steering Bypass policy in FortiSASE to route IRCTC traffic outside the VPN tunnel.
Steps
1. Go to the FortiSASE Admin Portal
2. Navigate to Profiles → Traffic Steering (Steering Rules)
3. Create a new rule:
   Action: Bypass
   Destination Type: FQDN
   Add:
     irctc.co.in
     *.irctc.co.in
4. Apply the profile and reconnect FortiClient
This forces IRCTC traffic to use the local ISP instead of the FortiSASE egress node.
Validation
IRCTC loads successfully while VPN remains connected
Public IP when accessing IRCTC reflects local ISP
Other corporate traffic continues to use FortiSASE
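To tell this egress-IP block apart from other failures before and after applying the bypass, the responses captured with the VPN connected and disconnected can be compared. The sketch below is an added example, not Fortinet or Akamai code; the names Probe, edge_error and triage are hypothetical, and the sample bodies and status codes are constructed.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional

# Markers taken from the error page quoted in the Issue section.
AKAMAI_ERROR_HOST = "errors.edgesuite.net"
REFERENCE_RE = re.compile(r"Reference\s*#\s*([0-9A-Za-z.]+)")

@dataclass
class Probe:
    status: int  # HTTP status of the captured response
    body: str    # response body as saved from the browser or a client

def edge_error(body: str) -> Optional[str]:
    """Return the edge reference id if the body is the CDN error page, else None."""
    text = html.unescape(body)  # the page may encode '#', '.' and spaces as entities
    if AKAMAI_ERROR_HOST not in text:
        return None
    match = REFERENCE_RE.search(text)
    return match.group(1) if match else None

def triage(vpn: Probe, direct: Probe) -> str:
    """Classify the symptom from one capture over the VPN and one over the local ISP."""
    vpn_ref, direct_ref = edge_error(vpn.body), edge_error(direct.body)
    if vpn_ref and direct_ref:
        return "edge-error-on-both-paths"  # not tied to the egress IP; bypass will not help
    if vpn_ref and direct.status == 200:
        return "egress-ip-block"           # the pattern described here; bypass candidate
    if vpn.status == 200 and not vpn_ref:
        return "no-block"                  # expected result once the bypass is applied
    return "other-failure"                 # check DNS, SSL inspection, routing instead

# Constructed sample captures (not real responses).
SAMPLE_BLOCK = ("<html><body>An error occurred while processing your request."
                "<p>Reference&#32;&#35;0&#46;constructed&#46;1</p>"
                "<p>https://errors.edgesuite.net/0.constructed.1</p></body></html>")
SAMPLE_OK = "<html><title>constructed booking page</title></html>"

if __name__ == "__main__":
    print(triage(Probe(403, SAMPLE_BLOCK), Probe(200, SAMPLE_OK)))  # before bypass
    print(triage(Probe(200, SAMPLE_OK), Probe(200, SAMPLE_OK)))     # after bypass
```

Keep the reference id it extracts; the destination site's operator needs it to look up the denied request if the dedicated-IP route is pursued.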
Notes
Government and banking portals in India may block Hosting ASN IP ranges.
When using shared SASE egress IPs, steering bypass is a recommended workaround.
Another option is to get a dedicated IP for FortiSASE and have it whitelisted at the destination website's end.
FORTINET team - This is just my knowledge sharing post, you can validate this and post it as an article which can be useful for many.