Skip to main content
dabanjm
dabanjm
Explorer
November 9, 2025
Solved

Remote IPsec user can't access HTTP/HTTPS

  • November 9, 2025
  • 5 replies
  • 1895 views

Hi,

I have created a remote IPsec VPN for remote users. the users can connect to the VPN.

However, they can't access anything in the LAN behind the FortiGate through HTTP or HTTPS.

For example, I can SSH to the FortiGate to manage it; however, I can't access it through HTTP/HTTPS.

I don't have a route issue because I have ping/ssh to the FortiGate/LAN behind it. I don't have a Policy issue as I have allowed all the services.

Model: 401F

Version: v7.6.4.

    Best answer by dabanjm
    Update: resolved by adjusting the MTU.
    Thanks for the help, everyone.
    The issue was the MTU size. Since the FortiGate is behind a MikroTik and routing traffic through both IPsec and MPLS,  this caused packet fragmentation because the default MTU was too high for the combined encapsulation overhead.
    I fixed it by overriding the tunnel MTU:
    config system interface
    edit <IPsec interface>
        set mtu-override enable
        set mtu 1300
        next
    end
    This solved the connectivity issues immediately.
    Used AI to help summarize this troubleshooting fix - hope it helps the next person!

    5 replies

    AEK
    SuperUser
    AEK
    SuperUser
    November 9, 2025

    Hi

    Fist of all, try use "diag sniffer ..." to see if the HTTP(S) requests are reaching the FGT, and if they are forwarded by the FGT.

    Also check your client's proxy configuration. It is probably sending the HTTP(S) requests to somewhere else.

    AEK
      dabanjm
      dabanjmAuthor
      Explorer
      November 9, 2025

      Hi,

      Thank you for your response.

      I have captured the traffic before, and I can see that HTTP(S) requests are reaching the FGT, and FGT is replying (they are doing the TCP handshake); however, suddenly the FGT sends FIN.

      I don't have any issues connecting to the FGT through SSL VPN from another FGT that is connected to it.

      And the issue is not with the FGT's Management only, I have this issue with any LAN device behind the FGT I can ping, SSH, and RDP to, I just can't access them using HTTP(S).

      AEK
      SuperUser
      AEK
      SuperUser
      November 9, 2025

      Then try use the following command to check why FGT is blocking the traffic.

      diag debug flow filter addr x.x.x.x
      diag debug flow filter ...
      diag debug console timestamp enable
      diag debug flow show iprope enable
      diag debug flow show function-name enable
      diag debug flow trace start 100
      diag debug enable

      Once you run the above command, open a web page to an internal server and collect the logs.

      AEK
        ElwinBERRAR
        ElwinBERRAR
        Explorer III
        November 9, 2025

        HTTP(S) failing while SSH/RDP work often means the flow hits an inspection profile that resets incomplete TLS sessions. Check the policy for deep inspection or web filtering and verify the local-in policy isn’t blocking HTTPS on that interface.

        dabanjm
        dabanjmAuthor
        Explorer
        November 10, 2025

        I have disabled all security profiles on the rule, set the certificate inspection to 'no-inspection', and all services are allowed.

        AEK
        SuperUser
        AEK
        SuperUser
        November 10, 2025

        Please share the following:

        • show firewall local-in-policy   (from CLI)
        • show system interface portX

        Where portX is the port connected to your internal services to which you want to access (you can hide the IP).

        AEK
          dabanjm
          dabanjmAuthor
          Explorer
          November 12, 2025

          Please see the output of the requested command in the image below.

          2025-11-12 09_47_54-FortiGate - MHO-FGT-01 — Mozilla Firefox.png

          AEK
          SuperUser
          AEK
          SuperUser
          November 12, 2025

          Nothing abnormal so far.

          Can you check if you have VIPs and policy routes?

          AEK
            AEK
            SuperUser
            AEK
            SuperUser
            November 12, 2025

            The "diag debug flow" output you shared doesn't contain the first lines.

            I mean can you share what is before this line:

            2025-11-10 12:20:38 id=65308 trace_id=672 func=__iprope_check_one_policy line=2190 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
            AEK
              dabanjm
              dabanjmAuthorAnswer
              Explorer
              January 6, 2026
              Update: resolved by adjusting the MTU.
              Thanks for the help, everyone.
              The issue was the MTU size. Since the FortiGate is behind a MikroTik and routing traffic through both IPsec and MPLS,  this caused packet fragmentation because the default MTU was too high for the combined encapsulation overhead.
              I fixed it by overriding the tunnel MTU:
              config system interface
              edit <IPsec interface>
                  set mtu-override enable
                  set mtu 1300
                  next
              end
              This solved the connectivity issues immediately.
              Used AI to help summarize this troubleshooting fix - hope it helps the next person!
                AEK
                SuperUser
                AEK
                SuperUser
                January 6, 2026

                Thanks for sharing.

                AEK
                  Terms & ConditionsAccessibility statement