Skip to main content
Bruisert
Bruisert
New Member
June 11, 2022
Question

SSL VPN over VLAN Interface on WAN

  • June 11, 2022
  • 1 reply
  • 4463 views

To connect directly to my ISP (PPPoE on Fibre) I need to use a VLAN as they need VLAN ID = 10.

 

So I created a VLAN sub interface on the WAN port, and it connects well. This is a new 61F with firmware at 7.2.0

 

Everything I need works well, however my SSL VPN will not complete the connection.

 

Using the Forticlient VPN Only I get 40% through the connection and then:

Warning. Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. .... (-5029)  The Win 10 PC this is running on has TLS 1.1, 1.2 and 1.3 running.

 

Use the web access, I can login and then try to use RDP. It starts connecting but then fails with a message of "Connection closed!"

 

Looking at "Log & Report > System Events > VPN Events" I can see the test connection opening and closing, but not the VPN tunnel opening.  (SSL-exit-error; SSL-alerts)

 

I also reviewed logs, and in summary found this: failure reason="DH lib"

 

Does the WAN config with the VLAN approach that I've set up support what I'm trying to do?  (I'm trying to avoid using the added hardware of an ISP router configured as a bridge)

Any other suggestions welcome.

1 reply

sjoshi
Staff
sjoshi
Staff
June 12, 2022

Hi Bruisert,

 

Thank you for posting to the Fortinet Community Forum.

 

As per your problem description I can understand that you are facing issue while connecting to ssl vpn and it is getting stuck at 40%

 

As you have asked "Does the WAN config with the VLAN approach that I've set up support what I'm trying to do"//
Yes, we can configured the ISP link in the vlan and call the same vlan interface in the ssl vpn settings as the server interface

 

You have got the following error
"This may be caused by a mismatch in the TLS version. .... (-5029)"

 

Please share me the below output.

 

SSH1:-
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fn -1
diag debug enable

wait till the VPN disconnect, disable the logs by executing

diag debug disable
diag debug reset

 

SSH2:-
config vpn ssl settings
get

Cross verified the following settings once as you have mentioned
"The Win 10 PC this is running on has TLS 1.1, 1.2 and 1.3 running."

 

Also please go through the link for you reference:-
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL-VPN/ta-p/211965

 

Let us know if this helps.

 

Thanks

Thanks, Salon
Bruisert
BruisertAuthor
New Member
June 13, 2022

Thanks. In seeing through the above direction I found the following:

 

  1. SSL VPN App - I still can't get the VPN app from the Windows store to work. Is this expected to work?  I use ?ice=1 at the end of the URL to ignore certificate issues, and use the custom port assigned.
  2. SSL VPN Forticlent VPN only - Yay, I got this working. Turns out the custom SSL port being used was not persisting when updated in the 'custom port' field, only when entered within the Remote Gateway URL field.  Seems I'd missed this will all the other 'noise' going on.
  3. SSL VPN Web - Still fails when trying to use RDT. Not too concerned here as I don't intend using this service.

 

Please answer point 1 above, otherwise thanks for your support and I'm good to go now.

sjoshi
Staff
sjoshi
Staff
June 13, 2022

Hi @Bruisert,

 

You can download the forticlient vpn app from your support portal.

 

Please find the link for your reference:-

https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-download-FortiClient-offline-installer/ta-p/197679

 

Thanks

 

 

Thanks, Salon
Terms & ConditionsAccessibility statement