kuoman
New Member
February 1, 2017
Solved

SSL VPN - PC connected via SSL VPN is not ping-able


When the PC is connected via SSL VPN, it gets an IP (i.e. 192.168.1.101). The PC can ping any device on 192.168.1.0/24; however, when I tried to ping the PC (192.168.1.101), it is not reachable. Not sure if there is some additional setting that I need to configure?

 

Remote PC (192.168.1.101)  <=> FortiGate FW <=> network elements (ie. 192.168.1.50)

 

PING from 192.168.1.101 to 192.168.1.50 works

PING from 192.168.1.50 to 192.168.1.101 is not working (unreachable)

Alby23
Answer
New Member
February 1, 2017

Have you configured a policy with Source Interface: your LAN and Destination Interface: ssl.root?

rwpatterson
New Member
February 1, 2017

Never going to work. The source and destination are on the same subnet. The FGT creates a virtual interface to connect to the LAN. If you look at the VPN monitor you will see the real IP address as well as the address the firewall is handing out to connect in. You MAY be able to ping the ssl-root IP address. I have never tried it, but you will not be able to ping the native address in this situation. This is why I stress when you create your network, don't be lazy and change the subnet on the system to anything but the default. Changing it before everyone gets set up is far easier than after you have 100 devices on it and run into an issue. (case in point)

Alby23
New Member
February 1, 2017

If the subnet is more specific than a /24 it could work, even if I think it is a /24.

If the problem is the subnet, the ssl --> lan direction should not work either, but he reports that it's working, so there are two scenarios:

 - he has applied NAT to the incoming traffic

 - the subnet is more specific

 

If the LAN and the SSL are on the same subnet, anyway, this is not a great problem.

He can easily change the address range assigned to the SSL Clients. No big deal.
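
Added example, not part of any post in this thread: a Python check of the two points the replies raise, whether the SSL VPN address range overlaps the LAN subnet, and whether a LAN host's netmask makes it treat the VPN client as on-link (so the packet never goes to the firewall) or send it via its gateway. The function names, the pool boundaries and the 10.212.134.x range are constructed for illustration; only 192.168.1.50, 192.168.1.101 and 192.168.1.0/24 come from the thread.

```python
import ipaddress


def return_path(lan_host_if: str, vpn_client: str) -> str:
    """How a LAN host delivers a packet addressed to a VPN client.

    lan_host_if: the host's address with its prefix length, e.g. '192.168.1.50/24'.
    'on-link'     -> the host resolves the address on its own segment and
                     does not hand the packet to its gateway.
    'via-gateway' -> the host forwards to its gateway, where a firewall
                     policy and route can apply.
    """
    iface = ipaddress.ip_interface(lan_host_if)
    dst = ipaddress.ip_address(vpn_client)
    return "on-link" if dst in iface.network else "via-gateway"


def pool_overlap(lan_subnet: str, pool_start: str, pool_end: str) -> list[str]:
    """Return the CIDR blocks of the VPN address range that fall inside the LAN subnet."""
    lan = ipaddress.ip_network(lan_subnet)
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    )
    return [str(b) for b in blocks if b.overlaps(lan)]


if __name__ == "__main__":
    # Addresses from the thread; the prefix lengths other than /24 are constructed
    # to illustrate the "more specific subnet" scenario.
    for host in ("192.168.1.50/24", "192.168.1.50/25", "192.168.1.50/26"):
        print(host, "->", return_path(host, "192.168.1.101"))

    # Constructed pools: one inside the LAN subnet, one in a separate range.
    for start, end in (("192.168.1.100", "192.168.1.110"),
                       ("10.212.134.200", "10.212.134.210")):
        hits = pool_overlap("192.168.1.0/24", start, end)
        print(f"{start}-{end}:", "overlaps " + ", ".join(hits) if hits else "no overlap")
```
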