H3nrikP
Visitor III
September 14, 2023
Solved

SSLVPN not working

  • September 14, 2023
  • 6 replies
  • 9051 views

Hi all

 

Have a strange problem with SSL VPN not answering. I have set it up multiple times on other systems, but only ever with a single WAN IP. The problem here, I think, is that it listens on all WAN IPs (11 WAN IPs). Everything is standard except the port (444), but the service doesn't answer. It's a FG81 running 7.2.5.

 

Best regards

 

Henrik

 

Best answer by hbac

Hi @H3nrikP

 

- Please run the following debug flow and try again:
diagnose debug disable
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter port 444
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

- Run 'diagnose debug disable' to disable the debug.

- Please also make sure you have a firewall policy configured from ssl.root to your internal network.

 

Regards,

6 replies

spoojary
Staff
September 14, 2023

It will only listen on the WAN IPs you have configured on the FGT. What happens when you connect with FortiClient (FCT)? What is the error and the percentage? That would give us more info.

H3nrikP (Author)
Visitor III
September 14, 2023

Hi there

 

No error message, just no answer from FortiClient or https://IP:444.

It is enabled on that port, but as you can see in the list, it listens on all interfaces. I tried to connect to all of them.

[Attachments: Capture2.jpg, Capture1.JPG]

/Henrik

srajeswaran
Staff
September 14, 2023

Do you see the TCP SYN packet arriving at the firewall? Is the firewall sending a RST?

Can you check whether there is any local-in policy configured (config firewall local-in-policy)?

H3nrikP (Author)
Visitor III
September 14, 2023

Hi Suraj

Look in the thread, I have posted some stuff..

Regards

 

Henrik

mle2802
Staff
September 14, 2023

Hi there,

Can you please try to connect to the VPN and run the following command (where X.X.X.X is the public IP you are coming from):
diagnose sniffer packet any "host X.X.X.X and port 444" 4 0 l

Regards,
Minh


H3nrikP (Author)
Visitor III
September 14, 2023

Hi there.

 

The packets are arriving.

[Attachment: Capture1.jpg]

xshkurti
Staff
September 14, 2023

@H3nrikP 
Can you do a packet sniffer on the WAN interface, to see the communication between the host and the FortiGate (where x.x.x.x is the public IP of your client trying to connect with SSL VPN)?
diagnose sniffer packet wan1 "host x.x.x.x and port 444" 6 0 l

Another good test would be to try to access web mode on all the IPs listed under the WAN interface.

H3nrikP (Author)
Visitor III
September 14, 2023

[Attachment: Capture1.jpg]

I did try them all :)

 

Regards

 

Henrik

hbac
Staff
September 14, 2023

Hi @H3nrikP

 

We see traffic on port 444, which means the ISP forwarded it to the FortiGate. Can you make sure there is no virtual IP configured on port 444? Please also make sure "source-address-negate" is not enabled. If it is enabled, the "source-address" must not be "all". You can run the following command to check:
show full vpn ssl setting | grep source

 

Regards, 

hbac
Staff
September 14, 2023

Example output: 
Smough-kvm76 # show full vpn ssl setting | grep source
set source-interface "port1"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set auth-session-check-source-ip enable
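The two checks in this answer (source-address-negate enabled while source-address is "all", and a VIP occupying the SSL VPN port on the listening interface) can be run offline against saved CLI output. The following Python script is an added example, not code from this thread or from Fortinet. The two configuration dumps embedded in it are constructed samples that imitate the shape of 'show full vpn ssl setting' and 'show firewall vip' output; the flagging rules are the ones described above, and the VIP rule is applied conservatively (any VIP on the listen interface whose external port range covers the VPN port is reported, and a VIP without port forwarding is treated as covering every port).

```python
"""Offline check for two FortiGate SSL VPN misconfigurations.

Added example, not code from the thread or from Fortinet. Both CLI dumps
below are constructed samples imitating real output, not captures.
"""
import re

# Constructed sample of 'show full vpn ssl setting' (not a real dump).
SSL_SETTING = """
config vpn ssl settings
    set status enable
    set port 444
    set source-interface "wan1"
    set source-address "all"
    set source-address-negate enable
    set source-address6 "all"
    set source-address6-negate disable
end
"""

# Constructed sample of 'show firewall vip' (not a real dump).
VIP_CONFIG = """
config firewall vip
    edit "rdp-jump"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.5"
        set extport 444
        set mappedport 3389
    next
    edit "web-srv"
        set extip 203.0.113.11
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.6"
        set extport 8000-8100
        set mappedport 80
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')


def parse_settings(text):
    """Parse flat 'set key value' lines into a dict, stripping quotes."""
    out = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip().strip('"')
    return out


def parse_vips(text):
    """Parse 'config firewall vip' into a list of (name, settings) tuples."""
    vips, name, cur = [], None, {}
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            name, cur = m.group(1), {}
            continue
        if line.strip() == "next" and name is not None:
            vips.append((name, cur))
            name, cur = None, {}
            continue
        m = SET_RE.match(line)
        if m and name is not None:
            cur[m.group(1)] = m.group(2).strip().strip('"')
    return vips


def port_range(spec):
    """'444' -> (444, 444); '8000-8100' -> (8000, 8100)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def find_problems(ssl_text, vip_text):
    """Return human-readable findings for the two checks from the thread."""
    ssl = parse_settings(ssl_text)
    port = int(ssl.get("port", "443"))  # FortiOS default SSL VPN port
    problems = []
    # Check 1: negating "all" excludes every client address.
    if ssl.get("source-address-negate") == "enable" and ssl.get("source-address") == "all":
        problems.append('source-address-negate is enabled with source-address "all": '
                        "every client address is excluded")
    # Check 2: a VIP on the listen interface whose external ports cover the VPN port.
    listen_intf = ssl.get("source-interface")
    for name, v in parse_vips(vip_text):
        if v.get("portforward") == "enable":
            lo, hi = port_range(v.get("extport", "0"))
        else:
            lo, hi = 1, 65535  # 1:1 VIP DNATs every port of extip
        same_intf = listen_intf in (None, "any") or v.get("extintf") in (None, "any", listen_intf)
        if same_intf and lo <= port <= hi:
            problems.append(f"VIP {name!r} forwards tcp/{v.get('extport', 'all')} on "
                            f"{v.get('extintf')} ({v.get('extip')}) to {v.get('mappedip')}:"
                            f"{v.get('mappedport')}, shadowing the SSL VPN listener on port {port}")
    return problems


if __name__ == "__main__":
    for p in find_problems(SSL_SETTING, VIP_CONFIG) or ["no problems found"]:
        print(p)
```

Feed it the real output of the two show commands (copied from the CLI into the two strings) to reproduce the check against your own unit.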

ekrishnan
Staff
November 9, 2023

Hi,

A debug flow filter can also indicate whether a VIP is configured to use this port; most probably we will see an iprope check failure in the output.

(x.x.x.x is the public IP of the client)
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter port 444
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
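To read the flow trace those commands produce, the following Python script is an added example (not from this thread or from Fortinet). It groups trace lines by trace_id, pulls the source, destination and ingress interface out of the "received a packet" line, and reports per trace whether the SYN was DNATed to a VIP or dropped by a local-in check, which are the two outcomes discussed in this thread. The sample lines embedded in it are constructed to imitate the key=value / msg="..." shape of FortiOS flow output and are not a real capture; the exact function names and message wording on a real unit may differ.

```python
"""Summarise FortiGate 'diagnose debug flow' output per trace_id.

Added example, not code from the thread or from Fortinet. SAMPLE is
constructed to imitate the key=value / msg="..." shape of FortiOS flow-trace
lines; it is not a real capture. It shows three outcomes for SYNs to tcp/444:
  trace 1: DNATed by a VIP (the VIP is taking the SSL VPN port)
  trace 2: dropped by the local-in check
  trace 3: neither seen in the lines available
"""
import re

SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:51514->203.0.113.10:444) tun_id=0.0.0.0 from wan1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5994 msg="allocate a new session-00012345"
id=20085 trace_id=1 func=fw_pre_route_handler line=181 msg="VIP-10.0.0.5:3389, outdev-wan1"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3421 msg="DNAT 203.0.113.10:444->10.0.0.5:3389"
id=20085 trace_id=2 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:51515->203.0.113.11:444) tun_id=0.0.0.0 from wan1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5994 msg="allocate a new session-00012346"
id=20085 trace_id=2 func=iprope_in_check line=455 msg="in-[wan1], out-[]"
id=20085 trace_id=2 func=fw_local_in_handler line=494 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:51516->203.0.113.12:444) tun_id=0.0.0.0 from wan1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=3 func=init_ip_session_common line=5994 msg="allocate a new session-00012347"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2604 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
"""

# key=value tokens; a value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# "received a packet(proto=6, SRC->DST) ... from INTF."
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\).* from (\S+)\.')
DNAT_RE = re.compile(r'DNAT (\S+)->(\S+)')


def parse_line(line):
    """Split one flow-trace line into a dict of fields (msg without quotes)."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def summarize(text):
    """Return {trace_id: {src, dst, in_intf, verdict, detail}}."""
    traces = {}
    for line in text.splitlines():
        f = parse_line(line)
        if "trace_id" not in f:
            continue
        t = traces.setdefault(f["trace_id"], {"src": None, "dst": None, "in_intf": None,
                                               "verdict": "other", "detail": ""})
        msg = f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            t["src"], t["dst"], t["in_intf"] = m.group(2), m.group(3), m.group(4)
        m = DNAT_RE.search(msg)
        if m:
            t["verdict"], t["detail"] = "dnat-to-vip", f"{m.group(1)} -> {m.group(2)}"
        elif "check failed" in msg and "drop" in msg:
            t["verdict"], t["detail"] = "dropped-local-in", msg
    return traces


if __name__ == "__main__":
    for tid, t in sorted(summarize(SAMPLE).items(), key=lambda kv: int(kv[0])):
        print(f"trace {tid}: {t['src']} -> {t['dst']} in {t['in_intf']}: "
              f"{t['verdict']} {t['detail']}")
```

A "dnat-to-vip" verdict for a SYN to the SSL VPN port is the VIP conflict hbac asked about; "dropped-local-in" points at a local-in policy or the source-address settings; "other" means the decisive line is not among those captured and the trace should be read in full.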