Skip to main content
LK_KT
LK_KT
New Member
July 15, 2015
Question

SSLVPN stops at 10%

  • July 15, 2015
  • 7 replies
  • 63405 views

Hi. I'm trying to fix my SSL VPN connection. It was working before. Then I was changing my config to NAT+Transparent mode. After some changes in config - VPN client couldn't connect and was stuck at 98%. I've manage to fix this by reinstalling FortiClient. After this I could connect to VPN but then had some issues with accessing internal IP of Fortigate. I tried rebooting firewall, then rebooting my computer. It didn't help and also after this I couldn't connect via VPN at all. It was dropping at 10% with error "Unable to establish the VPN connection. The VPN server may be unreachable" I've tried debugging the problem and found this: id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192" id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00002b07" id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop" id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192" id=20085 trace_id=4 func=init_ip_session_common line=4527 msg="allocate a new session-00002b08" id=20085 trace_id=4 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop" Seems like something is dropping this traffic.. func=fw_local_in_handler seems like a "Local In" policy. So I've tried adding this: config firewall local-in-policy     edit 1         set intf "port16"         set srcaddr "all"         set dstaddr "all"         set action accept         set service "SSLVPN"         set schedule "always"     next end But it doesn't work. Any suggestions? Like I said - it's strange that it stopped working because from my perspective nothing has changed regarding SSLVPN config.

7 replies

kenneth_Compres
kenneth_Compres
New Member
August 21, 2015

I am having the same problem and no luck, any ideas on this, Bty is still a problem on version 5.2.4

 

 config vpn ssl settings
 
 (settings) # show
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "VPN_range"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set groups "Security"
                set portal "full-access"
            next
        end
end
 
 (settings) #
AtiT
AtiT
New Member
August 21, 2015

Hi,

I don't know why you are creating a local-in policy. It should be created automatically.

Check the SSLVPN settings whether you have your interface enalbed under the Listen on Interface(s) setting.

After that check the Policy -> Local-In whether you can see the SSLVPN port (in my case 443) open on the selected interface - see the attached image. (I put another interface which is in UP state into the SSLVPN settings and it is visible in the local-in policy).

 

Also be sure that you have policy from ssl interface (default ssl.root) with a user group defined and also you have routing set to this interface.

 

 

vjoshi_FTNT
Staff
vjoshi_FTNT
Staff
August 24, 2015

Hello,

 

May I know the firmware version running on the device?

Do you have dual WAN scenario?

Also, do check the HTTPS management access of the same WAN interface where the SSL-VPN isn't working.

ykonstantakopoulos
ykonstantakopoulos
New Member
August 25, 2015

id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 

The above error means that that there is no firewall policy to match this traffic, so it drops by policy 0 (implicit).  You need  a wan1->ssl.root authentication policy  where you configure the usergroup..

 

config vpn ssl settings     set servercert "Fortinet_Factory"     set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"     set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"     set dns-server1 x.x.x.x     set source-interface "wan1"     set source-address "all"     set default-portal "full-access"         config authentication-rule             edit 1                 set source-interface "wan1"                 set source-address "all"                 set groups "Your SSL group"                 set portal "Your configured_SSL_Portal"                    end end

 

thx,

 

yiannis

aseques
aseques
Visitor III
February 3, 2016

ykonstantakopoulos@crypteianetworks.com wrote:

id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 

The above error means that that there is no firewall policy to match this traffic, so it drops by policy 0 (implicit).  You need  a wan1->ssl.root authentication policy  where you configure the usergroup..

 

config vpn ssl settings    set servercert "Fortinet_Factory"    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"    set dns-server1 x.x.x.x    set source-interface "wan1"    set source-address "all"    set default-portal "full-access"        config authentication-rule            edit 1                set source-interface "wan1"                set source-address "all"                set groups "Your SSL group"                set portal "Your configured_SSL_Portal"                  end end

 

thx,

 

yiannis

Thanks so much for this, just wanted to leave a note, on 5.2.5 (don't know if version specific), changing the source interface from the gui doesn't change the authentication rule, I had to edit it within the CLI.

LK_KT
LK_KTAuthor
New Member
September 29, 2015

And that is how I have it done. Still - it's not working. Stops at 10%.

Allwyn_Mascarenhas
Allwyn_Mascarenhas
New Member
September 29, 2015

I had the stopping @ 98% problem which was resolved by disabling ipv6 on my ethernet adapter on the laptop.

 

You can try that and looking at the error in the debug, is the listening interface the same as the one which has a wan -> sslvpn policy with the user? Looks like it just can't find that policy.

rwpatterson
rwpatterson
New Member
September 29, 2015

Let's see if this issue is the firewall or the client. Try connecting to [link]https://108.30.199.87:10443[/link]

 

user: test

pass: testuser

 

You won't be able to access anything. The goal is to see how far along your client gets.

 

Let us know.

LK_KT
LK_KTAuthor
New Member
October 2, 2015

It worked, no problem on my client side.

LK_KT
LK_KTAuthor
New Member
October 9, 2015

So it seems to be a problem on Firewall side. Any other ideas?

rwpatterson
rwpatterson
New Member
October 9, 2015

SSLVPN isn't very hard to configure. In tunnel mode you need a few things:

1) Address entities (can be used to configure the SSL VPN targets)

2) Static route to ssl_root with a lower distance than the default route

3) Policy from wanx/portx to inside entity

4) The users defined either locally (easiest for testing) or through a remote authentication mechanism

5) SSL VPN enabled and configured

 

The first parts are straightforward. The final piece is the one requiring the most thought.

 

Go over those and let us know how much of that is working.

Terms & ConditionsAccessibility statement