Yngve0
New Member
January 6, 2019
Question

WEBUI over ipsec

I have a strange issue.

- Two locations (on different continents) connected via IPsec VPN.

- Both sites have FGT60D, OS 6.0.3.

- The tunnel interface has assigned IP addresses (Local/Remote) with a 255.255.255.255 subnet mask.

- The remote site has some policy-based routing, since some internet traffic must be routed via the internet connection at HQ.

Everything works fine: both site-to-site traffic and traffic from the remote site via HQ to the internet. The performance is as expected.

But the FGT web UI will not load from the remote site via the IPsec tunnel; the certificate warning occurs as normal, but after that nothing happens. I have tried different browsers (Chrome, Edge etc.) with the same result. I have done some "diag sniffer packet" sniffing and the packets seem to be routed correctly. When I RDP to a computer on the remote site I am able to connect to the web UI on the same IP that I failed to connect to from the other end. This is the same in both directions: both from the remote site to the FGT at HQ and from HQ to the FGT at the remote site.

SSH to the FortiGate works normally over IPsec.

Where could I start digging?

Y

    Toshi_Esumi
    SuperUser
    January 7, 2019

    Sounds like there are no routing issues. And assuming there is no "trusthost" issue either (allowing all or both subnets).

    Then it must be at the https level. I would enable http temporarily to see if there is any difference. Then start running Wireshark to compare packets between local access (success) and remote access over IPsec (failure) to see where/when it breaks down. If the client side is waiting for something that it can't get from the FGT, you might need to run a packet capture on the FGT side, either via GUI or CLI, then convert it to pcap.
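    Converting that FGT-side CLI capture for Wireshark, as an added example that is not part of this thread: a small Python converter from `diagnose sniffer packet ... 6` text output to a classic pcap file. It assumes verbose level 6 output (hex dump including Ethernet headers) with relative or absolute UTC timestamps; the sample capture below is constructed, not taken from either site.

```python
"""Convert FortiGate 'diagnose sniffer packet <intf> <filter> 6' text output to pcap.
Assumes (not from the thread) verbose level 6 (hex dump incl. Ethernet headers) and relative or absolute UTC timestamps."""
import re
import struct
from datetime import datetime, timezone

# Constructed sample (not a real capture): one TCP SYN towards the FGT on port 443.
SAMPLE_SNIFFER_OUTPUT = """\
2019-01-07 09:12:33.123456 port1 in 10.1.1.10.51234 -> 10.2.2.1.443: syn 1234567
0x0000\t 0009 0f09 0001 0050 5686 37e8 0800 4500\t.......PV.7...E.
0x0010\t 0034 1c46 4000 4006 0000 0a01 010a 0a02\t.4.F@.@.........
0x0020\t 0201 c812 01bb 0012 d687 0000 0000 5002\t................
0x0030\t 7210 0000 0000                         \tr.....
"""
HEADER_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+) (\S+) (in|out|--) (.+)$")
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\t([0-9a-f ]+)")

def parse_timestamp(text):
    """Absolute timestamps become epoch seconds; relative ones are used as-is."""
    if "-" in text:
        dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")
        return dt.replace(tzinfo=timezone.utc).timestamp()
    return float(text)

def parse_sniffer(text):
    """Return a list of dicts: ts, iface, dir, summary, data (raw frame bytes)."""
    packets, current = [], None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            ts, iface, direction, summary = head.groups()
            current = {"ts": parse_timestamp(ts), "iface": iface, "dir": direction,
                       "summary": summary, "data": bytearray()}
            packets.append(current)
            continue
        hexline = HEX_RE.match(line)
        if hexline and current is not None:  # hex dump lines belong to the last header
            current["data"] += bytes.fromhex(hexline.group(1).replace(" ", ""))
    return packets

def to_pcap(packets):
    """Serialise as classic pcap: magic 0xa1b2c3d4, v2.4, snaplen 65535, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        sec = int(p["ts"])
        usec = int(round((p["ts"] - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p["data"]), len(p["data"]))
        out += bytes(p["data"])
    return out
```

    Writing `to_pcap(parse_sniffer(text))` to a file gives something Wireshark opens directly, so the local and over-IPsec TLS handshakes can be compared side by side.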

    Yngve0 (Author)
    New Member
    January 7, 2019

    Thanks;

    http gives no issues, so my guess is also that it is at the https level. I will follow your suggestion, but I am considering starting with re-issuing the SSL certificates.

    Best regards

    Yngve

    emnoc
    New Member
    January 7, 2019

    What versions of TLSv1.x are you allowing? Can you test with curl against the remote site?

    curl.exe -v -k https://x.x.x.x

    Do you get the certificate and a successful TLS handshake?

    Ken Felix