Description

This article describes that if the user cannot RDP into the PC when connected with SSL VPN, but RDP when it is on the same network, and provides troubleshooting steps for this issue.

Scope

FortiGate.

Solution

1. Check the SSL VPN setting. Make sure the user is in SSL VPN setting -> Authentication & portal mapping:

2. If it has a full access portal assigned, check in the portal if split tunneling is enabled.

3. Make sure the SSL VPN to LAN policy has a subnet in which the PC resides as the destination with service ALL or at least RDP.
4. If all the configurations are as stated, try to run the following command:

diagnose debug disable

diagnose debub flow filter saddr x.x.x.x <----- IP user is getting when connected with SSL VPN.

diagnose debug flow filter daddr x.x.x.x <-----PC IP which user is trying to RDP in.

diagnose debug flow show function-name en

diagnose debug flow trace start 999

diagnose debug en

5. If the traffic is being accepted by the SSL VPN to the LAN policy but still not able to RDP, check below, try to run the command:

diagnose sniffer packet any ‘host x.x.x.x and host y.y.y.y’ 4 0 l

Or

diagnose sniffer packet any ‘host x.x.x.x and port 3389’ 4 0 l

6. Here, x.x.x.x is the IP that the user gets when connected with VPN, y.y.y.y ,is the IP of the PC that is RDP into.
7. Check if there is a reply from the PC.
8. Check Logs & Report -> Forward traffic logs and apply a filter with source and destination addresses.
9. If there is 0 Byte in received bytes, check if the Windows firewall is enabled on the PC, disable it, and try again. Make sure there is no other firewall other than FortiGate that can block traffic. Disable if there is any other firewall and try again.

Contact TAC if there is still an issue.