FortiGate
kgeorge
Staff
Article Id 396749
Description

This article describes how to diagnose and troubleshoot issues related to accessing the Internal Server through ZTNA Access Proxy.

Scope

FortiSASE and FortiGate.

Solution

When a FortiClient endpoint accesses an internal server hosted behind FortiGate through ZTNA integrated with FortiSASE, the web browser may show 'ERR_CONNECTION_TIMED_OUT' while the WAD debug shows the following entries:

[I] wad_http_req_detect_special: captive_portal detected: true
[E] wad_http_req_handle_special: spoofed HTTP request for portal.

The issue could be due to one of the following reasons:

  • The request appears to be unauthenticated or does not match the expected session parameters.
  • The session is closed after the TCP forwarding completes. This can be caused by a policy mismatch, an authentication failure, or an unexpected request pattern.
  • The FortiClient endpoint tries to access the resource before authentication is completed.

Sample output of the WAD debug:

GET /tcp?address=10.12.1.196&port=80&tls=0 HTTP/1.1
Host: x.x.x.x:8443
User-Agent: Forticlient
Accept: */*
Upgrade: tcp-forwarding/1.0
Connection: Upgrade
Cookie:
Authorization: Basic

[V][p:4810][s:295777583][r:117440524] wad_http_marker_uri :1288 path=/tcp len=4
[V][p:4810][s:295777583][r:117440524] wad_http_parse_host :1666 host_len=18
[V][p:4810][s:295777583][r:117440524] wad_http_parse_host :1702 len=13
[V][p:4810][s:295777583][r:117440524] wad_http_parse_host :1711 len=4
[I][p:4810][s:295777583][r:117440524] wad_http_str_canonicalize :2213 enc=0 path=/tcp len=4 changes=0
[I][p:4810][s:295777583][r:117440524] wad_http_str_canonicalize :2215 end=4 path=address=10.12.1.196&port=80&tls=0 len=33 changes=0
[V][p:4810][s:295777583][r:117440524] wad_http_normalize_uri :2324 host_len=13 path_len=4 query_len=33
[I][p:4810][s:295777583][r:117440524] wad_http_req_detect_special :14961 captive_portal detected: true, preflight=(null) <---------- Captive Portal is triggered
[V][p:4810][s:295777583][r:117440524] wad_saml_sso_path_check :591 Check sso path h=124.43.233.94:8443 p=/tcp node=(nil)
[I][p:4810][s:295777583][r:117440524] wad_vs_proxy_match_gwy :4178 1:CF_ZTNA_SVR: matching gwy with vhost(_def_virtual_host_)
[V][p:4810][s:295777583][r:117440524] wad_vs_proxy_match_vhost :4239 1:CF_ZTNA_SVR: matching vhost by: 124.43.233.94
[V][p:4810][s:295777583][r:117440524] wad_vs_matcher_map_find :661 Empty matcher!
[V][p:4810][s:295777583][r:117440524] wad_vs_proxy_match_vhost :4242 1:CF_ZTNA_SVR: no host matched.
[I][p:4810][s:295777583][r:117440524] wad_vs_proxy_match_gwy :4197 1:CF_ZTNA_SVR: matching gwy by (/tcp) with vhost(_def_virtual_host_).
[V][p:4810][s:295777583][r:117440524] wad_pattern_matcher_search :1207 pattern-match succ:/tcp
[I][p:4810][s:295777583][r:117440524] wad_vs_proxy_match_gwy :4215 1:CF_ZTNA_SVR: Matched gwy(3) type(tcp-fwd).
[I][p:4810][s:295777583][r:117440524] wad_http_srv_selector_static_make :1013 make static server selector.
[I][p:4810][s:295777583][r:117440524] wad_vs_gwy_tcp_dst_ovrd :3139 1:CF_ZTNA_SVR:3: req(0x7f992e6340) query(address=10.12.1.196&port=80&tls=0)
[I][p:4810][s:295777583][r:117440524] wad_vs_gwy_tcp_get_parameters :2910 1:CF_ZTNA_SVR:3: got the addr=10.12.1.196.
[I][p:4810][s:295777583][r:117440524] wad_vs_gwy_tcp_dst_ovrd :3175 1:CF_ZTNA_SVR:3: req(0x7f992e6340) found the server by matching ip(10.12.1.196).
[E][p:4810][s:295777583][r:117440524] wad_http_req_handle_special :13162 spoofed HTTP request for portal.
[V][p:4810][s:295777583][r:117440524] wad_http_clt_read_sync :1939 hs=0x7f990ee8c8 pause=(0/0x0) ret=-1 execute=wad_http_clt_read_req_line
[I][p:4810][s:295777583][r:117440524] wad_ssl_app_port_out_ops_close :17955 sp=0x7f9a3a5d88/10 closed=0 out_shutdown=0 graceful=1
[V][p:4810][s:295777583][r:117440524] wad_ssl_app_port_out_ops_sync :17756 sp=0x7f9a3a5d88/10 plain down stream state=3
[I][p:4810][s:295777583][r:117440524] wad_ssl_app_port_txn_write :17642 wsp=0x7f9a3a5d88/10 sync plain down stream len=0
[I][p:4810][s:295777583][r:117440524] wad_ssl_app_port_txn_write :17655 wsp=0x7f9a3a5d88/10 total fwded len=0, status 0
[I][p:4810][s:295777583][r:117440524] wad_http_session_free :14715 http cache session 0x7f990ee8c8 req=0x7f992e6340 close
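The failure signature above can be pulled out of a longer WAD debug capture per request id. The following Python is an added example, not Fortinet code: it parses the [level][p:][s:][r:] prefix and function name from each line and reports tcp-forwarding requests that were first tagged as captive portal traffic and then rejected as spoofed. The WAD_DEBUG sample is a constructed, abridged copy of the article's output with a second, healthy request added as a control.

```python
import re

# Constructed WAD debug excerpt, abridged from the article's sample: request
# 117440524 shows the failure signature, request 117440525 is a healthy control.
WAD_DEBUG = """\
[I][p:4810][s:295777583][r:117440524] wad_http_marker_uri :1288 path=/tcp len=4
[I][p:4810][s:295777583][r:117440524] wad_http_req_detect_special :14961 captive_portal detected: true, preflight=(null)
[I][p:4810][s:295777583][r:117440524] wad_vs_proxy_match_gwy :4215 1:CF_ZTNA_SVR: Matched gwy(3) type(tcp-fwd).
[I][p:4810][s:295777583][r:117440524] wad_vs_gwy_tcp_dst_ovrd :3139 1:CF_ZTNA_SVR:3: req(0x7f992e6340) query(address=10.12.1.196&port=80&tls=0)
[E][p:4810][s:295777583][r:117440524] wad_http_req_handle_special :13162 spoofed HTTP request for portal.
[I][p:4810][s:295777583][r:117440524] wad_http_session_free :14715 http cache session 0x7f990ee8c8 req=0x7f992e6340 close
[I][p:4810][s:295777583][r:117440525] wad_http_req_detect_special :14961 captive_portal detected: false, preflight=(null)
[I][p:4810][s:295777583][r:117440525] wad_vs_proxy_match_gwy :4215 1:CF_ZTNA_SVR: Matched gwy(3) type(tcp-fwd).
"""

# [level][p:pid][s:session][r:request] function :line message
LINE_RE = re.compile(
    r"^\[(?P<lvl>[A-Z])\]\[p:\d+\]\[s:\d+\]\[r:(?P<rid>\d+)\] (?P<fn>\S+) :\d+ (?P<msg>.*)$")
QUERY_RE = re.compile(r"query\(address=([^&)]+)&port=(\d+)")


def find_portal_collisions(debug_text):
    """Map request id -> 'address:port' for tcp-forwarding requests that WAD first
    tagged as captive-portal traffic and then rejected as a spoofed portal request.
    That sequence is the article's signature of a captive-portal port clash."""
    reqs = {}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or non-WAD line; ignore
        r = reqs.setdefault(m["rid"], {"portal": False, "spoofed": False,
                                       "tcp_fwd": False, "target": None})
        fn, msg = m["fn"], m["msg"]
        if fn == "wad_http_req_detect_special" and "captive_portal detected: true" in msg:
            r["portal"] = True
        elif fn == "wad_http_req_handle_special" and "spoofed HTTP request" in msg:
            r["spoofed"] = True
        elif fn == "wad_vs_proxy_match_gwy" and "type(tcp-fwd)" in msg:
            r["tcp_fwd"] = True
        elif fn == "wad_vs_gwy_tcp_dst_ovrd":
            q = QUERY_RE.search(msg)
            if q:
                r["target"] = f"{q.group(1)}:{q.group(2)}"
    return {rid: r["target"] for rid, r in reqs.items()
            if r["portal"] and r["spoofed"] and r["tcp_fwd"]}
```

Run it over the output of `diagnose wad debug` saved to a file; a non-empty result lists the internal targets whose tcp-forwarding requests were swallowed by the captive portal check.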

 

The most likely cause is a port conflict between the ZTNA server (access-proxy VIP) and the captive portal configured under Authentication Settings: when both listen on the same port, the tcp-forwarding request is detected as captive portal traffic, as seen in the debug output above.

To fix the issue, change the captive portal port under Authentication Settings so that it no longer matches the ZTNA server's external port. The default captive portal port is 7830. The following sample output shows a ZTNA server and authentication settings configured with the same port number:

config firewall vip
    edit "CF_ZTNA_SVR"
        set type access-proxy
        set extip x.x.x.x
        set extintf "wan2"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end

config authentication setting
    set active-auth-scheme "ZTNA_AUTH_SCH"
    set captive-portal-type ip
    set captive-portal-ip x.x.x.x
    set captive-portal-port 8443    <------ same port as the ZTNA server extport
end
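A quick configuration check for this conflict, as an added example rather than a Fortinet tool: it parses the text of `config firewall vip` and `config authentication setting` (for instance pasted from `show full-configuration`), and lists every access-proxy VIP whose extport equals the captive portal port, falling back to the default 7830 when the port is not set. SAMPLE_CONFIG is constructed from the article's fragments with RFC 5737 documentation addresses.

```python
import re

# Constructed sample modelled on the article's two CLI fragments (RFC 5737 addresses).
SAMPLE_CONFIG = """config firewall vip
    edit "CF_ZTNA_SVR"
        set type access-proxy
        set extip 203.0.113.10
        set extport 8443
    next
    edit "PLAIN_DNAT"
        set extip 203.0.113.11
        set extport 8443
    next
end
config authentication setting
    set captive-portal-ip 203.0.113.10
    set captive-portal-port 8443
end"""
CAPTIVE_PORTAL_DEFAULT_PORT = 7830  # FortiOS default quoted in the article


def parse_vips(config_text):
    """Return {name: {setting: value}} for each entry under 'config firewall vip'."""
    vips, name, in_vip = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_vip = True
        elif in_vip and line == "end":
            in_vip = False
        elif in_vip and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            vips[name] = {}
        elif in_vip and name and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            vips[name][key] = value.strip().strip('"')
        elif line == "next":
            name = None
    return vips


def captive_portal_port(config_text):
    """Port from 'set captive-portal-port N', or the FortiOS default when unset."""
    m = re.search(r"^\s*set captive-portal-port (\d+)\s*$", config_text, re.M)
    return int(m.group(1)) if m else CAPTIVE_PORTAL_DEFAULT_PORT


def find_port_conflicts(config_text):
    """Access-proxy VIPs whose extport equals the captive portal port (plain DNAT VIPs ignored)."""
    port = str(captive_portal_port(config_text))
    return sorted(n for n, s in parse_vips(config_text).items()
                  if s.get("type") == "access-proxy" and s.get("extport") == port)
```

Only `type access-proxy` VIPs are reported because those are the ZTNA servers handled by WAD; a plain DNAT VIP on the same port is not the condition this article describes.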
