Description
This article describes possible causes when an SSL VPN connection fails even though the client's traffic reaches the firewall, but the firewall does not respond.
Scope
FortiGate.
Solution
Make sure no VIP or IP pool conflicts with the SSL VPN listening address. Also confirm that a firewall policy exists for the SSL VPN interface, that the authentication rule and portal mapping include the user group, and that no policy route matches the traffic.
For more details, refer to the configuration guide for SSL VPN.
Take a packet capture on the firewall and ensure the traffic is received.
In the capture below, the client sends its SYN (and retransmits it), but the firewall never responds with SYN+ACK:
2020-04-23 07:32:35.980933 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:36.980701 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:38.981467 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
Verify whether the sslvpnd process has crashed:
diag debug crashlog read
Capture a debug flow trace and verify whether the packet is being dropped. In the output below, the SYN is received and a session is allocated, but the local-in policy check fails and the packet is dropped:
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:10568->4.5.9.2:10443) from lan4. flag [S], seq 1191361412, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-000133ab"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=80000000 gw-4.5.9.2 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=420 msg="iprope_in_check() check failed on policy 0, drop"
Check whether the 'source-address-negate' option is enabled in the SSL VPN settings.
When it is enabled, every address listed under 'source-address' in the SSL VPN settings is blocked instead of allowed.
Note: Do not list the 'all' address object there with negate enabled. Doing so causes the firewall to drop every SSL VPN connection.
config vpn ssl settings
    set source-address-negate {enable | disable}
end
Check that the kernel iprope table was installed correctly, in particular that there is an iprope entry for the <SSL-VPN destination port>.
Run the following diagnostics commands on the target FortiGate:
diagnose netlink interface list <SSL listening port>
diagnose firewall iprope list 10000e
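As an added example (not part of this article or any Fortinet tool), the following Python script parses sniffer and debug flow output saved from the CLI in the formats shown above and reports the two symptoms this article walks through: client SYNs to the SSL VPN port that the firewall never answers, and packets rejected by the local-in policy check. The sample lines are constructed copies of the output above, and the listening port is assumed to be 10443.

```python
import re
from collections import defaultdict

# Constructed sample input in the format of the sniffer and debug flow
# output shown above, as it would be saved from the FortiGate CLI.
SNIFFER_LINES = [
    "2020-04-23 07:32:35.980933 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987",
    "2020-04-23 07:32:36.980701 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987",
    "2020-04-23 07:32:38.981467 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987",
]
FLOW_LINES = [
    'id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:10568->4.5.9.2:10443) from lan4. flag [S], seq 1191361412, ack 0, win 8192"',
    'id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-000133ab"',
    'id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=80000000 gw-4.5.9.2 via root"',
    'id=20085 trace_id=1 func=fw_local_in_handler line=420 msg="iprope_in_check() check failed on policy 0, drop"',
]

# One sniffer line: "<date> <time> <iface> in|out <src>.<sport> -> <dst>.<dport>: <flags...>"
SNIFF_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>.*)$")
# One debug flow line: pull trace_id, the handler function and the quoted msg.
FLOW_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*msg="(?P<msg>.*)"$')

def unanswered_syns(lines, vpn_port):
    """(client_ip, client_port) -> inbound SYNs to vpn_port with no SYN+ACK seen going out."""
    syns, answered = defaultdict(int), set()
    for m in filter(None, map(SNIFF_RE.match, lines)):
        flags = m["flags"].split()
        if m["dir"] == "in" and m["dport"] == str(vpn_port) and "syn" in flags and "ack" not in flags:
            syns[(m["src"], m["sport"])] += 1          # client SYN (count > 1 = retransmits)
        elif m["dir"] == "out" and m["sport"] == str(vpn_port) and "syn" in flags and "ack" in flags:
            answered.add((m["dst"], m["dport"]))       # firewall replied with SYN+ACK
    return {k: v for k, v in syns.items() if k not in answered}

def local_in_drops(lines):
    """trace_id -> drop message for each trace rejected by the local-in policy check."""
    return {m["tid"]: m["msg"] for m in map(FLOW_RE.search, lines)
            if m and m["func"] == "fw_local_in_handler" and m["msg"].endswith("drop")}

def diagnose(sniffer_lines, flow_lines, vpn_port):
    """Findings that point at the next checks in this article (crashlog, negate, iprope)."""
    findings = []
    for (ip, port), n in unanswered_syns(sniffer_lines, vpn_port).items():
        findings.append(f"{n} unanswered SYN(s) from {ip}:{port} to port {vpn_port}: "
                        "firewall is not replying; check the crashlog and run a debug flow")
    for tid, msg in local_in_drops(flow_lines).items():
        findings.append(f"trace {tid}: local-in drop ({msg}); check source-address-negate "
                        "and the iprope entry for the SSL VPN port")
    return findings
```

Run `diagnose(SNIFFER_LINES, FLOW_LINES, 10443)` on the saved output; an empty list means neither symptom is present in the files.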
Related articles:
VPN SSL settings - FortiGate CLI reference.
Troubleshooting Tip: SSL VPN Troubleshooting
Technical Tip: FortiGate SSL VPN best practices guide
Technical Tip: SSL VPN with external DHCP Server
Troubleshooting Tip: Error 'SSL-VPN slow file transfer issue'
Troubleshooting Tip: Checking maximum number of SSL VPN users using ‘diagnose vpn ssl statistics’
Technical Tip: FortiGate IPSec VPN Resource List
Technical Tip: FortiGate Resource Lists
Copyright 2024 Fortinet, Inc. All Rights Reserved.