Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
js2
Staff
Staff

Created on ‎04-24-2020 10:44 PM Edited on ‎11-04-2024 10:18 AM By Staff

Article Id 197908

Technical Tip: Reasons for the 'iprope_in_check() failed' error in SSL VPN

Description

 

This article describes possible causes when SSL VPN is not getting connected and when the traffic reaches the firewall, but the firewall does not respond.

 

Scope

 

FortiGate.

Solution


Make sure there is no VIP or IP pool conflicting with the VPN listening address. Additionally, confirm that there is a firewall policy associated with the SSL VPN interface configured, that the authentication/mapping is set with the user group, and that there is no policy route matching the traffic.
For more details, refer to the configuration guide for SSL VPN.

Take a packet capture on the firewall and ensure the traffic is received.
In this case, the SYN packet is sent by the client. However, the firewall does not respond with SYN+ACK.

 

2020-04-23 07:32:35.980933 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:36.980701 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:38.981467 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987

 

Verify if there was any crash observed for the SSLVPND process.

 

diag debug crashlog read

 

Capture a debug log and verify if any drop occurred.

 

id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:10568->4.5.9.2:10443) from lan4. flag [S], seq 1191361412, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-000133ab"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=80000000 gw-4.5.9.2 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=420 msg="iprope_in_check() check failed on policy 0, drop"

 

Check if there is any ‘source-address-negate’ option enabled in SSL VPN settings.
Any 'source-address' listed under SSL VPN settings will be blocked.

Note: Do not include all addresses. Doing so will cause the firewall to drop all VPN connections.

 

config vpn ssl settings

set source-address-negate {enable | disable}

 

Check the kernel iprope was installed correctly, particularly the iprope entry with <SSL-VPN destination port>.

Run the following diagnostics commands on the target FortiGate:

 

diagnose netlink interface list <SSL listeining port>

diagnose firewall iprope list 10000e

 

Related article:
VPN SSL settings - FortiGate CLI reference.

Troubleshooting Tip: SSL VPN Troubleshooting

Technical Tip: FortiGate SSL VPN best practices guide

Technical Tip: SSL VPN with external DHCP Server

Technical Tip: How to increase the SSL-VPN tunnel mode bandwidth for small model (multi SSL-VPN clie...

Troubleshooting Tip: Error 'SSL-VPN slow file transfer issue'

Troubleshooting Tip: Checking maximum number of SSL VPN users using ‘diagnose vpn ssl statistics’

Technical Tip: FortiGate IPSec VPN Resource List

Technical Tip: FortiGate Resource Lists

 

Labels:
4904
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.