Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vtsonev
Staff
Staff

Created on ‎02-25-2025 02:23 AM

Article Id 378735

Technical Tip: SSID tunnel mode clients connected to Remote access VPN configured on the FortiGate, cannot access internal resources

Description This article describes that if clients are connecting to tunnel mode SSID on the FortiGate and use VPN to connect to internal resources, then the connection won't work.
Scope FortiGate v7.4.X and v7.6.X.
Solution

When clients connect to tunnel mode SSID and then establish a dialup IPsec configured on the interface on the FortiGate, then the traffic to internal resources may not work as expected.

 

In this scenario the clients can establish the IPsec connection, however, when trying to access some resources via the tunnel, the clients won't succeed. When using diagnose commands, it's observed that the traffic is dropped by the FortiGate due to "reverse path check fail, drop" error:

 

2025-02-24 13:13:15 id=65326 trace_id=4 func=print_pkt_detail line=5873 msg="vd-root:0 received a packet(proto=1, 10.10.10.2:1->172.18.1.22:2048) tun_id=10.10.10.2
from Guest WiFi. type=8, code=0, id=1, seq=43."
2025-02-24 13:13:15 id=65326 trace_id=4 func=ipsec_spoofed4 line=245 msg="src ip 10.10.10.2 match selector 0 range 10.10.10.2-10.10.10.2"
2025-02-24 13:13:15 id=65326 trace_id=4 func=init_ip_session_common line=6062 msg="allocate a new session-0016c8ab"
2025-02-24 13:13:15 id=65326 trace_id=4 func=iprope_dnat_check line=5472 msg="in-[Guest WiFi], out-[]"
2025-02-24 13:13:15 id=65326 trace_id=4 func=iprope_dnat_tree_check line=834 msg="len=0"
2025-02-24 13:13:15 id=65326 trace_id=4 func=iprope_dnat_check line=5497 msg="result: skb_flags-02800008, vid-0, ret-no-match, act-accept, flag-00000000"
2025-02-24 13:13:15 id=65326 trace_id=4 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
2025-02-24 13:13:15 id=65326 trace_id=4 func=ip_session_handle_no_dst line=6148 msg="trace"

 

Configuration example:

 

config system interface

    edit "Guest WiFi"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set type vap-switch
        set device-identification enable
        set role lan
        set snmp-index 18
        set ip-managed-by-fortiipam disable

    next

        edit "Remote User VPN"
            set vdom "root"
            set type tunnel
            set snmp-index 21
            set interface "wan1"
        next

 

config wireless-controller vap
    edit "Guest WiFi"
        set ssid "Guest WiFi"
        set passphrase ENC XXX
        set schedule "always"
    next

 

config vpn ipsec phase1-interface
    edit "Remote User VPN"
        set type dynamic
        set interface "wan1"
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-sha1
        set comments "Remote User VPN "
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "usergroup"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.11
        set dns-mode auto
        set ipv4-split-include "Remote User VPN_split"
        set psksecret ENC XXXXX
    next
end

 

There is a workaround for this problem if the setting capwap-offload is set to disable. 

 

config system npu

    set capwap-offload disable

end
298
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.