nithincs
Staff & Editor
Article Id 193479

Description

This article describes how to allow one SSL VPN client to communicate with another SSL VPN client connected to the same FortiGate.

Solution


Create a new policy as shown below.

  • Incoming Interface: ssl.root interface.
  • Outgoing Interface: ssl.root interface.
  • Source: All or SSL VPN client range (address object) and SSL VPN user group.
  • Destination: All or SSL VPN client range.
  • Schedule: Always.
  • Service: ALL.
  • Action: accept.
  • NAT: disabled.

If split tunneling is enabled in the SSL VPN, add the SSL VPN client subnet to the routing address list of the respective SSL VPN portal so that traffic destined for other clients is sent into the tunnel.

After making the changes, test the SSL VPN client-to-client communication.
Make sure the Windows firewall on each client allows this communication.

If the issue is not resolved at this point, open a support ticket in the Fortinet support portal and attach the following:

  • The FortiGate configuration file.
  • The output of the following commands from the SSL VPN client machine.


ipconfig /all
route print
tracert <remote sslvpn client>

  • The output of the following debug commands, run on the FortiGate over an SSH session and attached to the ticket as a text file.


diagnose debug reset
diagnose debug flow filter addr x.x.x.x    <----- Replace x.x.x.x with the source SSL VPN client IP.
diagnose debug flow filter proto 1

diagnose debug flow trace start 10000
diagnose debug enable


After running the commands, initiate the ping from the client PC.


Later, disable the debug processes with the following commands:


diagnose debug reset
diagnose debug disable