Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
avp
Staff
Staff

Created on ‎01-21-2025 01:27 AM Edited on ‎01-21-2025 09:39 PM By Community Manager

Article Id 371477

Technical Tip: SSL VPN connected but traffic is not going out from FortiGate

Description

This article explains the scenario in which SSL VPN status shows connected, sent-out packets getting increased in the FortiClient Dashboard but proper communication is not happening. While checking from FortiGate, only incoming packets from ssl.root interface are seen. No outgoing packets are seen.

 

FortiGate-120G # diagnose sniffer packet any " host 10.10.23.254 and host 192.168.20.100" 4 0 l
interfaces=[any]
filters=[ host 10.10.23.254 and host 192.168.20.100]
2025-01-18 16:38:52.222940 ssl.root in 192.168.20.100 -> 10.10.23.254: icmp: echo request
2025-01-18 16:38:52.651925 ssl.root in 192.168.20.100 -> 10.10.23.254: icmp: echo request
2025-01-18 16:38:57.656103 ssl.root in 192.168.20.100 -> 10.10.23.254: icmp: echo request
2025-01-18 16:38:58.718683 ssl.root in 192.168.20.100 -> 10.10.23.254: icmp: echo request


Or, FortiGate will send back an ICMP unreachable message to the client's PC:

 

2025-01-18 17:01:12.944218 ssl.root in 192.168.20.100 -> 10.10.10.254: icmp: echo request
2025-01-18 17:01:12.944235 ssl.root out 172.168.17.1 -> 192.168.20.100: icmp: net 10.10.10.254 unreachable
2025-01-18 17:01:13.621157 ssl.root in 192.168.20.100 -> 10.10.10.254: icmp: echo request
2025-01-18 17:01:18.622133 ssl.root in 192.168.20.100 -> 10.10.10.254: icmp: echo request
2025-01-18 17:01:18.622153 ssl.root out 172.168.17.1 -> 192.168.20.100: icmp: net 10.10.10.254 unreachable
2025-01-18 17:01:19.630179 ssl.root in 192.168.20.100 -> 10.10.10.254: icmp: echo request

 

Where 192.168.20.100 is the SSLVPN user's IP, 10.10.23.254 is the destination IP and 172.168.17.1 is the management interface IP. 
Scope FortiGate.
Solution
  1. Check and verify whether an active policy is available in the firewall for the destination address.
  2. A proper route should be configured in FortiGate towards the destination.
  3. Even though both routes and policies are verified, there is a chance that the destination interface and ssl.root interfaces are configured in different VRFs:-

 

edit "ssl.root"
    set vdom "root"

    set vrf 10 <----- Here VRF is set to 10.
    set allowaccess ping https
    set type tunnel
    set alias "SSL VPN interface"
    set snmp-index 34
next

 

In this case, all other interfaces are in the default VRF, and ssl.root is in VRF10. This VRF can be unset for ssl.root interface so that all the  source and destination interfaces will be in the same VRF:-

 

config system interface
    edit "ssl.root"
    unset vrf
end

 

This will unset the VRF10 for ssl.root interface and then it will be in the default VRF. 

 

Related article:

Technical Tip: Virtual routing and forwarding ID configuration
503
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.