Article Id 403344
Description: This article describes why an end user behind CGNAT cannot connect to SSL VPN.
Scope: FortiGate, SSL VPN.
Solution

With IPv4 address exhaustion, Carrier-Grade NAT (CGNAT) is now widely used by ISPs (such as NBN providers in Australia). CGNAT allows multiple end users to share a single public IPv4 address or pool of addresses.

If the ISP does not apply CGNAT persistence (also known as a sticky IP), the end user's traffic appears to come from a shared public IP address (pool) when reaching the Internet. This can be verified through a third-party website (e.g. https://whatismyipaddress.com/): refreshing the page several times will show a few different public IP addresses.


This behavior creates a challenge for end users connecting to SSL VPN, especially on FortiGate firmware v7.2.11, v7.4.8, and v7.6.1 onwards.

Because the public IP changes frequently, a single client's SSL VPN connection attempt can reach the SSL VPN gateway from several different public IP addresses, which triggers the 'source IP check failed' error.


To mitigate the issue, run the following CLI commands:

config vpn ssl settings
  set auth-session-check-source-ip disable
end

Disabling this setting reduces security, because the gateway no longer checks that an authenticated session keeps its original source IP. Alternatively, ask the ISP to opt out of CGNAT.
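As an added triage aid (not part of this article, and not using FortiGate's real log schema), the Python below groups 'source IP check failed' events per user and judges whether the failing source addresses look like a shared, non-sticky CGNAT pool, which helps decide whether disabling the check is the right response for a given user population. The sample records, the simplified record shape and the /24 pool size are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in a simplified shape (NOT FortiGate's real log
# schema): (time, user, source_ip, result). alice's failures come from three
# addresses in one small range, bob's from one address, carol logged in fine.
SAMPLE_EVENTS = [
    ("10:00:01", "alice", "203.0.113.10", "source IP check failed"),
    ("10:00:02", "alice", "203.0.113.17", "source IP check failed"),
    ("10:00:03", "alice", "203.0.113.23", "source IP check failed"),
    ("10:05:00", "bob",   "198.51.100.7", "source IP check failed"),
    ("10:05:01", "bob",   "198.51.100.7", "source IP check failed"),
    ("10:07:00", "carol", "192.0.2.44",   "login ok"),
]

def failing_source_ips(events):
    """Map each user to the distinct source addresses behind their failures."""
    per_user = defaultdict(set)
    for _time, user, src, result in events:
        if result == "source IP check failed":
            per_user[user].add(src)
    return dict(per_user)

def common_prefix(addrs):
    """Smallest IPv4 prefix covering all addresses (a stand-in for the pool)."""
    ints = [int(ipaddress.ip_address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    plen = 32
    # Shorten the prefix until the lowest and highest address share it.
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    return ipaddress.ip_network(((lo >> (32 - plen)) << (32 - plen), plen))

def classify(per_user, pool_prefixlen=24):
    """'cgnat-churn': several addresses inside one prefix no wider than the
    assumed pool size; 'single-ip': one address failing repeatedly;
    'scattered': addresses too far apart for one pool to explain."""
    verdicts = {}
    for user, addrs in per_user.items():
        if len(addrs) == 1:
            verdicts[user] = "single-ip"
        elif common_prefix(addrs).prefixlen >= pool_prefixlen:
            verdicts[user] = "cgnat-churn"
        else:
            verdicts[user] = "scattered"
    return verdicts

if __name__ == "__main__":
    for user, verdict in classify(failing_source_ips(SAMPLE_EVENTS)).items():
        print(f"{user}: {verdict}")
```

A 'cgnat-churn' verdict for many users of one ISP supports the CGNAT explanation; 'scattered' failures warrant a closer look before the check is disabled.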
