FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kcheng
Staff
Staff
Description This article describes that it is not possible to to receive VPN tunnel IP address (-30) despite IP pool is free.
Scope FortiGate, SSL-VPN.
Solution

Sometimes, it is difficutl to connect to SSLVPN and being thrown an error of 'Unable to receive VPN tunnel IP address (-30)'.

 

It is possible to check if there is any exhaustion of SSL-VPN IP pool by checking on the SSL-VPN user list with the following command:


# get vpn ssl monitor

 

get vpn ssl monitor.png

 

 

 

Enable the debug of SSLVPN and ask the user to connect to the SSL-VPN:

 

# diag deb app sslvpn -1
# diag deb en

 

It is possible to find that there is no user connected to SSL-VPN and the following error is shown in the debug log:


ssvpn_reserve_dynip:1103 failed to get dynamic IP

 

error.png

 

To resolve that, proceed to restart SSL-VPN service with the following command:


fnsysctl killall sslvpnd

 

The user should be able to connect to SSL-VPN and obtain an IP successfully. 

Contributors