Description
This article explains the 'unable to get VPN tunnel IP address (-30)' error seen when connecting with FortiClient SSL VPN, and how to resolve it.
Solution
- See the pictures below: two hosts using FortiClient to establish the SSL VPN.
- In the above images, the first computer connects successfully with FortiClient while the second computer gets the error 'unable to obtain an IP address for VPN tunnel (-30)'. Depending on the version, the connection may get stuck at 45% or at 89%.
- The SSL VPN debug output shows the error below.
2020-04-16 07:09:55 [319:root:41]sslvpn_reserve_dynip:1128 failed to get dynamic IP
2020-04-16 07:09:55 [319:root:41]rmt_fortisslvpn_xml_cb_handler:2398 no more IP address available.
2020-04-16 07:09:55 [319:root:41]req: /FortiClientSslvpnClearCacheUrl/for/Wini
2020-04-16 07:09:55 [319:root:41]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
2020-04-16 07:10:15 [319:root:41]Timeout for connection 0x7f6c36488000.
- To get rid of this error, check the address range configured under SSL VPN settings.
- The above picture shows that there is only one IP address available for FortiClient users, which is why this error occurs.
- Increasing the address range fixes this problem.
GUI:
Navigate to VPN -> SSL VPN settings, go to Tunnel mode client settings, and edit the 'Address range'.
Select the option 'Specify custom IP ranges'. Then hover over the address object 'SSLVPN_Tunnel_Addr1' and select the option to edit the address object.
Edit the range as needed; in the example below the range has been increased by 30 new IP addresses, so the new range runs from .200 to .240.
Once the range has been edited, select 'OK' and then 'Apply' to save the changes. The new range can then be seen in the GUI.
CLI:
The existing object, as printed by 'show' under 'config firewall address':
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid 13249802-2c26-51ee-a70a-e26a1b0deec3
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
Extend the range by raising the end-ip from within the same object:
(SSLVPN_TUNNEL_ADDR1) # set end-ip 10.212.134.240
(SSLVPN_TUNNEL_ADDR1) # end
After updating the range, new users should be able to connect to the SSL VPN in tunnel mode (FortiClient).
Solution 2:
This issue may also occur due to the DHCP configuration on the portal. In the DHCP debugs on the FortiGate, the following error messages may be visible:
If the configuration checks out as per the steps in Solution 1, verify that the DHCP settings of the tunnel portal are not pointing to an external DHCP service:
config vpn ssl web portal
    edit "name_tunnel"
        show full | grep ip-mode
If the following setting is visible, it creates a conflict: it requires an external DHCP server, which prevents the specified tunnel address range from being assigned:
To resolve the issue, unset this setting:
config vpn ssl web portal
    edit "name_tunnel"
        unset ip-mode
end
Afterwards, test again. If the issue persists, open a case with TAC and provide the debugs and the configuration file.
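The two checks above (Solution 1: is the tunnel address pool too small for the number of users; Solution 2: has the portal's ip-mode been switched to an external DHCP server) can be run offline against saved CLI output. The script below is an added example and is not part of this article or of any Fortinet tool. It parses constructed samples of the 'show' output for the address object, the sslvpn debug lines quoted above, and the portal's full configuration; the 'set ip-mode dhcp' value is assumed to be the conflicting setting the article refers to, and the portal name "name_tunnel" and the samples are constructed, not captured from a device.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample of `config firewall address` / `show` output for the tunnel
# address object, modelled on the article (not captured from a real FortiGate).
FIREWALL_ADDRESS_SHOW = """\
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid 13249802-2c26-51ee-a70a-e26a1b0deec3
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
"""

# Constructed sample of sslvpn debug output; the signature lines are the ones
# quoted in the article.
SSLVPN_DEBUG = """\
2020-04-16 07:09:55 [319:root:41]sslvpn_reserve_dynip:1128 failed to get dynamic IP
2020-04-16 07:09:55 [319:root:41]rmt_fortisslvpn_xml_cb_handler:2398 no more IP address available.
2020-04-16 07:10:15 [319:root:41]Timeout for connection 0x7f6c36488000.
"""

# Constructed sample of `config vpn ssl web portal` / `show full-configuration`.
# Assumption: `set ip-mode dhcp` is the conflicting value the article describes.
PORTAL_SHOW_FULL = """\
config vpn ssl web portal
    edit "name_tunnel"
        set tunnel-mode enable
        set ip-mode dhcp
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
"""

# Debug messages that indicate the tunnel address pool ran dry (from the article).
EXHAUSTION_SIGNATURES = ("failed to get dynamic IP", "no more IP address available")


def _object_body(show_output: str, name: str) -> str:
    """Return the lines between `edit "<name>"` and its matching `next`."""
    m = re.search(r'edit "%s"(.*?)\n\s*next' % re.escape(name), show_output, re.S)
    if m is None:
        raise ValueError(f"object {name!r} not found in output")
    return m.group(1)


def parse_iprange(show_output: str, name: str) -> tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (start-ip, end-ip) of an iprange firewall address object."""
    body = _object_body(show_output, name)
    if "set type iprange" not in body:
        raise ValueError(f"{name!r} is not an iprange object")
    start = re.search(r"set start-ip (\S+)", body).group(1)
    end = re.search(r"set end-ip (\S+)", body).group(1)
    return ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)


def pool_size(start: ipaddress.IPv4Address, end: ipaddress.IPv4Address) -> int:
    """Number of tunnel addresses an inclusive start-ip/end-ip range can hand out."""
    if end < start:
        raise ValueError("end-ip is below start-ip")
    return int(end) - int(start) + 1


def extend_range(end: ipaddress.IPv4Address, extra: int) -> ipaddress.IPv4Address:
    """New end-ip after adding `extra` addresses (the article adds 30: .210 -> .240)."""
    return ipaddress.IPv4Address(int(end) + extra)


def exhaustion_events(debug_output: str) -> list[str]:
    """Debug lines carrying a pool-exhaustion signature."""
    return [ln for ln in debug_output.splitlines() if any(s in ln for s in EXHAUSTION_SIGNATURES)]


def portal_ip_mode(show_full_output: str, portal: str) -> str | None:
    """ip-mode of a web portal, or None if the line is absent."""
    m = re.search(r"set ip-mode (\S+)", _object_body(show_full_output, portal))
    return m.group(1) if m else None


def diagnose(address_show: str, address_name: str, debug_output: str,
             portal_show_full: str, portal_name: str) -> dict:
    """Combine both checks into a list of findings with the suggested fix."""
    start, end = parse_iprange(address_show, address_name)
    size = pool_size(start, end)
    events = exhaustion_events(debug_output)
    mode = portal_ip_mode(portal_show_full, portal_name)
    findings = []
    if events:
        findings.append(f"{len(events)} pool-exhaustion message(s) in sslvpn debug; "
                        f"{address_name} holds only {size} address(es) ({start}-{end}): widen the range")
    if mode == "dhcp":  # assumed conflicting value, see lead-in
        findings.append(f"portal {portal_name} has ip-mode dhcp: addresses come from an external "
                        f"DHCP server, not from {address_name}; unset ip-mode if that is not intended")
    return {"pool_size": size, "exhaustion_events": len(events), "ip_mode": mode, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(FIREWALL_ADDRESS_SHOW, "SSLVPN_TUNNEL_ADDR1",
                         SSLVPN_DEBUG, PORTAL_SHOW_FULL, "name_tunnel")["findings"]:
        print("-", line)
```

Replace the constructed samples with the real 'show' and debug output from the FortiGate. A pool size close to the number of concurrent tunnel-mode users, together with the two signature lines in the debug, points at Solution 1; an ip-mode of dhcp on the portal points at Solution 2.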