Description: This article describes an issue where a dial-up IPsec VPN user may establish a VPN connection without being assigned an IP address if the pool of IP addresses configured for dial-up clients is exhausted. In this scenario, a default static route with administrative distance (AD) 15 may be automatically added to the routing table, which can lead to connectivity issues for users behind the FortiGate.
Scope: FortiGate v7.2.10, v7.2.11, v7.4.8.
Solution:
If the IP pool configured for dial-up clients is exhausted, the FortiGate may still allow VPN connections without assigning an IP address to the user.
When this happens, a default static route with AD 15 may be added to the routing table on FortiGate. Because that route has a lower AD than the existing WAN default route (AD 25 in the example below), it becomes the selected default route and pulls traffic from other users behind the FortiGate into the tunnel, which disrupts their connectivity.
Example configuration:
config vpn ipsec phase1-interface
    edit "IPSEC_SAML"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-sha384
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.255.253
        set ipv4-end-ip 192.168.255.254
        set dns-mode auto
        set ipv4-split-include "IPSEC_SAML_split"
        set save-password enable
        set psksecret XXXXXXX
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "IPSEC_SAML"
        set phase1name "IPSEC_SAML"
        set proposal aes256-sha256 aes256-sha384
    next
end
IKE debugs:
diagnose debug application ike -1
diagnose debug enable
2025-06-23 12:41:22.154099 ike 0:IPSEC_SAML: could not allocate IPv4 address <-----
2025-06-23 12:41:22.156981 ike 0:IPSEC_SAML: IPv6 pool is not configured
2025-06-23 12:41:22.159941 ike 0:IPSEC_SAML: adding new dynamic tunnel for 10.109.20.103:500
2025-06-23 12:41:22.163416 ike 0:IPSEC_SAML_2: tunnel created tun_id 10.109.20.103/::10.0.0.10 remote_location 0.0.0.0
2025-06-23 12:41:22.168069 ike 0:IPSEC_SAML_2: added new dynamic tunnel for 10.109.20.103:500
2025-06-23 12:41:22.171304 ike 0:IPSEC_SAML_2:61: established IKE SA efc7f7f6432d6a4a/9a070e598b8444de
2025-06-23 12:41:22.174837 ike 0:IPSEC_SAML_2:61: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
2025-06-23 12:41:22.178572 ike 0:IPSEC_SAML_2:61: processing INITIAL-CONTACT
2025-06-23 12:41:22.181315 ike 0:IPSEC_SAML_2: flushing
2025-06-23 12:41:22.183509 ike 0:IPSEC_SAML_2: flushed
2025-06-23 12:41:22.185638 ike 0:IPSEC_SAML_2:61: processed INITIAL-CONTACT
2025-06-23 12:41:22.188419 ike 0:IPSEC_SAML_2:61: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
2025-06-23 12:41:22.193044 ike 0:IPSEC_SAML_2:61: mode-cfg ignoring range 0:10.212.134.200-10.212.134.210:0, only ip/subnet supported
2025-06-23 12:41:22.197944 ike 0:IPSEC_SAML_2:61: mode-cfg send (3) IPv4 DNS(1) 96.45.45.45
2025-06-23 12:41:22.201470 ike 0:IPSEC_SAML_2:61: mode-cfg send (3) IPv4 DNS(2) 96.45.46.46
2025-06-23 12:41:22.205097 ike 0:IPSEC_SAML_2:61: mode-cfg send INTERNAL_IP6_SUBNET
2025-06-23 12:41:22.208432 ike 0:IPSEC_SAML_2:61: mode-cfg IPv6 DNS ignored, no IPv6 DNS servers found
2025-06-23 12:41:22.212568 ike 0:IPSEC_SAML_2:61: mode-cfg send APPLICATION_VERSION 'FortiGate-VM64 v7.2.10,build1706,240918 (GA.M)'
2025-06-23 12:41:22.217502 ike 0:IPSEC_SAML_2:61: mode-cfg send (28673) UNITY_SAVE_PASSWD
2025-06-23 12:41:22.221115 ike 0:IPSEC_SAML_2:61: client auto-negotiate is disabled
2025-06-23 12:41:22.224522 ike 0:IPSEC_SAML_2:61: client-keep-alive is disabled
2025-06-23 12:41:22.227704 ike 0:IPSEC_SAML_2:61: add INTERFACE-ADDR4 169.254.1.1
2025-06-23 12:41:22.231054 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: replay protection enabled
2025-06-23 12:41:22.234514 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: set sa life soft seconds=43188.
2025-06-23 12:41:22.238640 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: set sa life hard seconds=43200.
2025-06-23 12:41:22.242977 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: IPsec SA selectors #src=1 #dst=1
2025-06-23 12:41:22.246893 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: src 0 7 0:0.0.0.0-255.255.255.255:0
2025-06-23 12:41:22.250815 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: dst 0 7 0:0.0.0.0-255.255.255.255:0
2025-06-23 12:41:22.254579 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: add dynamic IPsec SA selectors
2025-06-23 12:41:22.258311 ike 0:IPSEC_SAML_2:61:IPSEC_SAML:21: added dynamic IPsec SA proxyids, new serial 1
2025-06-23 12:41:22.262299 ike 0:IPSEC_SAML:21: add route 0.0.0.0/0.0.0.0 gw 10.109.20.103 oif IPSEC_SAML(22) metric 15 priority 1 <-----
get router info routing-table database
S *> 0.0.0.0/0 [15/0] via IPSEC_SAML tunnel 10.109.20.103, [1/0]
S 0.0.0.0/0 [25/0] via 10.109.31.254, port1, [1/0]
C *> 10.109.16.0/20 is directly connected, port1
C *> 10.109.48.0/20 is directly connected, port10
C *> 10.188.0.0/20 is directly connected, port2
C *> 169.254.1.1/32 is directly connected, IPSEC_SAML
S *> 192.168.255.253/32 [15/0] via IPSEC_SAML tunnel 192.168.255.253, [1/0]
S *> 192.168.255.254/32 [15/0] via IPSEC_SAML tunnel 192.168.255.254, [1/0]
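The two symptoms above can be checked from a script. The following is an added example, not Fortinet code: it parses the text of `get router info routing-table database` in the format shown above and flags any 0.0.0.0/0 entry whose next hop is an IPsec tunnel, and it computes how many addresses an `ipv4-start-ip`/`ipv4-end-ip` range actually provides. The sample output embedded in the script is copied from the routing table above; the regular expression assumes that output format.

```python
import ipaddress
import re

# Constructed sample: lines copied from the routing-table database output above.
ROUTE_DB = """\
S *> 0.0.0.0/0 [15/0] via IPSEC_SAML tunnel 10.109.20.103, [1/0]
S 0.0.0.0/0 [25/0] via 10.109.31.254, port1, [1/0]
C *> 10.109.16.0/20 is directly connected, port1
C *> 169.254.1.1/32 is directly connected, IPSEC_SAML
S *> 192.168.255.253/32 [15/0] via IPSEC_SAML tunnel 192.168.255.253, [1/0]
"""

# Matches static entries such as
#   "S *> 0.0.0.0/0 [15/0] via IPSEC_SAML tunnel 10.109.20.103, [1/0]"
# "*>" marks the selected route; [AD/metric] precedes the next hop.
ROUTE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sel>\*>\s+)?(?P<prefix>\S+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>.+?),\s+\[")


def parse_routes(text):
    """Return the static routes in the output as dicts (connected routes are skipped)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "prefix": m["prefix"], "ad": int(m["ad"]), "via": m["via"],
                "selected": m["sel"] is not None,
                "tunnel": " tunnel " in f" {m['via']} ",  # next hop is an IPsec tunnel
            })
    return routes


def tunnel_default_routes(text):
    """Default routes whose next hop is an IPsec tunnel: the AD-15 symptom from this article."""
    return [r for r in parse_routes(text) if r["prefix"] == "0.0.0.0/0" and r["tunnel"]]


def pool_size(start_ip, end_ip):
    """Number of addresses between ipv4-start-ip and ipv4-end-ip, inclusive."""
    s, e = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if e < s:
        raise ValueError("ipv4-end-ip is below ipv4-start-ip")
    return int(e) - int(s) + 1


if __name__ == "__main__":
    for r in tunnel_default_routes(ROUTE_DB):
        print(f"WARNING: default route via {r['via']} (AD {r['ad']}, selected={r['selected']})")
    print("dial-up pool size:", pool_size("192.168.255.253", "192.168.255.254"))
```

Feeding the script the live routing-table output (for example via SSH) and alerting on any hit, together with a pool size below the expected number of concurrent dial-up users, gives an early warning before the routing disruption is noticed by users.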
This issue has been resolved in:
These timelines for firmware release are estimates and may be subject to change.
Workaround:
Ensure that the IP pool configured for dial-up VPN users has a sufficient range of available addresses. If needed, expand the pool by adjusting the configuration:
config vpn ipsec phase1-interface
    edit "IPSEC_SAML"
        set ipv4-start-ip X.X.X.X
        set ipv4-end-ip X.X.X.X
    next
end
Copyright 2025 Fortinet, Inc. All Rights Reserved.