kmohan
Staff
Article Id 374831
Description

 

This article describes how to troubleshoot traffic flow issues in an IPsec-over-VIP configuration.

 

Scope

 

FortiGate.

 

Solution

 

Once the configuration is done, run the commands below to verify the VIP address configured on the IP pool.

 

Open the CLI and run the following:


diagnose debug flow filter addr x.x.x.x
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 200
diagnose debug enable

 

Review the debug logs and check them against the policy (IPsec to LAN) and the IP pool, in particular whether the VIP is added to multiple policies with the 'WAN interface' as the outgoing interface.
Check whether the WAN interface is associated with the VIP policy; if it is, specify the IPsec interface instead of the WAN interface on the IP pool.

 

On the IP pool, change the interface from the WAN interface to the specific IPsec dial-up interface, and make the same change on the policy. Then disconnect the FortiClient VPN and reconnect it. Once the VPN is connected, the specific URL will be accessible.
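
To make the debug-log check above easier to repeat before and after the change, the following added example (not part of the original article and not Fortinet code) summarizes a saved debug flow capture per trace_id and flags traces that were denied or not translated to the expected IP pool address. The sample lines are constructed, their message layout is an assumption about the usual shape of debug flow output, and the interface names, addresses and policy IDs are invented.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug flow" output. The layout is assumed;
# interface names, addresses and policy IDs are invented for illustration.
SAMPLE = '''\
id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 10.212.134.200:51234->192.0.2.10:443) from DIALUP-VPN. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.1.10 via port2"
id=65308 trace_id=1 func=fw_forward_handler line=881 msg="Allowed by Policy-7: SNAT"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3471 msg="SNAT 10.212.134.200->198.51.100.5:51234"
id=65308 trace_id=2 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 10.212.134.200:51240->192.0.2.10:443) from DIALUP-VPN. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.1.10 via port2"
id=65308 trace_id=2 func=fw_forward_handler line=726 msg="Denied by forward policy check (policy 0)"
'''

LINE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"\s*$')
# Field name -> pattern; the last capture group of each pattern is stored.
FIELDS = [
    ("ingress", re.compile(r'received a packet\(.*?\).*? from (\S+)\.\s')),
    ("egress", re.compile(r'find a route: .* via (\S+)')),
    ("policy", re.compile(r'Allowed by Policy-(\d+)')),
    ("snat", re.compile(r'SNAT (\S+)->(\S+)')),
    ("denied", re.compile(r'(Denied by .*)')),
]

def summarize(text):
    """Group debug flow lines by trace_id and extract the fields above."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # skip CLI echo and unrelated lines
        tid, msg = int(m.group(1)), m.group(2)
        for name, rx in FIELDS:
            hit = rx.search(msg)
            if hit:
                traces[tid][name] = hit.group(hit.lastindex)
    return dict(traces)

def problems(traces, pool_ip):
    """Traces that were denied or not source-NATed to the expected pool IP."""
    bad = {}
    for tid, t in sorted(traces.items()):
        if "denied" in t:
            bad[tid] = t["denied"]
        elif t.get("snat", "").split(":")[0] != pool_ip:
            bad[tid] = "SNAT %s, expected %s" % (t.get("snat", "none"), pool_ip)
    return bad

if __name__ == "__main__":
    print(problems(summarize(SAMPLE), "198.51.100.5"))
```
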