FortiGate
nathan_h
Staff
Article Id 263979

Description

This article describes how to resolve the error 'SSL VPN Proxy Error. Reason: Access Denied'.

Scope

FortiGate 7.x.x.

Solution

The user sees the error 'SSL VPN Proxy Error. Reason: Access Denied' when accessing a site via SSL VPN web mode.

[Screenshot: 2023-07-13 16 08 30.png]
[Screenshot: 2023-07-13 16 08 31.png]

Firewall Policy configuration:

[Screenshot: 2023-07-13 16 08 31 (2).png]

SSL VPN debug:

diag debug app sslvpn -1
diag debug enable
.......
[191:root:0]make_proxy_url:79 proxy url :/proxy/326e91ac/http/www.example.com/
[191:root:fc]req: /proxy/326e91ac/http/www.example.com/
[191:root:fc]deconstruct_session_id:709 decode session id ok, user=[local_nathan], group=[SSLVPN],authserver=[],portal=[web-access],host[172.25.181.165],realm=[],csrf_token=[FDD3282F1D31BA27A7DA79DCECCA2FEA],idx=0,auth=1,sid=326e91a5,login=1689275067,access=1689275067,saml_logout_url=no,pip=no,grp_info=[c4mZZB],rmt_grp_info=[]
[191:root:fc]dns_query():296 tried IPv4 0 www.example.com
[191:root:fc]dns_on_read():178 got result <--------- DNS is successful
[191:root:fc]sslvpn_policy_match:2641 checking web session
[191:root:fc]remote_ip=[172.25.181.165], user=[local_nathan], iif=3, auth=1, dsthost=[www.example.com], portal=[web-access] realm=[(null)], dst=93.184.216.34, dport=80, service=[http] <------------ IP address of the site: 93.184.216.34
[191:root:fc]policy_match_check:126 checking policy 1 for incoming policy (iif: 3)
[191:root:fc]policy_match_check:129 checking schedule
[191:root:fc]policy_match_check:136 checking authgrp
[191:root:fc]policy_match_check:145 checking services
[191:root:fc]check_policy_svr:742 service check ok
[191:root:fc]policy_match_check:154 checking ssl mode
[191:root:fc]policy_match_check:159 checking oif admin access
[191:root:fc]policy_match_check:168 checking oif
[191:root:fc]check_pol_oif:850 checking oif to 93.184.216.34
[191:root:fc]check_pol_oif:857 checking port2(0x1041f478)
[191:root:fc]policy_match_check:236 return 1 <-- No matching policy.
.......

To resolve the issue, follow these steps.

1. Create a firewall policy with the correct destination interface, destination IP address and port for the site. In the debug above, the only existing policy (policy 1) is checked against outgoing interface port2 and the trace ends with 'return 1' before any address check is reached, so no policy matches and the SSL VPN proxy denies the request.

[Screenshot: 2023-07-13 16 08 31 (4).png]

SSL VPN debug:

.......
[191:root:154]dns_query():296 tried IPv4 0 www.example.com
[191:root:154]dns_on_read():178 got result
[191:root:154]sslvpn_policy_match:2641 checking web session
[191:root:154]remote_ip=[172.25.181.165], user=[local_nathan], iif=3, auth=1, dsthost=[www.example.com], portal=[web-access] realm=[(null)], dst=93.184.216.34, dport=80, service=[http]
[191:root:154]policy_match_check:126 checking policy 2 for incoming policy (iif: 3)
[191:root:154]policy_match_check:129 checking schedule
[191:root:154]policy_match_check:136 checking authgrp
[191:root:154]policy_match_check:145 checking services
[191:root:154]check_policy_svr:742 service check ok
[191:root:154]policy_match_check:154 checking ssl mode
[191:root:154]policy_match_check:159 checking oif admin access
[191:root:154]policy_match_check:168 checking oif
[191:root:154]check_pol_oif:850 checking oif to 93.184.216.34
[191:root:154]check_pol_oif:857 checking port1(0x1046dc68)
[191:root:154]policy_match_check:179 checking address
[191:root:154]policy_match_check:205 policy id: 2, policy position: 1, policy action: accept, address matched: 1
[191:root:154]policy_match_check:126 checking policy 1 for incoming policy (iif: 3)
[191:root:154]policy_match_check:129 checking schedule
[191:root:154]policy_match_check:136 checking authgrp
[191:root:154]policy_match_check:145 checking services
[191:root:154]check_policy_svr:742 service check ok
[191:root:154]policy_match_check:154 checking ssl mode
[191:root:154]policy_match_check:159 checking oif admin access
[191:root:154]policy_match_check:168 checking oif
[191:root:154]check_pol_oif:850 checking oif to 93.184.216.34
[191:root:154]check_pol_oif:857 checking port2(0x1046dc68)
[191:root:154]policy_match_check:223 selected policy id: 2, policy position: 1, policy action: accept
[191:root:154]policy_match_check:236 return 0 <--- Policy matched.
[191:root:154]deconstruct_session_id:709 decode session id ok, user=[local_nathan], group=[SSLVPN],authserver=[],portal=[web-access],host[172.25.181.165],realm=[],csrf_token=[36799D363C3535A1EF89ED84430BA],idx=0,auth=1,sid=7a87211a,login=1689276287,access=1689276287,saml_logout_url=no,pip=no,grp_info=[971zJF],rmt_grp_info=[]
[191:root:154]6 0x7fe362759d00,ssl=0x7fe361b2ac00,(nil),connect to www.example.com:80.
[191:root:154]0x7fe362759d00 doSSLConnect() cookie in: APSCOOKIE_9540045774394454540="Era%3D1%26Payload%3DXHDaDzM515c4oyO7XEtR8DBPN4OGQssULeRuAZovlQujfE+2MFxKEmbwsZgNb2cD%0A4wrGc20khOoQ9Os95zdgQex0jYnbhkYd24IiFKkITx7fw9VlgCL0lK2bsh%2FO8%2F%2FB%0A%26AuthHash%3DLC%2Fl+mgqaGPoIqcVZ8J3d49wMHk%3D%0A"; ccsrftoken_9540045774394454540="1832D4229A51AD819DEA3453246342"; ccsrftoken="1832D4229A51AD819DEA3453246342"; FILE_DOWNLOADING_9540045774394454540="1"; _gd_visitor=87eec270-2ba1-4d5f-8a95-bcb1caa32ee9; _gd_session=0a751240-cb25-4572-8d83-901918f093cd; SVPNCOOKIE=Ari91/vXXZ6BR/qd9LDx2pyShwQjhf03k/GdnBEe4qVOc7sFRU9yqM8hT4Mu+p/Mr9yk180sG2J3stc87Nnt4rQ6LhW49a4DJfAkqT2io4ZFBd8xQww0nUZ8FJwxtmHW3sKsYlhifBlSvuZRCs2tok772QcCIvHf/Kb9Xu92YczbEVothW77AeFs6Nj+qm7Z5F7cIWJo4xrhhActGy2ncuH97tMt28kV/UOV/y7cwh75SDN1KLGAyIQoI1gzhoTQCEnLplXIcZ6PswqHBNQpDbhZH3ewEjM0hOb7fapGE8RAEklEEm89O6k=
[191:root:154]0x7fe362759d00 doSSLConnect() cookie out:  ccsrftoken="1832D4229A51AD819DEA3453246342"; _gd_visitor=87eec270-2ba1-4d5f-8a95-bcb1caa32ee9; _gd_session=0a751240-cb25-4572-8d83-901918f093cd
[191:root:154]0x7fe362759d00 fsv_output_req_headers() send header:
GET / HTTP/1.1
Host: www.example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie:  ccsrftoken="1832D4229A51AD819DEA3453246342"; _gd_visitor=87eec270-2ba1-4d5f-8a95-bcb1caa32ee9; _gd_session=0a751240-cb25-4572-8d83-901918f093cd
.......

The site will become accessible:

[Screenshot: 2023-07-13 16 08 31 (5).png]


Note: Ensure that the FortiGate itself can resolve the relevant FQDN/URL to the correct IP address. In the debug output, the line 'dns_on_read():178 got result' confirms that name resolution succeeded; without it, the policy check is never reached.
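As an added example (not part of this article and not a Fortinet tool), the following Python script parses the two sslvpn debug traces shown above and reports why a web-mode request was denied, or which policy accepted it, so that the same triage can be run over a pasted debug instead of reading it line by line. The sample traces are the article's own excerpts with the inline annotations removed and the second one abridged; the regular expressions are written against the line formats shown on this page, and it is an assumption that other FortiOS builds print the same format.

```python
import re

# Constructed samples: the two "diag debug app sslvpn -1" excerpts from this article,
# with the "<--" annotations removed and the allowed case abridged to the lines used here.
DENIED_DEBUG = """\
[191:root:fc]dns_query():296 tried IPv4 0 www.example.com
[191:root:fc]dns_on_read():178 got result
[191:root:fc]sslvpn_policy_match:2641 checking web session
[191:root:fc]remote_ip=[172.25.181.165], user=[local_nathan], iif=3, auth=1, dsthost=[www.example.com], portal=[web-access] realm=[(null)], dst=93.184.216.34, dport=80, service=[http]
[191:root:fc]policy_match_check:126 checking policy 1 for incoming policy (iif: 3)
[191:root:fc]policy_match_check:129 checking schedule
[191:root:fc]policy_match_check:136 checking authgrp
[191:root:fc]policy_match_check:145 checking services
[191:root:fc]check_policy_svr:742 service check ok
[191:root:fc]policy_match_check:154 checking ssl mode
[191:root:fc]policy_match_check:159 checking oif admin access
[191:root:fc]policy_match_check:168 checking oif
[191:root:fc]check_pol_oif:850 checking oif to 93.184.216.34
[191:root:fc]check_pol_oif:857 checking port2(0x1041f478)
[191:root:fc]policy_match_check:236 return 1
"""

ALLOWED_DEBUG = """\
[191:root:154]dns_query():296 tried IPv4 0 www.example.com
[191:root:154]dns_on_read():178 got result
[191:root:154]remote_ip=[172.25.181.165], user=[local_nathan], iif=3, auth=1, dsthost=[www.example.com], portal=[web-access] realm=[(null)], dst=93.184.216.34, dport=80, service=[http]
[191:root:154]policy_match_check:126 checking policy 2 for incoming policy (iif: 3)
[191:root:154]policy_match_check:168 checking oif
[191:root:154]check_pol_oif:850 checking oif to 93.184.216.34
[191:root:154]check_pol_oif:857 checking port1(0x1046dc68)
[191:root:154]policy_match_check:179 checking address
[191:root:154]policy_match_check:205 policy id: 2, policy position: 1, policy action: accept, address matched: 1
[191:root:154]policy_match_check:126 checking policy 1 for incoming policy (iif: 3)
[191:root:154]policy_match_check:168 checking oif
[191:root:154]check_pol_oif:857 checking port2(0x1046dc68)
[191:root:154]policy_match_check:223 selected policy id: 2, policy position: 1, policy action: accept
[191:root:154]policy_match_check:236 return 0
"""

PREFIX = re.compile(r"^\[\d+:[^\]]*\]")  # the "[191:root:fc]" process/vdom/thread prefix
REQ = re.compile(r"user=\[([^\]]*)\].*?dsthost=\[([^\]]*)\].*?dst=([\d.]+), dport=(\d+), service=\[([^\]]*)\]")
POLICY_START = re.compile(r"policy_match_check:\d+ checking policy (\d+) for incoming policy")
OIF_CHECK = re.compile(r"check_pol_oif:\d+ checking (\w+)\(0x[0-9a-f]+\)")
ADDR_RESULT = re.compile(r"policy_match_check:\d+ policy id: (\d+),.*address matched: (\d)")
SELECTED = re.compile(r"policy_match_check:\d+ selected policy id: (\d+)")
VERDICT = re.compile(r"policy_match_check:\d+ return (\d)")
STEP = re.compile(r"policy_match_check:\d+ checking (.+)")  # generic "checking <step>" line


def parse_sslvpn_debug(text):
    """Parse one web-mode request's policy-match trace into a dict."""
    result = {"dns_ok": False, "user": None, "dsthost": None, "dst": None, "dport": None,
              "service": None, "policies": [], "selected": None, "matched": None}
    current = None  # the policy whose checks are currently being traced
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip(), count=1)
        if line.startswith("dns_on_read()") and "got result" in line:
            result["dns_ok"] = True  # FortiGate resolved the FQDN itself
        elif line.startswith("remote_ip=") and (m := REQ.search(line)):
            result.update(user=m[1], dsthost=m[2], dst=m[3], dport=int(m[4]), service=m[5])
        elif m := POLICY_START.match(line):
            current = {"id": int(m[1]), "oif": None, "last_check": None, "address_matched": None}
            result["policies"].append(current)
        elif (m := OIF_CHECK.match(line)) and current:
            current["oif"] = m[1]  # interface the policy was checked against
        elif (m := ADDR_RESULT.match(line)) and current:
            current["address_matched"] = m[2] == "1"
        elif m := SELECTED.match(line):
            result["selected"] = int(m[1])
        elif m := VERDICT.match(line):
            result["matched"] = m[1] == "0"  # "return 0" = policy matched, "return 1" = denied
        elif (m := STEP.match(line)) and current:
            current["last_check"] = m[1].strip()  # the check the trace reached last
    return result


def diagnose(parsed):
    """Turn the parsed trace into the one-line conclusion a support engineer wants."""
    if not parsed["dns_ok"]:
        return "DNS: no 'dns_on_read got result' seen; check that the FortiGate itself resolves the FQDN."
    target = f"{parsed['dsthost']} ({parsed['dst']}:{parsed['dport']}/{parsed['service']})"
    if parsed["matched"] is None:
        return f"INCOMPLETE: trace for {target} has no 'return' line."
    if parsed["matched"]:
        return f"ALLOW: policy {parsed['selected']} matched for {target}."
    checked = "; ".join(f"policy {p['id']} stopped at check '{p['last_check']}' (oif checked: {p['oif']})"
                        for p in parsed["policies"])
    return (f"DENY (return 1): no policy matched {target} for user {parsed['user']}; {checked}. "
            "Add a policy whose destination interface, address and service cover this target.")


if __name__ == "__main__":
    for name, trace in (("denied", DENIED_DEBUG), ("allowed", ALLOWED_DEBUG)):
        print(name, "->", diagnose(parse_sslvpn_debug(trace)))
```

Paste a fresh trace into parse_sslvpn_debug to get the same verdict for a different site; a trace that never reaches 'dns_on_read ... got result' is reported as a DNS problem, which is the case the note above is about.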