FortiGate
sagha
Staff
Article Id 369747
Description This article describes the scenario where a working SSL VPN stops working and the FortiGate answers incoming connections on the SSL VPN port with an RST packet.
Scope FortiGate, FortiOS, SSL VPN.
Solution

A configured SSL VPN is fully functional, then stops working even though nothing in the SSL VPN configuration has been changed. The SSL VPN settings in this scenario are:

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 10443
    set source-interface "Internet"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
end

 

A packet capture on the FortiGate (for example diagnose sniffer packet any 'port 10443' 4) shows the incoming SYN being answered immediately with an RST, so the TCP three-way handshake never completes and no TLS session is established:

 

Internet in 172.16.10.3.51308 -> 192.168.10.1.10443: syn 3088753788

Internet out 192.168.10.1.10443 -> 172.16.10.3.51308 : rst 3088753789

 

The cause is a VIP that was added with the same external IP and external port as the SSL VPN listener: extip 192.168.10.1 on extintf any with extport 10443 matches exactly the traffic that 'set port 10443' on the Internet interface is meant to receive. FortiOS applies VIP destination NAT before a packet is matched against the FortiGate's own local-in services, so the SYN is translated toward the mapped server instead of being handed to the SSL VPN daemon, and the result is the RST captured above. The offending VIP:

 

config firewall vip
    edit "Test-VIP"
        set uuid 83191566-d198-51ef-c4a3-4ff8e841cf94
        set extip 192.168.10.1
        set mappedip "10.10.10.1"
        set extintf "any"
        set portforward enable
        set extport 10443
        set mappedport 443
    next
end

 

To fix this, apply any one of the following (they are alternatives, not steps):

  1. Delete the VIP.
  2. Change the VIP's extport to a port other than the SSL VPN port (10443 here).
  3. Move SSL VPN to a different port (set port under config vpn ssl settings) and update the clients accordingly.

Before choosing, confirm the overlap with show firewall vip and compare each entry's extip, extintf and extport against the SSL VPN port and source-interface. Note that a VIP with portforward disabled translates every port on its extip, so it shadows SSL VPN regardless of the port in use.
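The following is an added example, not code from the article or from Fortinet. It parses the CLI form of a FortiOS configuration (what show prints, or a config backup) and flags every firewall VIP whose external IP, interface and port range cover the SSL VPN listener, which is the collision diagnosed above. The sample configuration is constructed from the article's blocks plus a second, non-colliding VIP. Assumptions: the SSL VPN listener addresses are supplied by the caller because they live in config system interface, which this parser does not read; a VIP with extip 0.0.0.0 is treated as following its extintf address; and a VIP without port forwarding is treated as translating every port.

```python
"""Detect FortiOS VIPs that shadow the SSL VPN listener (added example)."""
import ipaddress
import re

# Constructed sample: the article's SSL VPN settings and VIP, plus a
# second VIP on a different external port that must not be flagged.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "Internet"
    set source-address "all"
    set default-portal "full-access"
end
config firewall vip
    edit "Test-VIP"
        set extip 192.168.10.1
        set mappedip "10.10.10.1"
        set extintf "any"
        set portforward enable
        set extport 10443
        set mappedport 443
    next
    edit "Web-VIP"
        set extip 192.168.10.1
        set mappedip "10.10.10.2"
        set extintf "Internet"
        set portforward enable
        set extport 8443
        set mappedport 443
    next
end
"""


def parse_fortios(text):
    """Turn FortiOS CLI config into nested dicts.

    'config a b' opens a section keyed "a b", 'edit "x"' opens a table
    entry, 'set k v ...' stores the value tokens under k, and 'next'/'end'
    close the current level. This covers the syntax used by the settings
    and vip tables; it is not a complete FortiOS grammar.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            stack[-1][key] = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', rest)]
        elif line in ("next", "end"):
            stack.pop()
    return root


def _span(spec, conv=int):
    """'a' -> (a, a); 'a-b' -> (a, b), with conv applied to both ends."""
    lo, _, hi = spec.partition("-")
    return conv(lo), conv(hi or lo)


def _ip_int(addr):
    return int(ipaddress.ip_address(addr))


def find_vip_collisions(cfg, listener_ips):
    """Return the names of VIPs that would capture traffic meant for SSL VPN.

    listener_ips: addresses of the SSL VPN source-interface(s), supplied by
    the caller (assumption: not parsed from config system interface here).
    A VIP collides when its extip covers a listener address (0.0.0.0 is
    taken to follow the extintf address), its extintf is "any" or one of
    the SSL VPN source-interfaces, and its extport range contains the
    SSL VPN port. Without portforward every port is translated.
    """
    ssl = cfg.get("vpn ssl settings", {})
    ssl_port = int(ssl.get("port", ["443"])[0])  # FortiOS default is 443
    ssl_ifaces = set(ssl.get("source-interface", []))
    hits = []
    for name, vip in cfg.get("firewall vip", {}).items():
        extip = vip.get("extip", ["0.0.0.0"])[0]
        if extip == "0.0.0.0":
            ip_hit = True
        else:
            lo, hi = _span(extip, _ip_int)
            ip_hit = any(lo <= _ip_int(ip) <= hi for ip in listener_ips)
        extintf = vip.get("extintf", ["any"])[0]
        intf_hit = extintf == "any" or extintf in ssl_ifaces
        if vip.get("portforward", ["disable"])[0] == "enable":
            lo, hi = _span(vip.get("extport", ["0"])[0])
            port_hit = lo <= ssl_port <= hi
        else:
            port_hit = True  # static NAT without port forwarding: all ports
        if ip_hit and intf_hit and port_hit:
            hits.append(name)
    return hits


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for name in find_vip_collisions(cfg, ["192.168.10.1"]):
        print(f"VIP {name!r} shadows SSL VPN port {cfg['vpn ssl settings']['port'][0]}")
```

Run it against a full config backup by replacing SAMPLE_CONFIG with the file contents and passing the real source-interface addresses; any name it prints is a VIP to delete, re-port, or move SSL VPN away from before expecting the RSTs to stop.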