FortiGate
kkhushdeep (Staff)
Article Id 329118
Description: This article covers troubleshooting steps for when the SSL VPN connects but cannot access the local subnet or any host within it.
Scope: FortiGate.
Solution

This article explains how to resolve an issue where the SSL VPN connects but cannot access the LAN or host behind the LAN interface:

  1. Ensure there is a policy to permit access to the internal network. Normally, the source interface is ssl.root, and the destination is the LAN.
  2. Check that the SSL VPN address group and user group are added to the firewall policy.

[Screenshot: sslvpn fortigate.png]

  3. If the policy already exists and split tunneling is enabled, make sure that the destination addresses include the necessary local subnets.
  4. Check the SSL VPN portal used by the VPN users. If there is no subnet or IP in the Routing Address Override, FortiGate uses the destinations specified in the firewall policy.

[Screenshot: SSL VPN.PNG]

  5. After connecting to the VPN, verify that the route is present in the routing table of the PC by opening a command prompt (Windows) or Terminal (macOS) and running:
  • Windows: route print
  • macOS: netstat -rn
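The screenshots referenced above are not reproduced here, so the following added example (not from the article) shows what the configuration checked in steps 1 to 4 looks like in the FortiOS CLI: a LAN address object, a tunnel-mode portal with split tunneling restricted to that subnet, the authentication rule that maps the user group to the portal, and the firewall policy from ssl.root to the LAN. The interface name port2, the subnet 192.168.10.0/24, the object names LAN_SUBNET, full-access and sslvpn_users, and the policy ID 10 are all assumed placeholders; SSLVPN_TUNNEL_ADDR1 is the default SSL VPN IP pool object.

```fortios
# Address object for the internal subnet (subnet and name are assumed)
config firewall address
    edit "LAN_SUBNET"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Portal: tunnel mode, split tunneling limited to the LAN subnet (step 3/4).
# If split-tunneling-routing-address is left empty, FortiGate pushes the
# destination addresses of the matching firewall policy as routes instead.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_SUBNET"
    next
end

# Map the VPN user group to that portal (group name is assumed to exist)
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn_users"
            set portal "full-access"
        next
    end
end

# Policy from the SSL VPN tunnel interface to the LAN (step 1/2), restricted
# to the tunnel address range and the VPN user group
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_SUBNET"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn_users"
        set nat disable
    next
end
```

With this configuration the client should receive a route for 192.168.10.0/24 via the tunnel after connecting, which is what step 5 verifies with route print or netstat -rn. Keeping srcaddr limited to the tunnel pool and adding the user group to the policy means only authenticated VPN users, from tunnel addresses, can reach the LAN.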


If it is still not possible to access the subnet or any host in the subnet, check the following steps:

  1. Use the following command to check whether the traffic is reaching the FortiGate:

diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 l

Here, x.x.x.x is the IP address obtained after connecting to the VPN (check this on FortiClient) and y.y.y.y is the destination IP address.

If the traffic reaches the FortiGate, the subnet is included in the split tunnel routes (when split tunneling is enabled).

Next, run the sniffer filtering only on the SSL VPN client address, so that traffic returning toward the client is also visible. In this setup, that address is the SSL VPN IP assigned after connecting:

diagnose sniffer packet any "host y.y.y.y" 4 0 l

y.y.y.y: the SSL VPN client IP, which is the IP address obtained after connecting to the VPN (check on FortiClient).

  2. Use the following commands to check which policy this traffic is hitting, and check the routes accordingly:

diagnose debug reset
diagnose debug disable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow filter addr x.x.x.x y.y.y.y and
diagnose debug flow trace start 999
diagnose debug enable

In the filter line, x.x.x.x is the IP address obtained after connecting to the VPN (check on FortiClient) and y.y.y.y is the destination IP address.

Try to access the host, then stop the trace with Ctrl+C and disable the debugs by running:

diagnose debug reset
diagnose debug disable

Related article:

Troubleshooting Tip: SSL VPN Troubleshooting