Description | This article discusses the cause of Internet traffic being routed out of the ssl.root interface and how to resolve the issue. |
Scope | FortiGate. |
Solution |
In this example, the FortiGate uses port1 as the WAN interface with IP address 10.9.10.142. Pinging fortinet.com fails even though the name resolves to an IP address, so this is a forwarding problem rather than a DNS problem:
The sniffer shows this traffic is routed out of the ssl.root interface:
There are no routes in the routing table to route this traffic out the ssl.root interface:
There are also no policy routes to cause this traffic to route out the ssl.root interface:
Why is the traffic being routed out of the ssl.root interface?
Checking the kernel routing table with the command 'get router info kernel' shows the routes that make up the actual Forwarding Information Base (FIB). The FIB is what the kernel consults when making the forwarding decision for each packet, so it can contain entries that never appear in the routing table or policy routes seen above.
In the kernel routing table, the following routes are found:
11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11 and 192.160.0.0/13. These very large summary routes point to the ssl.root interface. Between them they cover most of the public IPv4 address space, so Internet-bound traffic is sent into the SSL VPN tunnel interface instead of out port1.
The cause of this behavior is a misconfiguration of the 'SSLVPN_TUNNEL_ADDR1' IP range address object.
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.10.1.1
        set end-ip 192.168.1.100
    next
end
SSLVPN_TUNNEL_ADDR1 is the default IP range address object used for SSL VPN and cannot be deleted. This IP range address object is used to automatically assign IP addresses to SSL VPN clients, unless another custom IP range is configured. The same issue can occur if another misconfigured address object is used for a custom IP range.
Because of this misconfiguration (an IP range of 10.10.1.1-192.168.1.100, or any other extremely large range), every address in the range is associated with the ssl.root interface. FortiOS summarises the range into the smallest set of CIDR blocks that covers it, and those blocks are the large summary routes seen in the FIB when viewing the kernel routing table.
There are two solutions to this issue.
Solution 1: delete the kernel routes (temporary).
The kernel routes can be deleted with the following syntax:
diagnose ip route delete <interface name> <IP address> <subnet mask> <gateway> <distance> <priority>
For example:
diagnose ip route delete ssl.root 11.0.0.0 255.0.0.0 0.0.0.0 0 10
When deleting a kernel route for ssl.root, the gateway will be 0.0.0.0, the distance is 0, and the priority is 10.
This solution is temporary: the misconfigured address object is still in place, so if the FortiGate is rebooted the kernel routes are reinstalled from it and the issue recurs. Each of the large summary routes listed above must be deleted individually.
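As an added example (not code from the Fortinet article), the following Python script reproduces offline the summary routes the FortiGate installs for an iprange object, flags the ones that reach outside RFC 1918 space, and prints the matching 'diagnose ip route delete' lines for Solution 1. It assumes that FortiOS summarises start-ip..end-ip into the minimal set of CIDR blocks, which is what ipaddress.summarize_address_range computes and which matches the routes listed above for 10.10.1.1-192.168.1.100. The RFC 1918 containment check and the 4096-host limit in check_iprange are this example's own heuristics for catching an oversized pool before it is committed, not FortiOS rules.

```python
#!/usr/bin/env python3
"""Added example, not from the Fortinet article.

Reproduce offline the summary routes a FortiGate installs in the kernel FIB
for an SSL VPN iprange address object, flag the ones that reach outside
RFC 1918 space, and emit the matching 'diagnose ip route delete' lines.

Assumption: FortiOS summarises start-ip..end-ip into the minimal set of CIDR
blocks, which is what ipaddress.summarize_address_range() computes.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed input: the misconfigured SSLVPN_TUNNEL_ADDR1 object from the article.
MISCONFIGURED = ("10.10.1.1", "192.168.1.100")

# RFC 1918 blocks; an SSL VPN pool is expected to sit entirely inside one of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Heuristic limit used by this example (not a FortiOS rule).
MAX_POOL_HOSTS = 4096


def fib_routes(start_ip: str, end_ip: str) -> List[IPv4Net]:
    """CIDR blocks the FortiGate would install for the iprange start_ip..end_ip."""
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    if end < start:
        raise ValueError(f"end-ip {end} is below start-ip {start}")
    return list(ipaddress.summarize_address_range(start, end))


def public_leaks(routes: List[IPv4Net]) -> List[IPv4Net]:
    """Routes not fully inside one RFC 1918 block; these capture Internet traffic."""
    return [r for r in routes if not any(r.subnet_of(p) for p in RFC1918)]


def delete_commands(routes: List[IPv4Net], iface: str = "ssl.root",
                    gateway: str = "0.0.0.0", distance: int = 0,
                    priority: int = 10) -> List[str]:
    """Solution 1: one 'diagnose ip route delete' line per kernel route.

    Gateway 0.0.0.0, distance 0 and priority 10 are the values the article
    gives for ssl.root kernel routes.
    """
    return [f"diagnose ip route delete {iface} {r.network_address} {r.netmask} "
            f"{gateway} {distance} {priority}" for r in routes]


def check_iprange(start_ip: str, end_ip: str,
                  max_hosts: int = MAX_POOL_HOSTS) -> Tuple[bool, str]:
    """Sanity-check an SSL VPN pool before committing it (example heuristic)."""
    routes = fib_routes(start_ip, end_ip)
    hosts = int(ipaddress.ip_address(end_ip)) - int(ipaddress.ip_address(start_ip)) + 1
    leaks = public_leaks(routes)
    if leaks:
        return False, (f"{len(leaks)} summary route(s) reach outside RFC 1918 space, "
                       f"e.g. {leaks[0]}")
    if hosts > max_hosts:
        return False, f"pool spans {hosts} addresses, more than the {max_hosts} allowed here"
    return True, f"pool of {hosts} addresses installs {len(routes)} kernel route(s)"


if __name__ == "__main__":
    routes = fib_routes(*MISCONFIGURED)
    print(f"{MISCONFIGURED[0]}-{MISCONFIGURED[1]} summarises into {len(routes)} routes")
    for cmd in delete_commands(public_leaks(routes)):
        print(cmd)
    print(check_iprange(*MISCONFIGURED))
    # Example of a sanely sized pool (illustrative value, not from the article).
    print(check_iprange("10.10.1.1", "10.10.1.254"))
```

Running the script against the article's range prints nine delete commands, one for each of the public-space summary routes listed above; the remaining routes for the range stay inside 10.0.0.0/8 and 192.168.0.0/16 and are not the ones stealing Internet traffic.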
Solution 2: Fix the misconfigured address object (permanent).
The permanent solution is simple: correct the range of the 'SSLVPN_TUNNEL_ADDR1' IP range address object, or of whichever IP range address object is used as a custom SSL VPN IP range, so that it covers only the addresses intended for SSL VPN clients.
For example, keeping the range within a single private subnet (the end address below is an illustrative value; size the pool for the number of concurrent SSL VPN users):

config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.10.1.1
        set end-ip 10.10.1.254
    next
end
After the extremely large IP range is corrected, the large summary routes are removed from the FIB. This can be verified by running 'get router info kernel' again.
The FortiGate can now access the Internet:
For more information on SSL VPN IP address assignments please see the documentation. For more information on configuring Address objects see the documentation.
Related articles: How to configure specific SSL VPN address pool to SSL VPN Users/Usergroup |
Copyright 2025 Fortinet, Inc. All Rights Reserved.