Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
epinheiro
Staff
Staff

Created on ‎10-31-2024 11:31 AM

Article Id 354644

Troubleshooting Tip: Workaround for remote users unable to access a multicast server via dial-up IPsec VPN

Description This article describes a workaround to access multicast servers using a VPN for remote users.
Scope FortiGate, VPN, IPsec, SSL VPN.
Solution

When trying to access a Multicast server via a dial-up IPsec VPN, the multicast client receives traffic from the multicast server, but the service does not run.

 

Topology:

2024-10-31_18_27-001390.jpg

 

Related document:

Configuring multicast forwarding 

 

Debugging the flow, the following information can be found: 'No matching IPsec selector, drop'

 

2024-10-31_17_11-001386.jpg

 

The curious point of this log is that all sources and destinations are allowed in the phase 2 selectors.

 

VPN Phase 2 selectors.jpg

 

When using a dial-up VPN with FortiClient, FortiClient will always use its IP address as the destination address in the phase 2 selector. Therefore, the return traffic from its IP to the multicast address via the dial-up VPN will be dropped because the destination address in the phase 2 selectors does not match:

 

Phased 2 selectors changed when connected.jpg

 

As a workaround, SSL VPN can be used and it will work properly:

 

2024-10-31_18_02-001388.jpg

 
366
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.