JohnAgora
Contributor

Can't access Fortigate through VPN

Hello,

 

We have 4 Fortigates (5.2.7) on one network.

Each has a public IP, but for security reasons I want us to be able to access them only through a VPN.

So I set up an IPSec dialup VPN. It works fine with FortiClient on Mac.

Then I put in a FW rule to access each of the devices on the internal IP (10.x.x.1-10.x.x.4) on ALL services, doing NAT, so each FW doesn't need to know that 192.168.1.x (the IP range of the connected clients) is behind FW 1.

I can do SSH and ping with no problems.

However, I can't access the devices through HTTPS (I changed HTTPS to port 4443); it doesn't load properly.

Sometimes I can see the login page, other times I get a timeout, other times it loads badly, etc.

"diagnose debug flow trace" shows the traffic flowing normally.

Any idea what it can be?

Thanks!

emnoc
Esteemed Contributor III

So you ran diag debug flow and it shows no problems? I would double-check the service port and allowaccess.

With SSL VPN you can enable the ssl.root interface with "set allowaccess ssh icmp snmp https", for example. If you have this set, unset it and re-apply it. In FortiOS 5.0.xx we ran into issues with set allowaccess not working as expected, and it required a reset.

Also, in a dialup VPN interface mode, you will do the same thing but on the exact dialup interface. Also I would run a diag sniffer packet <interface name> "port 443 or 4443" and see if the TCP SYN is being received.

Lastly, make sure any set trusthost allows the dialup IPsec IPv4 pool address ranges.

PCNSE NSE StrongSwan
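The three checks above (allowaccess on the dialup interface, trusthost covering the client pool, and a sniffer on the tunnel interface) as a FortiOS CLI walkthrough. This is an added example, not taken from the thread or from Fortinet documentation; the interface name "dialup-vpn", the admin name "admin", the pool 192.168.1.0/24 and the port 4443 are assumptions matching the poster's description.

```text
# --- 1. Admin access must be enabled on the dialup IPsec interface itself
#        (it is the interface the decrypted client traffic arrives on).
#        The interface name is the phase1-interface name; "dialup-vpn" is assumed here.
config system interface
    edit "dialup-vpn"
        set allowaccess ping https ssh
    next
end

# --- 2. The GUI/SSH port in use must match what clients connect to (4443 here).
config system global
    set admin-sport 4443
end

# --- 3. Every admin account that uses trusthost must include the IPv4 pool
#        handed to dialup clients; a trusthost that omits it silently drops logins.
#        Pool 192.168.1.0/24 is assumed from the thread.
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end

# --- 4. Confirm the TCP SYN for the GUI port actually arrives on the tunnel
#        interface (verbosity 4 prints interface names with each packet).
diagnose sniffer packet dialup-vpn 'port 4443' 4
# Expected when access works: lines like
#   dialup-vpn in 192.168.1.10.51234 -> 10.0.0.1.4443: syn ...
#   dialup-vpn out 10.0.0.1.4443 -> 192.168.1.10.51234: syn ack ...
```

If the SYN arrives but no SYN/ACK leaves, the problem is on the firewall side (allowaccess, admin-sport or trusthost); if the SYN never appears on the tunnel interface, look at the VPN policy or the client's route table instead.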
JohnAgora

Hello,

Allowaccess is properly configured, since I can sometimes access the devices (and I've double-checked it).

The VPNs are IPSec.

What I don't understand is why SSH and ping work fine.

But HTTPS sometimes works poorly (bad GUI, very slow), sometimes it just doesn't work, and very, very rarely it works fine.

The Internet connection is stable.

Are there any known bugs that behave like this? (I haven't found any.)

Thanks!

emnoc
Esteemed Contributor III

Could be TCP/MSS issues, since your ssh works fine.

PCNSE NSE StrongSwan
JohnAgora

I thought about that, did some testing, and the MTU is 1500 (normal).

Anyhow, I put in a tcp-mss of 1350. It went a little bit faster sometimes, but I still can't access it properly through https...

Any other idea?
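The MSS hypothesis raised above can be tested directly from the FortiOS CLI rather than guessed at: a DF-bit ping of increasing size finds the largest payload that fits through the tunnel, and the MSS clamp then goes on the VPN policy so large TLS records are never sent as oversized segments. This is an added example, not from the thread; the policy ID 10, the target 10.0.0.2 and the interface names are assumptions.

```text
# --- 1. Find the real path MTU through the tunnel with don't-fragment pings.
#        A 1500-byte MTU on the local interface says nothing about the tunnel:
#        ESP plus UDP encapsulation removes roughly 60-80 bytes from each packet.
execute ping-options df-bit yes
execute ping-options data-size 1472      # 1472 + 28 bytes IP/ICMP = 1500
execute ping 10.0.0.2                    # target device behind the dialup peer (assumed)
# "Frag needed" or silent loss here means the tunnel cannot carry full-size
# packets; step the size down until replies come back:
execute ping-options data-size 1372      # 1372 + 28 = 1400
execute ping 10.0.0.2

# --- 2. Clamp the MSS on the policy that carries dialup-client traffic, on both
#        directions. MSS = path MTU - 40 (IPv4 + TCP headers); 1350 is the
#        value the poster tried and is a safe choice for a 1400-byte path.
config firewall policy
    edit 10
        set srcintf "dialup-vpn"
        set dstintf "internal"
        set srcaddr "vpn-client-pool"
        set dstaddr "fortigate-mgmt-ips"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set tcp-mss-sender 1350
        set tcp-mss-receiver 1350
    next
end

# --- 3. Verify the clamp is applied: the SYN/ACK leaving the tunnel interface
#        should now advertise mss 1350 instead of the default 1460.
diagnose sniffer packet dialup-vpn 'port 4443' 4
```

SSH and ping keep working with a blackholed path MTU because their packets are small; an HTTPS login page is served in full-size segments, so a clamp that is still too high (or applied only in one direction) shows up as exactly the "loads badly or times out" symptom described in the thread.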

kanya

Hi, I've got exactly the same problem. I can connect to the ipsec vpn and everything works as expected. The only problem is when trying to access the fortinet web interface (through port 8443): it is just so slow and mostly times out. Any ideas?

Edit: I downgraded the firmware to 5.2.3 and the problem is gone.

JohnAgora

I haven't found a complete solution.

Anyhow, the problem was mainly on OSX, so we use Windows for accessing the devices.

We believe it is an issue with FortiClient (we've also had crashes of the OS).

Cheers
