Fortinet Forum
Gianni_Alagna
New Contributor

SSL & IPSec VPN no discovering on LAN, but WAN access OK

Hello There

I'm not able to get into my LAN once SSL-VPN or IPsec VPN is configured. Both are working; I can also reach the WAN over VPN, but no device on the LAN shows up. All rules look like they have been set correctly, but still without success. May someone help out with some hints?

Working on a Fortinet FG200F

Thanks in advance for your Feedback...


alif
Staff

Hi @Gianni_Alagna,


May be a firewall policy is missing between IPsec/SSL VPN and the LAN interface.


Please collect the output of the following commands while trying to access LAN resources over IPsec/SSL VPN.


diagnose debug reset
diagnose debug flow filter addr <IP>
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable


After performing the test, you can stop debugging:
diagnose debug disable
diagnose debug reset

Regards,
SFA
Gianni_Alagna

Hi Alif

A LAN policy is already set, but it is not working;

here is the test output (IPs have been replaced by <ip>):


2022-08-14 22:03:25 FG200F # 2022-08-14 22:03:25 id=65308 trace_id=32 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-000d520b, reply direction"
2022-08-14 22:03:25 id=65308 trace_id=33 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6,<ip>:443-><ip>:60250) tun_id=0.0.0.0 from local. flag [.], seq 969117682, ack 396128528, win 85"
2022-08-14 22:03:25 id=65308 trace_id=33 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-000d520b, reply direction"
2022-08-14 22:03:25 id=65308 trace_id=34 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6,<ip>:443-><ip>:60250) tun_id=0.0.0.0 from local. flag [.], seq 969117721, ack 396128528, win 85"
2022-08-14 22:03:25 id=65308 trace_id=34 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-000d520b, reply direction"
2022-08-14 22:03:25 id=65308 trace_id=35 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6,<ip>:443-><ip>:60250) tun_id=0.0.0.0 from local. flag [.], seq 969117916, ack 396128528, win 85"
2022-08-14 22:03:25 id=65308 trace_id=35 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-000d520b, reply direction"
2022-08-14 22:03:25 id=65308 trace_id=36 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6,<ip>:443-><ip>:60250) tun_id=0.0.0.0 from local. flag [.], seq 969118315, ack 396128528, win 85"
...


Thanks in advance for your feedback.

Best

alif

Hi @Gianni_Alagna,


In the debug flow, local traffic is generated on port 443.

Can you confirm whether this is the intended traffic? Are both the source and destination IP addresses shown in the debug flow?

Also, the debug is showing that it is reply traffic.

Regards,
SFA
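As an added example (not part of this thread and not Fortinet's own tooling), a small Python parser for `diagnose debug flow` output that groups lines by `trace_id` and flags the two conditions alif points out above: packets marked `from local` (the FortiGate's own traffic, here the SSL-VPN portal on port 443) and `reply direction` hits on an existing session. Neither is the new client-to-LAN session whose policy lookup actually answers the original question, so a capture made of only such lines cannot show whether a VPN-to-LAN policy is missing. The sample lines are constructed: trace 33 mirrors the thread's output, while the `ssl.root` interface name and the `Denied by forward policy check` / `Allowed by Policy-N` messages in traces 40 and 41 are assumed forms of FortiOS debug output, not taken from the thread.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample capture modelled on the thread's lines. Addresses are
# documentation/private ranges; the ssl.root interface and the policy-verdict
# messages in traces 40/41 are assumptions about FortiOS output, not thread data.
SAMPLE_LINES = [
    # trace 33: echoed CLI prompt, self-originated port-443 reply traffic (as in the thread)
    'FG200F # 2022-08-14 22:03:25 id=65308 trace_id=33 func=print_pkt_detail line=5892 '
    'msg="vd-root:0 received a packet(proto=6,<ip>:443-><ip>:60250) tun_id=0.0.0.0 from local. '
    'flag [.], seq 969117682, ack 396128528, win 85"',
    '2022-08-14 22:03:25 id=65308 trace_id=33 func=resolve_ip_tuple_fast line=5980 '
    'msg="Find an existing session, id-000d520b, reply direction"',
    # trace 40 (assumed shape): SSL-VPN client opens SMB to a LAN host, no matching policy
    '2022-08-14 22:03:26 id=65308 trace_id=40 func=print_pkt_detail line=5892 '
    'msg="vd-root:0 received a packet(proto=6,10.212.134.200:51000->192.168.1.10:445) '
    'tun_id=0.0.0.0 from ssl.root. flag [S], seq 1, ack 0, win 64240"',
    '2022-08-14 22:03:26 id=65308 trace_id=40 func=init_ip_session_common line=6036 '
    'msg="allocate a new session-000d5300"',
    '2022-08-14 22:03:26 id=65308 trace_id=40 func=fw_forward_handler line=811 '
    'msg="Denied by forward policy check (policy 0)"',
    # trace 41 (assumed shape): same flow after a VPN-to-LAN policy exists
    '2022-08-14 22:03:27 id=65308 trace_id=41 func=print_pkt_detail line=5892 '
    'msg="vd-root:0 received a packet(proto=6,10.212.134.200:51001->192.168.1.10:445) '
    'tun_id=0.0.0.0 from ssl.root. flag [S], seq 1, ack 0, win 64240"',
    '2022-08-14 22:03:27 id=65308 trace_id=41 func=fw_forward_handler line=811 '
    'msg="Allowed by Policy-7:"',
]

# The key=value part of every debug-flow line; search() tolerates prompt echo and timestamps.
ENTRY_RE = re.compile(
    r'trace_id=(?P<trace_id>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$'
)
# The 5-tuple and ingress interface from print_pkt_detail; src/dst may be the
# thread's "<ip>" placeholder, so anything up to the next colon is accepted.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+),'
    r'(?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)\)'
    r' tun_id=\S+ from (?P<iface>\S+?)\. '
)


@dataclass
class Trace:
    trace_id: int
    proto: Optional[int] = None
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    iface: str = ""
    msgs: List[str] = field(default_factory=list)


def parse_debug_flow(lines: List[str]) -> "OrderedDict[int, Trace]":
    """Group debug-flow lines by trace_id, keeping packet details and all messages."""
    traces: "OrderedDict[int, Trace]" = OrderedDict()
    for line in lines:
        m = ENTRY_RE.search(line)
        if not m:
            continue  # blank, truncated ("...") or non-flow line
        tid = int(m.group("trace_id"))
        t = traces.setdefault(tid, Trace(trace_id=tid))
        t.msgs.append(m.group("msg"))
        p = PKT_RE.search(m.group("msg"))
        if p:
            t.proto = int(p.group("proto"))
            t.src, t.sport = p.group("src"), int(p.group("sport"))
            t.dst, t.dport = p.group("dst"), int(p.group("dport"))
            t.iface = p.group("iface")
    return traces


def assess(t: Trace, vpn_ifaces=("ssl.root",)) -> str:
    """Classify one trace the way a reviewer of the capture would."""
    if t.iface == "local":
        return "self-originated"  # FortiGate's own traffic, not a client flow
    if any("reply direction" in m for m in t.msgs):
        return "reply"  # later packet of a session already decided earlier
    if t.iface not in vpn_ifaces:
        return "not-from-vpn"
    for m in t.msgs:
        if m.startswith("Denied by forward policy check"):
            return "denied-no-policy"  # no policy from the VPN interface to the LAN
        if m.startswith("Allowed by Policy"):
            return "allowed"
    return "undetermined"


def summarize(lines: List[str]) -> Dict[int, str]:
    return {tid: assess(t) for tid, t in parse_debug_flow(lines).items()}


if __name__ == "__main__":
    for tid, t in parse_debug_flow(SAMPLE_LINES).items():
        print(f"trace {tid}: {t.src}:{t.sport} -> {t.dst}:{t.dport} from {t.iface}: {assess(t)}")
```

Run against a real capture, only traces classified `denied-no-policy` or `allowed` say anything about the VPN-to-LAN policy; if every trace comes back `self-originated` or `reply`, narrow the `diagnose debug flow filter` to the LAN host's address and start the capture before the client opens the connection, so the first packet of the new session is caught.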
Gianni_Alagna

Hi @alif ,

Thanks for the reply. The port should listen on 10443, but there's no option in the policy config to set this listening port. I'm new to Fortinet... and I'm a bit lost on that GUI.

May we have a TeamViewer session so we can check all the settings needed together?

alif

Please create a ticket with Fortinet Support for further investigation.

The TAC team will assist you and answer your queries.

Regards,
SFA