tedew
New Contributor

Accessing web page by SSL VPN web mode

Hello,

I have an issue with accessing a web page via VPN SSL web mode.

When I'm using FortiClient (SSL VPN) everything is OK.

The issue is that the page is not opening - after I clicked on the bookmark is

 

My architecture is:

 

INTERNET client with web browser -> FortiG1(Site1) <- IPsec tunnel -> FortiG2(Site2) -> Server

 

Facts:

Pages from Site1 are working via SSL VPN web mode

Pages from Site2 don't work via SSL VPN web mode, I tried a few servers

But as mentioned above, when I use FortiClient (configured to use SSL VPN tunnel mode) everything is OK, I can open pages from both sites

 

Could you please advise me where I should start checking?

 

Thank you

23 REPLIES
abarushka
Staff

Hello,

 

Do both FortiGates run the same firmware?

tedew

Hello,

Yes, 7.0.9

abarushka
Staff

Hello,

 

You may consider sniffing the traffic (diagnose sniffer packet any 'host <server IP>' 4 0 a) while trying to trigger the issue. It will help to check whether the URL is resolved and the TCP and TLS (if applicable) sessions are established.

tedew

Hello,

I ran this command on FortiG1 (Site1) and then I opened the URL.

Result below:

 

2023-01-13 09:57:00.683389 Internetl-link out 77.245.x.x.2156 -> 10.0.4.7.8080: syn 2181435520
2023-01-13 09:57:01.675735 Internetl-link out 77.245.x.x.2156 -> 10.0.4.7.8080: syn 2181435520
2023-01-13 09:57:03.675734 Internetl-link out 77.245.x.x.2156 -> 10.0.4.7.8080: syn 2181435520
2023-01-13 09:57:07.685737 Internetl-link out 77.245.x.x.2156 -> 10.0.4.7.8080: syn 2181435520

 

This IP 77.254.x.x is the one I'm using to log in to the SSL VPN portal.

 

Shouldn't FortiG1 change the public IP to some private IP?

 

Thanks

abarushka
Staff

Hello,

 

There can potentially be an issue with routing. Based on the name "Internetl-link" I would assume it is the WAN interface. You can check whether a specific route towards the server exists with "get router info routing-table details 10.0.4.7".

tedew

Hello,

Routing looks OK

 

Routing table for VRF=0
Routing entry for 10.0.0.0/8
Known via "static", distance 20, metric 0, best
* via Link1-ISP tunnel 133.27.x.x
* via Link2-Fiber tunnel 10.254.254.2

 

 

abarushka
Staff

Hello,

 

Is there a policy route configured, or was the tunnel down? The traffic sniffer indicates that the packet towards 10.0.4.7 is sent via the Internetl-link interface instead of Link1-ISP/Link2-Fiber.

tedew

Hello,

No, we don't have Advanced Routing enabled (so no policy route either).

The tunnel is up, other services between sites are OK

tedew
New Contributor

BTW

IPsec over ISPs looks like below:

 

 FortiG1(Site1 ISP-a 77.245.x.x) <- IPsec tunnel -> FortiG2(Site2 ISP-b 133.27.x.x)

 
