Sure.... see below....

    edit 6         set name "SSL VPN traffic to SSL VPN traffic"         set uuid 32cd8256-694f-51ea-a654-xxxxxxxxxxxxxx         set srcintf "ssl.root"         set dstintf "ssl.root"         set srcaddr "goodwill-FC-VPN-x.x.x.x_21"         set dstaddr "goodwill-FC-VPN-x.x.x.x_21"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set ssl-ssh-profile "certificate-inspection"         set webfilter-profile "monitor-all"         set logtraffic all         set groups "SSL VPN General Users" "SSL VPN CMS Users"         set comments "Used for Remote Support"     next

If it shows up int sniffing and flow debugging: coming in ssl.root and going out ssl.root, it must be the destination machine. So set up a two machines with SSL VPN up and run wireshark on the destination side while pining from the source to the destination.

OK... so here's a couple of tests sniffing packets from the ssl.root interface...

#1. PASS - I have a Cisco ASA in parallel with the FGT-400E that the FortliClients terminate on. I can see traffic flow from Cisco AC to FC-VPN.

#2. FAIL - I then connect a FC-VPN client to FC-VPN client that hits the accept rule and this happens.

Both are to the same destination machine of 172.20.0 6 that is successful from the Cisco AC but not successful from the FortiHairpining.

OK... so here's a couple of tests sniffing packets from the ssl.root interface...

#1. PASS - I have a Cisco ASA in parallel with the FGT-400E that the FortliClients terminate on. I can see traffic flow from Cisco AC to FC-VPN from the internal int to the ssl.root int of the SSL VPN clients.

 [link]https://photos.app.goo.gl/TETgsfecY8pVm8Wn8[/link]

#2. FAIL - I then connect a FC-VPN client to FC-VPN client that hits the accept rule and this happens.

[link]https://photos.app.goo.gl/xuaHHebmFJK8MpKj9[/link]

 Both sniffs are to the same destination machine of 172.20.0.6 that is successful from the Cisco AC but not successful from the FortiClient hairpining on the ssl.root interface.

Then run "flow debug" to see why it's dropped. I would use ping packets for a matter of simplicity. You should see if it's hitting the policy 6 or not as well.

Yeah... this was the damnedest thing and I'm still not sure if I understand it but it's working.

In order to resolve this I needed to modify my ssl tunnel address range used for the client pool. My range was from x.x.x.1 to x.x.x.100. When I modified it to x.x.x.10 to x.x.x.100, access started working. I'm thinking that this range overlapped with some psuedo-ip on the ssl.root interface. Once changed, everything started working.

Thanks for the suggestions. Cheers!

That's one of many reasons we almost never use "range" but "subnet" wherever we configure something under "config firewall address". Very easy to overlook overlaps beyond subnet boundaries.