I have followed the tutorial at the following link https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-DDNS-for-SSL-VPN/ta-p/194137, but still cannot connect SSL VPN using DDNS.
I have followed all the exact same methods, but the error "Unable to establish the VPN connection. The VPN server may be unreachable." still appears.
Please give me advice, thank you.
There are not enough visible details to give any specific answer. But just based on what can be seen on the DDNS screenshot, the IP address ends with "...87", while based on the SSL VPN settings screenshot, WAN2 is configured with IP address 192.168.1.3.
Make sure the DNS record resolves into the correct IP address and that the IP address is reachable from the client.
My ISP does not provide a public IP, so I use DHCP on WAN2 and get IP 192.168.1.2.
On DNS I create a Dynamic DNS entry, enable "Use IP Public", and I get IP 180.244.161.87.
I have also tried disabling "Use IP Public", but still cannot connect SSL VPN using DDNS.
In the firewall policy I set SSL TUNNEL to the internal interface; for the source I select SSLVPN_TUNNEL, the VPN user, and the VPN group, and for the destination I select the internal group.
I have also tried selecting "all" and the VPN group in the source section.
I attach screenshots below, please let me know if there are screenshots of my config that you want to see in more detail.
You will need to contact your ISP to make the FortiGate routable from the Internet. Either purchase a public IP or ask your ISP to DNAT the traffic to your FortiGate.
Dear andribenjul,
Please share the output of the commands below during the time of the issue.
PuTTY SSH1:
------------
get vpn ssl monitor
diagnose vpn ssl list
diagnose firewall auth list
dia vpn ssl statistics
exec vpn sslvpn list
get system status
diag vpn ssl stat
PuTTY SSH2:
------------
diag sys flash list
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fn -1
diag debug enable
Wait until the VPN disconnects, then disable the logs by executing:
diag debug disable
diag debug reset
Hi @sjoshi, I attach the following as per your instructions.
https://www.dropbox.com/scl/fo/najr2r3mv5ld2jiktpci7/h?rlkey=q1q0mdw1zocqlavpizt4o2jfl&dl=0
Hi @andribenjul,
Your domain name doesn't resolve to the correct IP. It should resolve to your public IP address, not private IP. You can open a ticket with TAC to reset the DNS record because right now, it is tied to 192.168.1.3.
Regards,
Hi @hbac, thanks for the reply. It's because I had disabled "Use IP Public" in the DDNS configuration.
Then I enabled it, and now it resolves to the public IP, but the ping still gets a request timeout.
FYI, I can do IPsec site-to-site with this DDNS; it works normally.
Hi,
Please take a debug using the commands below and share it here for checking:
diag debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fnbamd -1
diag debug enable
Wait until the VPN disconnects, then disable the logs by executing:
diag debug disable
diag debug reset
Hi @andribenjul,
Now that it is resolving correctly, you can go ahead to collect debugs and packet captures.
• Run this command for packet capture and try to connect to VPN. If you don't see any output, you need to check with your ISP and make sure they forward port 4433 to the FortiGate.
di sniffer packet any 'port 4433' 4 0 l
• Run the following commands for debugs and try to connect to the VPN:
di deb res
di deb app sslvpn -1
di deb app fnbamd 255
di deb console timestamp enable
di deb en
Regards,
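The two checks the replies above keep coming back to (does the DDNS name resolve to a public address, and does the FortiGate actually own that address or sit behind the ISP's NAT) can be run from the VPN client side before collecting debugs. The script below is an added example written for this thread, not code from Fortinet or from anyone in the discussion. It assumes Python 3 on the client, the port 4433 used in the thread, and a WAN address you read off the FortiGate; the sample addresses are the ones quoted in the posts above and are embedded only so the script runs offline.

```python
import ipaddress
import socket
import sys

# 100.64.0.0/10 is carrier-grade NAT "shared address space" (RFC 6598). An ISP that hands
# out such an address, or an RFC 1918 one, is NATing the customer: inbound TCP/4433 from
# the Internet never reaches the FortiGate unless the ISP forwards it.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
SSLVPN_PORT = 4433  # port used in the thread; assumption, adjust to your SSL VPN settings

# Constructed sample from the thread: WAN2 has 192.168.1.2 via DHCP, the DDNS record
# first showed 192.168.1.3 and then 180.244.161.87 after enabling "Use Public IP".
SAMPLE_WAN_IP = "192.168.1.2"
SAMPLE_RECORDS = ["192.168.1.3", "180.244.161.87"]


def classify_address(addr: str) -> str:
    """Classify a literal IP as 'public', 'private', 'cgnat' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.version == 4 and ip in CGNAT:   # checked first: not every Python marks it private
        return "cgnat"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        return "private"
    return "public"


def diagnose(resolved_ip: str, wan_ip: str) -> list:
    """Compare what the DDNS name resolves to with the address on the FortiGate WAN port.

    Finding codes returned:
      ddns-not-public    record points at a private/CGNAT address (e.g. 'Use Public IP' off)
      wan-behind-nat     WAN port holds a non-public address, so the ISP must DNAT TCP/4433
                         to the FortiGate or provide a public IP
      ddns-wan-mismatch  both public but different: stale or wrong DDNS record
    An empty list means record and interface agree on one public address.
    """
    findings = []
    if classify_address(resolved_ip) != "public":
        findings.append("ddns-not-public")
    if classify_address(wan_ip) != "public":
        findings.append("wan-behind-nat")
    elif "ddns-not-public" not in findings and \
            ipaddress.ip_address(resolved_ip) != ipaddress.ip_address(wan_ip):
        findings.append("ddns-wan-mismatch")
    return findings


def resolve(name: str) -> list:
    """All addresses the DDNS name currently resolves to (A and AAAA), as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to host:port completes; False on refusal or timeout.
    A timeout with an already-correct record is the 'no output in the sniffer' case."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # usage: python ddns_check.py <ddns-name> <fortigate-wan-ip> [port]
    # With no arguments it only evaluates the constructed sample from the thread (offline).
    if len(sys.argv) < 3:
        for rec in SAMPLE_RECORDS:
            print(f"sample record {rec} ({classify_address(rec)}) vs WAN {SAMPLE_WAN_IP}: "
                  f"{diagnose(rec, SAMPLE_WAN_IP) or 'no findings'}")
        sys.exit(0)
    name, wan = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else SSLVPN_PORT
    for ip in resolve(name):
        print(f"{name} -> {ip} ({classify_address(ip)}): {diagnose(ip, wan) or 'no findings'}")
        print(f"  TCP/{port} reachable from this client: {tcp_reachable(ip, port)}")
```

Run it from the client with the DDNS name and the address shown on WAN2. A "wan-behind-nat" finding with the record already public matches the state in the thread after "Use IP Public" was enabled: nothing is wrong on the FortiGate side of DNS, the ISP simply does not deliver TCP/4433 to it, which is also what an empty `di sniffer packet any 'port 4433'` capture would show.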