Support Forum
andribenjul
New Contributor

Can not establish SSL VPN connection using fortiddns

I have followed the tutorial at the following link https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-DDNS-for-SSL-VPN/ta-p/194137, but still cannot connect SSL VPN using DDNS.
I have followed all the exact same methods, but the error "Unable to establish the VPN connection. The VPN server may be unreachable." still appears.

Please give me advice, thank you.

(screenshot attached: Untitled.png)

bpozdena_FTNT

There are not enough visible details to give any specific answer. But just based on what can be seen on the DDNS screenshot, the IP address ends with "...87", while based on the SSL VPN settings screenshot, WAN2 is configured with IP address 192.168.1.3.

 

Make sure the DNS record resolves into the correct IP address and that the IP address is reachable from the client.

HTH,
Boris
andribenjul

My ISP does not provide a public IP, so I use DHCP on WAN2 and get IP 192.168.1.2.
On DNS I created a dynamic DNS record, enabled "Use IP Public", and I get IP 180.244.161.87.
I have also tried disabling "Use IP Public", but still cannot connect SSL VPN using DDNS.
In the firewall policy I set SSL TUNNEL to the internal interface; on the source I select SSLVPN_TUNNEL, the VPN user, and the VPN group, and on the destination I select the internal group.
I have also tried selecting "all" and the VPN group in the source section.
I attach screenshots below; please let me know if there are screenshots of my config that you want to see in more detail.
(screenshots attached: forticlient, policy, ddns, dns, interface)

bpozdena_FTNT

You will need to contact your ISP to make the FortiGate routable from the Internet. Either purchase a public IP or ask your ISP to DNAT the traffic to your FortiGate.

HTH,
Boris
sjoshi
Staff

Dear andribenjul,

 

Please share the output of the commands below, collected at the time of the issue.

PuTTY SSH1:
------------

get vpn ssl monitor
diagnose vpn ssl list
diagnose firewall auth list
dia vpn ssl statistics
exec vpn sslvpn list
get system status
diag vpn ssl stat


PuTTY SSH2:
------------

diag sys flash list
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fn -1
diag debug enable

Wait till the VPN disconnects, then disable the logs by executing

diag debug disable
diag debug reset

Let us know if this helps.
Salon Raj Joshi
hbac

Hi @andribenjul,

 

Your domain name doesn't resolve to the correct IP. It should resolve to your public IP address, not private IP. You can open a ticket with TAC to reset the DNS record because right now, it is tied to 192.168.1.3. 

 

(screenshot attached: ping.PNG)

 

Regards, 

andribenjul
New Contributor

Hi @hbac, thanks for the reply. It's because I had disabled "Use IP Public" in the DDNS configuration.

Then I enabled it, and now it resolves to the public IP, but the ping still gets "request timed out".

FYI, I can do IPsec site-to-site with this DDNS; it works normally.

(screenshots attached: site to site, ping)

pbangari

Hi,

Please take debugs using the commands below and share them here for checking:

 

diag debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fnbamd -1
diag debug enable

Wait till the VPN disconnects, then disable the logs by executing

diag debug disable
diag debug reset

hbac

Hi @andribenjul,

 

Now that it is resolving correctly, you can go ahead to collect debugs and packet captures. 

• Run this command for packet capture and try to connect to VPN. If you don't see any output, you need to check with your ISP and make sure they forward port 4433 to the FortiGate. 

di sniffer packet any 'port 4433' 4 0 l 

• Run the following commands for debugs and try to connect to the VPN:

di deb res 

di deb app sslvpn -1 

di deb app fnbamd 255

di deb console timestamp enable

di deb en 

 

Regards,
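The two checks the replies keep coming back to (does the DDNS name resolve to a routable public address, and does anything answer on the SSL VPN port from the client side) can be run from the client before touching FortiGate debugs. The script below is an added example, not code from the thread or from Fortinet; the hostname `vpn.example.com` is a placeholder, `check_ddns`/`is_routable` are my own names, and the resolver and connector are injectable so the classification logic runs offline.

```python
import ipaddress
import socket

SSLVPN_PORT = 4433  # the port hbac says the ISP must forward to the FortiGate


def is_routable(ip: str) -> bool:
    """Could an Internet client reach this address at all?

    is_global is False for RFC1918 space (e.g. 192.168.1.3 from the thread),
    loopback, link-local and the CGNAT range 100.64.0.0/10, which is what an
    ISP that "does not provide a public IP" typically hands out.
    """
    return ipaddress.ip_address(ip).is_global


def _default_resolve(hostname: str):
    # Real DNS lookup (IPv4 only, deduplicated and sorted for stable output).
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def _default_connect(ip: str, port: int, timeout: float = 5.0) -> bool:
    # Plain TCP connect: equivalent to "does the sniffer on port 4433 see anything".
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def check_ddns(hostname: str, port: int = SSLVPN_PORT,
               resolve=_default_resolve, connect=_default_connect) -> dict:
    """Classify why a client cannot reach an SSL VPN published via a DDNS name."""
    try:
        addrs = resolve(hostname)
    except OSError:
        addrs = []
    if not addrs:
        return {"status": "no-record", "addresses": [], "reason": "DDNS name does not resolve"}
    if any(not is_routable(a) for a in addrs):
        # The case from the thread: the record was updated with the WAN's private DHCP address.
        return {"status": "private-ip", "addresses": addrs,
                "reason": "record points at a non-routable address; enable the public-IP DDNS option"}
    reachable = [a for a in addrs if connect(a, port)]
    if not reachable:
        return {"status": "port-closed", "addresses": addrs,
                "reason": f"tcp/{port} not answering: check ISP port forwarding / CGNAT and the SSL VPN listen interface"}
    return {"status": "ok", "addresses": reachable, "reason": f"tcp/{port} accepted the connection"}


if __name__ == "__main__":
    print(check_ddns("vpn.example.com"))  # placeholder hostname
```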
