Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ABE_63
New Contributor III

Created on ‎01-16-2024 10:18 AM

Can't connect to LAN when VPN connection is made over wireless access point.

I have tried to create a VPN connection from a device connected to a fortinet wireless AP to a device connected to another port on the Fortigate. I have managed to successfully get an IPSec VPN connection, but when connected, i can not ping the other device. Here are the current policies I have in place in an attempt to achieve this:

 

Outbound Policy (SSID to Internal):

  • Incoming Interface: SSID interface.
  • Outgoing Interface: Port 2 (internal network).
  • Source: SSID subnet. User: VPN_User_Group
  • Destination: Internal network subnet.
  • Action: Accept.
  • Service: All.

Inbound Policy (Internal to SSID):

  • Incoming Interface: Port 2 (internal network).
  • Outgoing Interface: SSID interface.
  • Source: Internal network subnet.
  • Destination: SSID subnet.
  • Action: Accept.
  • Service: All.

IPSec Policy (IPSec to Internal):

  • Incoming Interface: IPSec interface.
  • Outgoing Interface: Port 2 (internal network).
  • Source: Client address range subnet. User: VPN_User_Group
  • Destination: Internal network subnet.
  • Action: Accept.
  • Service: All.

When i try ping the internal network interface, i get "request timed out". I can only ping as far as the AP interface. There is the port interface that the AP connects to so my next step is to look at what policies may need to be applied using this interface. Any help is greatly appreciated.

Labels:
1570
0 Kudos
4 REPLIES 4
AEK
SuperUser
SuperUser

Created on ‎01-16-2024 11:20 AM

The following may help you in troubleshooting:

  • Check the routing table of the client once it is connected to VPN
  • Check the traffic logs on FGT to see if the packets are arriving from VPN client, and if they are accepted, and if there is a reply from the VPN server
AEK
AEK
1550
0 Kudos
LunarEcho
New Contributor II

Created on ‎01-16-2024 12:42 PM

Double-check your policies for the port interface the AP is connected to. Also, any chance there's a firewall on the AP itself causing the timeout?

1539
0 Kudos
hbac
Staff
Staff

Created on ‎01-17-2024 07:21 AM

Hi @ABE_63,

 

Please run debug flow to see if the traffic is being dropped. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Example (Replace x.x.x.x with destianation IP): 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr x.x.x.x
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 

1490
0 Kudos
mle2802
Staff
Staff

Created on ‎01-17-2024 07:37 AM

hi @ABE_63

Can you try to run a sniffer to see packet is flowing using the command diag sniffer packet any "host X.X.X.X and icmp" 4 0 l

Regards, 

1487
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.