- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Can't ping VLAN interfaces through VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't ping VLAN interfaces through VPN
Hello - I have 5 vlans configured on my FGT 60F. I am using SSL VPN. I have left the internal physical IP at 192.168.1.99. My VLAN interfaces are 10.235.20.1, ...30.1, ...40.1, ...60.1 and ...100.1.
I created a policy for inter-vlan routing. When I connect directly to my FGT, I can ping all VLAN interfaces and the physical interface. All good.
When I connect with Forticlient, I can ping the internal 192.168.1.99 phyiscal IP but I cannot ping any of the VLAN interfaces. I have nothing connected to the VLANs but I would have assumed I'd be able to ping the interfaces, especially since it's successful when I'm directly connected to the FGT. See below. Any thoughts?
Thanks,
Joel
Labels:
- Labels:
-
Firewall policy
-
FortiClient
-
FortiGate
-
VLAN
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jnapier4
Please enter the following commands in FG CLI, then try ping the VLAN interface from VPN client.
diag debug flow filter addr <VPN-Client-IP>
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug console timestamp enable
diag debug flow trace start 10
diag debug enable
Please share the output once done.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here you go...
FortiGate-60F # 2024-04-27 12:39:57 id=20085 trace_id=1 func=print_pkt_detail line=5822 msg="vd-root:0 received a packet(proto=1, 172.16.0.50:1->10.235.30.1:2048) from ssl.root. type=8, code=0, id=1, seq=24."
2024-04-27 12:39:57 id=20085 trace_id=1 func=init_ip_session_common line=5993 msg="allocate a new session-0001e67c"
2024-04-27 12:39:57 id=20085 trace_id=1 func=iprope_dnat_check line=5121 msg="in-[ssl.root], out-[]"
2024-04-27 12:39:57 id=20085 trace_id=1 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-04-27 12:39:57 id=20085 trace_id=1 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-04-27 12:39:57 id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=84000000 gw-10.235.30.1 via root"
2024-04-27 12:39:57 id=20085 trace_id=1 func=iprope_fwd_check line=765 msg="in-[ssl.root], out-[VLAN30], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-04-27 12:39:57 id=20085 trace_id=1 func=__iprope_tree_check line=557 msg="gnum-100004, use addr/intf hash, len=2"
2024-04-27 12:39:57 id=20085 trace_id=1 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
2024-04-27 12:39:57 id=20085 trace_id=1 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-04-27 12:39:57 id=20085 trace_id=1 func=__iprope_user_identity_check line=1777 msg="ret-matched"
2024-04-27 12:39:57 id=20085 trace_id=1 func=__iprope_check_one_policy line=2174 msg="policy-0 is matched, act-drop"
2024-04-27 12:39:57 id=20085 trace_id=1 func=iprope_fwd_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-04-27 12:39:57 id=20085 trace_id=1 func=fw_local_in_handler line=447 msg="iprope_in_check() check failed on policy 0, drop"
2024-04-27 12:40:02 id=20085 trace_id=2 func=print_pkt_detail line=5822 msg="vd-root:0 received a packet(proto=1, 172.16.0.50:1->10.235.30.1:2048) from ssl.root. type=8, code=0, id=1, seq=25."
2024-04-27 12:40:02 id=20085 trace_id=2 func=init_ip_session_common line=5993 msg="allocate a new session-0001e696"
2024-04-27 12:40:02 id=20085 trace_id=2 func=iprope_dnat_check line=5121 msg="in-[ssl.root], out-[]"
2024-04-27 12:40:02 id=20085 trace_id=2 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-04-27 12:40:02 id=20085 trace_id=2 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-04-27 12:40:02 id=20085 trace_id=2 func=vf_ip_route_input_common line=2615 msg="find a route: flag=84000000 gw-10.235.30.1 via root"
2024-04-27 12:40:02 id=20085 trace_id=2 func=iprope_fwd_check line=765 msg="in-[ssl.root], out-[VLAN30], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-04-27 12:40:02 id=20085 trace_id=2 func=__iprope_tree_check line=557 msg="gnum-100004, use addr/intf hash, len=2"
2024-04-27 12:40:02 id=20085 trace_id=2 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
2024-04-27 12:40:02 id=20085 trace_id=2 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-04-27 12:40:02 id=20085 trace_id=2 func=__iprope_user_identity_check line=1777 msg="ret-matched"
2024-04-27 12:40:02 id=20085 trace_id=2 func=__iprope_check_one_policy line=2174 msg="policy-0 is matched, act-drop"
2024-04-27 12:40:02 id=20085 trace_id=2 func=iprope_fwd_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-04-27 12:40:02 id=20085 trace_id=2 func=fw_local_in_handler line=447 msg="iprope_in_check() check failed on policy 0, drop"
2024-04-27 12:40:07 id=20085 trace_id=3 func=print_pkt_detail line=5822 msg="vd-root:0 received a packet(proto=1, 172.16.0.50:1->10.235.30.1:2048) from ssl.root. type=8, code=0, id=1, seq=26."
2024-04-27 12:40:07 id=20085 trace_id=3 func=init_ip_session_common line=5993 msg="allocate a new session-0001e6af"
2024-04-27 12:40:07 id=20085 trace_id=3 func=iprope_dnat_check line=5121 msg="in-[ssl.root], out-[]"
2024-04-27 12:40:07 id=20085 trace_id=3 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-04-27 12:40:07 id=20085 trace_id=3 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-04-27 12:40:07 id=20085 trace_id=3 func=vf_ip_route_input_common line=2615 msg="find a route: flag=84000000 gw-10.235.30.1 via root"
2024-04-27 12:40:07 id=20085 trace_id=3 func=iprope_fwd_check line=765 msg="in-[ssl.root], out-[VLAN30], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-04-27 12:40:07 id=20085 trace_id=3 func=__iprope_tree_check line=557 msg="gnum-100004, use addr/intf hash, len=2"
2024-04-27 12:40:07 id=20085 trace_id=3 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
2024-04-27 12:40:07 id=20085 trace_id=3 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-04-27 12:40:07 id=20085 trace_id=3 func=__iprope_user_identity_check line=1777 msg="ret-matched"
2024-04-27 12:40:07 id=20085 trace_id=3 func=__iprope_check_one_policy line=2174 msg="policy-0 is matched, act-drop"
2024-04-27 12:40:07 id=20085 trace_id=3 func=iprope_fwd_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-04-27 12:40:07 id=20085 trace_id=3 func=fw_local_in_handler line=447 msg="iprope_in_check() check failed on policy 0, drop"
2024-04-27 12:40:12 id=20085 trace_id=4 func=print_pkt_detail line=5822 msg="vd-root:0 received a packet(proto=1, 172.16.0.50:1->10.235.30.1:2048) from ssl.root. type=8, code=0, id=1, seq=27."
2024-04-27 12:40:12 id=20085 trace_id=4 func=init_ip_session_common line=5993 msg="allocate a new session-0001e6c8"
2024-04-27 12:40:12 id=20085 trace_id=4 func=iprope_dnat_check line=5121 msg="in-[ssl.root], out-[]"
2024-04-27 12:40:12 id=20085 trace_id=4 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-04-27 12:40:12 id=20085 trace_id=4 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-04-27 12:40:12 id=20085 trace_id=4 func=vf_ip_route_input_common line=2615 msg="find a route: flag=84000000 gw-10.235.30.1 via root"
2024-04-27 12:40:12 id=20085 trace_id=4 func=iprope_fwd_check line=765 msg="in-[ssl.root], out-[VLAN30], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-04-27 12:40:12 id=20085 trace_id=4 func=__iprope_tree_check line=557 msg="gnum-100004, use addr/intf hash, len=2"
2024-04-27 12:40:12 id=20085 trace_id=4 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
2024-04-27 12:40:12 id=20085 trace_id=4 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-04-27 12:40:12 id=20085 trace_id=4 func=__iprope_user_identity_check line=1777 msg="ret-matched"
2024-04-27 12:40:12 id=20085 trace_id=4 func=__iprope_check_one_policy line=2174 msg="policy-0 is matched, act-drop"
2024-04-27 12:40:12 id=20085 trace_id=4 func=iprope_fwd_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-04-27 12:40:12 id=20085 trace_id=4 func=fw_local_in_handler line=447 msg="iprope_in_check() check failed on policy 0, drop"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The logs said policy-0 is matched, it means your configured policy didn't match the traffic.
- Please share the SSLVPN_TUNNEL_ADDR1 and "VLAN30 address" objects values
- Make sure the user you are connected with is in group RemoteUsers
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, what is the destination interface in your policy? It must be VLAN30 otherwise it will not match the traffic.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try disabling offloading in the policy and try to collect logs,
also sniffer will be helpful to see where traffic is going out
Security all we want
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello jnapier4,
The firewall policy that you need is from source interface ssl.root to destination interface VLAN30.
Related Posts
- VLANS are not functioning in my... 76 Views
- Options to pass a VLAN through... 50 Views
- Implementing FGSP with OSPF ECMP based... 78 Views
- Fortilink-Passive Firewall Fiber Interface Seen Down 100 Views
- L2 Traffic Forwarding 106 Views
Labels
-
FortiGate
6,666 -
FortiClient
1,328 -
5.2
801 -
5.4
639 -
FortiManager
577 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
77 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
LDAP
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SSO
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.