Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
welma
New Contributor

Cannot connect to VPN from other sites.

Is there a setting that blocks users currently on site to connect to another SSLVPN FortiGate from another site?

Every time I go to this 3rd party location I can never connect to our own VPN. It gets stuck at 10% and says "Unable to establish the VPN connection. The VPN server may be unreachable." They are also using FortiGate.

If I disconnect from their network and connect to the phone hotspot I am able to login to VPN just fine.

Pinging the remote public IP of the remote FortiGate works fine.

VidMate
6 REPLIES 6
dbu
Staff
Staff

hi @welma , 

There is an option under SSL VPN settings to restrict access to specific hosts. 

Double check the FGT configuration under the SSL VPN setting > Restrict Access . 
What is the choosen option there allow all host or specify hosts ? If specified is the network of that site you are trying to access from included ? 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
mhemambika
Staff
Staff

Dear Welma,

 

 

Could you please check below:
1)Are you able to ping to FortiGate IP.

2)Are you able to telnet to SSL listening interface on ssl port.
3)If so, Please check if there are any restrictions in source address of ssl vpn settings.

4)Also check if there is any restrictions from source address for the given authentication rule/portal.

 

Hope this helps!

hbac
Staff
Staff

Hi @welma,

 

The FortiGate at the 3rd party location might only allow specific services such as HTTPS, DNS, and ICMP. Which port are you using to connect to the SSLVPN? 

 

Regards, 

ndumaj
Staff
Staff

Hello Welma,

It is obvious that there is a network restriction on this 3-rd party location network.
Pinging Fortigate public IP is not enough,
You need to test telnet to Fortigate Public IP/FQDN on VPN port, you can also try the SSL VPN Web mode if you are able to access it.

-BR-

- Happy to help, hit like and accept the solution -
Toshi_Esumi

Or just ask whoever manage the FGT at the 3rd party location if your SSL VPN port (like TCP 10443) access is prohibited/blocked.

 

Toshi

pavankr5
Staff
Staff

Hello @welma ,

 

The cause may vary depending on the percentage the negotiation stops at 10%.

  • The error may be 'Unable to establish the VPN connection. The VPN server may be unreachable'.
  • The issue is usually due to a network connection.
  • Check whether the PC is able to access the internet and reach the VPN server on the necessary port.
  • Check whether the correct remote Gateway and port are configured in FortiClient settings.
  • Confirm whether the server certificate has been selected in FortiGate SSL VPN settings.
  • Check firewall policy to make sure there is at least one policy with Incoming Interface as SSL VPN tunnel interface (ssl.root).


    let us know if you have any queries.

Thanks, 

Pavan

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors