Computers or Devices behind FortiClient VPN not accessible from the LAN network
I am a newbie with the FortiGate firewall and FortiClient VPN, and I have been struggling with this issue for the past 3 months; I hope you can help me resolve it. We are using FortiClient VPN to connect into the company LAN network to access resources, and that is working fine, but we cannot connect to any computer or device from the LAN network into our laptops. Anything behind the FortiClient is not accessible from the LAN; I cannot even PING the IP/hostname addresses of the local laptops.
How can I establish a connection or communication from the LAN into our laptops or printers behind the FortiClient VPN?
I am using FortiGate 40F v7.2.5 build 1517 and FortiClient VPN 7.0.8.0427 on Windows 10 and Windows Server 2019 operating systems.
The FortiGate firewall might not have rules that allow incoming connections to the VPN clients. Check whether Network Address Translation (NAT) settings could be affecting the routing. If you're using split tunneling, only traffic destined for the company's LAN will go through the VPN tunnel. The VPN policy might be set up in a way that only allows one-way traffic.
Steps to troubleshoot:
Check Firewall Policies.
Check NAT Configuration.
If you're using split tunneling, try disabling it temporarily to see if that resolves the issue.
Check the routing tables to make sure that the LAN knows how to route traffic to the VPN network.
Make sure the Local LAN and Remote LAN are properly set, and the policy allows traffic in both directions.
Please make sure you have a firewall policy allowing traffic from the lan interface to the ssl.root interface. That is the first thing you need to check. If it is already there, please run a debug flow as follows (replace x.x.x.x with the source and destination IP):

    di deb disable
    di deb res
    diagnose debug flow filter clear
    di deb flow filter saddr x.x.x.x    <<< Source IP
    di deb flow filter daddr x.x.x.x    <<< Destination IP
    diagnose debug flow show function-name enable
    di deb flow show iprope en
    diagnose debug console timestamp enable
    diagnose debug flow trace start 500
    diagnose debug enable
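A FortiOS CLI fragment showing the return-direction policy the reply above asks for, next to the usual client-to-LAN policy, added here as an illustration and not taken from the poster's configuration. It assumes the internal interface is named "lan", the default SSL VPN pool object SSLVPN_TUNNEL_ADDR1, an address object LAN_SUBNET for the internal network, and a hypothetical user group SSLVPN_USERS.

```text
# Added example (not the original poster's config). Assumed names:
# interface "lan", address objects LAN_SUBNET and SSLVPN_TUNNEL_ADDR1
# (FortiOS default SSL VPN pool), user group SSLVPN_USERS.
config firewall policy
    # Policy 1: VPN clients reach the LAN. This is the direction the
    # original post says already works.
    edit 0
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_SUBNET"
        set groups "SSLVPN_USERS"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policy 2: LAN hosts reach VPN clients. Without a policy whose
    # srcintf is lan and dstintf is ssl.root, the FortiGate drops
    # LAN-initiated packets and the debug flow shows them denied.
    edit 0
        set name "LAN-to-SSLVPN"
        set srcintf "lan"
        set dstintf "ssl.root"
        set srcaddr "LAN_SUBNET"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        # Only the services the LAN actually needs toward the clients
        set service "PING" "RDP"
        # No source NAT: the client must see the real LAN address so
        # its replies are routed back through the tunnel
        set nat disable
        set logtraffic all
    next
end
```

Once this policy exists and the debug flow shows the packet accepted, the remaining place to look is the laptop itself: Windows Defender Firewall blocks inbound ICMP echo requests by default, so a ping can still fail even though the FortiGate forwards it.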
Hi @Abel, can you try to ping from a LAN PC to the FortiClient device and run the following commands on the FortiGate:

    di deb res
    di deb flow filter addr x.x.x.x    (FortiClient assigned IP)
    di deb flow filter proto 1
    diagnose debug flow show function-name enable
    di deb flow show iprope en
    diagnose debug console timestamp enable
    diagnose debug flow trace start 500
    diagnose debug enable