Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alex2000
New Contributor III

Ensuring VPN redundancy

I have 2 VPN servers. I configure them in the list when setting up the VPN client. If the first server is unavailable, the client does not connect to the second server. Am I doing something wrong?

image.png

1 Solution
Alex2000
New Contributor III

7.0.7 it is work !!!!!

 

new version bug !

View solution in original post

17 REPLIES 17
funkylicious
SuperUser
SuperUser

Hi,

I assume that each DNS entry resolves in a different IP ?

If so, on the FGT itself do you have two static routes for 0.0.0.0/0 or a sdwan config ?

 

L.E. under ssl vpn settings, you have both IPs listed under listening on interface ?

"jack of all trades, master of none"
"jack of all trades, master of none"
Alex2000

made up addresses, for example. But in my case, yes - these are 2 different fortigates. They both work if you use them by swapping them in the list. But if I turn off the first one in the list, the client does not try to connect to the second one in the same list

funkylicious
SuperUser
SuperUser

hmm, not sure about multiple remote gateways from different devices how and if it would/should work, only multiple links on the same device.

"jack of all trades, master of none"
"jack of all trades, master of none"
Alex2000

After all, the manufacturer has made it possible to add multiple VPN connections. Why are they needed then?

funkylicious
SuperUser
SuperUser

for this scenario i guess

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-SSL-VPN-Access-for-two-diffe...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-Redundancy/ta-p/189668?externalID=...


what you are trying to do in your case might work and maybe something else is not working/configured as it should on both devices

"jack of all trades, master of none"
"jack of all trades, master of none"
Alex2000

Apparently you do not understand the essence of the question. Everything is fine between the two fortigates. The client does not attempt to connect to the second one if there is no connection with the first Fortigate. I have 2 different Fortigates in different country data centers

funkylicious

Most likely I've misunderstood your issue since you mentioned 2 FGTs.

So, if I understand correctly both DNS entries are different links on the same device and you have 2 such devices with similar issues and when the first configured remote gw configured in FCT is shutdown or disabled, the 2nd remote gw is not being selected/used, is that correct ?

If so, is the sslvpn portal available, can it be reached/accessed for the 2nd one when the first is unavalable ?

You can also have a look at this, if its not already enabled https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-the-preserve-session-route/ta-p/1...

"jack of all trades, master of none"
"jack of all trades, master of none"
hbac
Staff
Staff

Hi @Alex2000,

 

I tested in my lab and it worked. Are you able to resolve the second FQDN from the client? Can you run packet sniffer on the second FortiGate to see if it receives the traffic or not. 

 

di sniffer packet any 'port 10443' 4 0 l

 

Regards, 

Alex2000
New Contributor III


I can use IP addresses instead of DNS, this is not a problem.

 

Untitled.jpg

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors