Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- First IP on SSL-VPN has no network access
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First IP on SSL-VPN has no network access
Hi,
we use SSL-VPN with FortiClient via Entra ID SAML. We have 3 Entra groups for accessing SSL-VPN. The IP range for all clients on SSL-VPN is 192.168.15.1 - 192.168.15.254.
Strangely, when a clients gets the assigned the IP 192.168.15.1, FortiClient connects but there's no network access. Bytes sent / received in FortiClient is only a few kbytes. When I view the logs, I see that the Client mostly only does DNS / LDAP requests to our domain controller. But no SMB to our fileserver or whatsoever. When I try to run ICMP to the domain controller, I get a timeout. Wierdly enough, under forward logs I see "PING ACCEPT (240B / 240B) - so from FGT's perspective, it replies to the ICMP request done by 192.168.15.1.
I also ran Wireshark on the client and there it gets eaven crazier. When I monitor the SSL-VPN interface, I only see the ICMP reply from the domain controller to the client but not the ICMP request leaving through the SSL-VPN interface.
This happend on multiple devices but not on all of them, always when the .1 was assigned. That address is not used anywhere else on the network. I also checked FGT's FIB, the address is not in conflict. As a workaround, I set the assigning IP range starting from 192.168.15.2. But what could possibly be the culprit here? It might be a local problem but I already checked IP conflicts via "route print" and "Get-NetIPAddress" but the IP always was unique to the Fortinet SSL VPN Adapter.
Labels:
- Labels:
-
FortiClient
-
FortiGate
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
is the same range also set in the sslvpn portals ( source ip pools ) / firewall rules / sslvpn settings ( tunnel mode client settings > address range / automatically assign addresses ) ? maybe a typo was made in a object that is used.
as for the routing table, when a computer is assigned that IP can you see it with the command, get router info kernel | grep 192.168.15. as part of any block ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, double checked all address objects, on FGT it's all set correctly. On some clients, it is actually working even when the user is in the same SSLVPN Entra Group and gets assigned the .1. That's why I think that this isn't a configuration issue. According to FIB, the IP is bound / routed to the SSLVPN interface.
So based on these observations, I really think this is a local problem on some clients. Are there any tools, maybe even from Fortinet to debug this?
Created on 02-18-2025 04:55 AM Edited on 02-18-2025 04:57 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are the users part of the same Entra Group as those that in the past were assigned the .1 IP and didnt work ?
also, are you using realms/portals to separate the connection for each group or you just created a single realm, the default / , same portal and different user groups were created which reference the saml server and a different object id / group in it ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, these users are in the same Entra Group. Maybe this makes it clearer:
- Client A, Entra Group 3, 192.168.15.1 > Doesn't work
- Client B, Entra Group 3, 192.168.15.1 > Works
- Client C, Entra Group 2, 192.168.15.1 > Works
- Client A, Entra Group 1, 192.168.15.1 > Doesn't work
- Client A, Entra Group 2, 192.168.15.1 > Doesn't work
As said before, it somehow boils down to the individual clients itself.
We use a single portal for Entra Auth for all clients and distinguish user access by one of the 3 Entra security groups
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked all local interfaces for conflicting IPs but there are none. Local Ethernet and WiFi adapters are getting leases from another range.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of FortiClient and FortiOS are you using? We're getting the same issue-with the first IP in the range.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are running FOS 7.2.11 with multiple versions of FortiClient from 7.0.7 - 7.4.3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. Same for us. We've raised it to FortiNet TAC to investigate
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Was this issue ever resolved? We seem to have the same issue
Labels
-
FortiGate
10,482 -
FortiClient
2,127 -
FortiManager
882 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
557 -
FortiClient EMS
551 -
6.0
416 -
IPsec
403 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
123 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
65 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
Fortigate Cloud
23 -
API
23 -
System settings
22 -
OSPF
20 -
Security profile
20 -
WAN optimization
20 -
FortiMonitor
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2522 | |
| 1347 | |
| 794 | |
| 639 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.