Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rreimche
New Contributor

FortiClient cannot connect to SSL VPN on FGT: iprope_in_check() check failed on policy 0, drop

I have configured SSL VPN on one of my FGTs using the GUI, the same way as it was configured on another one (the idea is to move some business-critical services from one office to another). Then I discovered that FortiClient can't connect because of a connection timeout. Further debugging with the packet sniffer revealed that only SYN packets are coming from the client and nothing goes back. The next step was the flow debugger:

MyFGT # 2025-01-09 16:58:51 id=20085 trace_id=195 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, my.client.ip.address:51567->my.fgt.ip.address:10443) from wan1. flag [S], seq 1184327228, ack 0, win 65535"

2025-01-09 16:58:51 id=20085 trace_id=195 func=init_ip_session_common line=4645 msg="allocate a new session-000fdb96"

2025-01-09 16:58:51 id=20085 trace_id=195 func=fw_local_in_handler line=398 msg="iprope_in_check() check failed on policy 0, drop"

I have read a dozen pages on the internet, in the Fortinet knowledge base and in this forum, and also tried to use ChatGPT as a consultant to find a solution, but so far I am where I was -- the connection is being dropped by policy 0. I have also gathered the following relevant pieces of information:

- SSL VPN is set to use custom port and the client tries to connect on the same port.
- SSL VPN uses interface "wan1" and this interface is set to the correct external IP address.

- SSL VPN configuration is set to use port 10443 and the source-interface "wan1"

- The only local-in-policy present is the one I have created to explicitly allow connection to SSL VPN (obviously this didn't work)

- "diag sys tcpsock | grep 10443" shows empty result -- but I'm not sure that it should display anything if there is yet no connection.

- I don't find any traffic policy that would drop anything SSL/HTTPS-Like, for 10443 or anything with destination interface of wan1.

My understanding is that policy 0 is the default "drop everything not matched by any other policy" policy and that configuring SSL VPN would create a kind of implicit policy to allow this local-in connection. And that somehow this either does not work this way at all or something stands in between.

I'm dealing with this for several days already. Please, help.

Other relevant information pieces:
FortiClient: ver. 7.0.8.0308
Fortigate (yes, pretty old): FortiWiFi 60CX-ADSL-A with FortiOS v5.2.15
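
The three trace lines quoted above are the usual shape of `diag debug flow` output for a packet that dies in the local-in check. As an added example (this is not code from the original post or from Fortinet), here is a small Python parser that groups such lines by trace_id, joins the `fw_local_in_handler` drop with the 5-tuple from the preceding `print_pkt_detail` line, and tallies drops per ingress interface, protocol and destination port, i.e. the tuple a local-in policy for a service such as SSL VPN has to match. The sample lines are constructed, modelled on the post's output with RFC 5737 placeholder addresses; the exact message formats are assumed to be the ones shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: modelled on the "diag debug flow" lines in the post,
# with RFC 5737 placeholder addresses. Traces 195 and 196 are the failing
# SSL VPN SYNs; trace 197 (a SYN to port 443) is included only as a flow
# that does not hit the local-in drop. The first line keeps the CLI prompt.
SAMPLE_TRACE = """\
MyFGT # 2025-01-09 16:58:51 id=20085 trace_id=195 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, 198.51.100.10:51567->203.0.113.5:10443) from wan1. flag [S], seq 1184327228, ack 0, win 65535"
2025-01-09 16:58:51 id=20085 trace_id=195 func=init_ip_session_common line=4645 msg="allocate a new session-000fdb96"
2025-01-09 16:58:51 id=20085 trace_id=195 func=fw_local_in_handler line=398 msg="iprope_in_check() check failed on policy 0, drop"
2025-01-09 16:58:54 id=20085 trace_id=196 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, 198.51.100.10:51568->203.0.113.5:10443) from wan1. flag [S], seq 1184327229, ack 0, win 65535"
2025-01-09 16:58:54 id=20085 trace_id=196 func=init_ip_session_common line=4645 msg="allocate a new session-000fdb97"
2025-01-09 16:58:54 id=20085 trace_id=196 func=fw_local_in_handler line=398 msg="iprope_in_check() check failed on policy 0, drop"
2025-01-09 16:59:02 id=20085 trace_id=197 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, 198.51.100.10:51570->203.0.113.5:443) from wan1. flag [S], seq 1184327300, ack 0, win 65535"
2025-01-09 16:59:02 id=20085 trace_id=197 func=init_ip_session_common line=4645 msg="allocate a new session-000fdb98"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)\) '
    r'from (?P<iface>[^.\s]+)\.')
DROP_RE = re.compile(r'iprope_in_check\(\) check failed on policy (?P<policy>\d+), drop')


def parse_flow_trace(text):
    """Group debug-flow lines by trace_id -> list of (func, msg) in file order.
    search() rather than match() so a leading CLI prompt ("MyFGT # ") is ignored."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            traces[int(m['trace'])].append((m['func'], m['msg']))
    return dict(traces)


def find_local_in_drops(text):
    """One record per trace whose packet was dropped by iprope_in_check() in
    fw_local_in_handler, joined with the 5-tuple from its print_pkt_detail line."""
    drops = []
    for trace_id, events in sorted(parse_flow_trace(text).items()):
        pkt = None
        for func, msg in events:
            if func == 'print_pkt_detail':
                pm = PKT_RE.search(msg)
                if pm:
                    pkt = {k: (int(v) if v.isdigit() else v) for k, v in pm.groupdict().items()}
            elif func == 'fw_local_in_handler' and pkt is not None:
                dm = DROP_RE.search(msg)
                if dm:
                    drops.append({'trace_id': trace_id, 'policy': int(dm['policy']), **pkt})
    return drops


def summarize(drops):
    """Count drops per (ingress interface, protocol, destination port): the
    tuple a local-in policy for the service in question has to match."""
    counts = defaultdict(int)
    for d in drops:
        counts[(d['iface'], d['proto'], d['dport'])] += 1
    return dict(counts)


if __name__ == '__main__':
    found = find_local_in_drops(SAMPLE_TRACE)
    for d in found:
        print(f"trace {d['trace_id']}: {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
              f"proto {d['proto']} via {d['iface']} dropped by local-in policy {d['policy']}")
    print(summarize(found))
```

Feed it the captured output of `diag debug flow` (after `diag debug flow filter port 10443` and `diag debug flow trace start`) and the summary tells you which interface/protocol/port combinations the local-in stage is refusing; if every SSL VPN SYN shows up there with policy 0, the listener is not being exposed on that interface and port, which is exactly what the rest of this thread tracks down.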
1 Solution
maulishshah

Can you please click on source, and along with the SSLVPN Tunnel Addr please add your VPN group. 

 

For CLI: 

config firewall policy 
    edit 1
        set name "sslvpn tunnel mode access"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR_1"
        set dstaddr "all"
        set groups "sslvpngroup" <-------- Your VPN Group
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

Verify and update the thread if the error is still there. 

Maulish Shah

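
The accepted answer's point is that the policy with source interface ssl.root has to carry the VPN user group, and earlier in the thread the poster was checking the configuration backup by searching it for strings. As an added example (not code from this thread or from Fortinet), here is a Python parser for the config/edit/set/next/end structure of a FortiOS configuration backup, plus a check for the conditions the thread discusses: that `config vpn ssl settings` has the expected port and source-interface, and that every firewall policy with srcintf ssl.root is an accept policy with groups or users set, the groups being defined under `config user group`. The two sample configs are constructed in the 5.2 CLI syntax shown above; the attribute names are the ones used in this thread, and handling of `unset` and of nested config blocks is an assumption about the backup format.

```python
import shlex

# Constructed sample config in FortiOS CLI syntax as used in this thread.
# SAMPLE_BROKEN mirrors the poster's situation: the SSL VPN settings are in
# place but the ssl.root policy carries no "set groups"; SAMPLE_FIXED adds
# the group, as the accepted answer recommends.
SAMPLE_BROKEN = """\
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
end
config user group
    edit "sslvpngroup"
        set member "vpnuser"
    next
end
config firewall policy
    edit 1
        set name "sslvpn tunnel mode access"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR_1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    '        set action accept\n',
    '        set groups "sslvpngroup"\n        set action accept\n')


def parse_fortios_config(text):
    """Parse the config/edit/set/next/end structure of a FortiOS backup into
    nested dicts: section name -> (entry name -> {attribute: [values]}).
    Quoted values are handled by shlex; '#' header lines are skipped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        kw, *args = shlex.split(line)
        if kw == 'config':
            stack.append(stack[-1].setdefault(' '.join(args), {}))
        elif kw == 'edit':
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == 'set':
            stack[-1][args[0]] = args[1:]
        elif kw == 'unset':
            stack[-1].pop(args[0], None)
        elif kw in ('next', 'end'):
            stack.pop()
    if len(stack) != 1:
        raise ValueError('unbalanced config/edit versus next/end')
    return root


def check_sslvpn(cfg, port, iface):
    """Return a list of findings about the SSL VPN listener settings and the
    ssl.root firewall policies; an empty list means every check passed."""
    findings = []
    ssl = cfg.get('vpn ssl settings', {})
    if ssl.get('port') != [str(port)]:
        findings.append(f'vpn ssl settings: port is {ssl.get("port")}, expected {port}')
    if ssl.get('source-interface') != [iface]:
        findings.append(f'vpn ssl settings: source-interface is {ssl.get("source-interface")}, expected {iface}')
    groups = cfg.get('user group', {})
    ssl_policies = {pid: p for pid, p in cfg.get('firewall policy', {}).items()
                    if 'ssl.root' in p.get('srcintf', [])}
    if not ssl_policies:
        findings.append('no firewall policy with srcintf ssl.root')
    for pid, p in ssl_policies.items():
        if p.get('action') != ['accept']:
            findings.append(f'policy {pid}: ssl.root policy does not accept')
        if not p.get('groups') and not p.get('users'):
            findings.append(f'policy {pid}: ssl.root policy has no groups or users set')
        for g in p.get('groups', []):
            if g not in groups:
                findings.append(f'policy {pid}: group {g!r} is not defined under config user group')
    return findings


if __name__ == '__main__':
    for label, text in (('broken', SAMPLE_BROKEN), ('fixed', SAMPLE_FIXED)):
        print(label, check_sslvpn(parse_fortios_config(text), port=10443, iface='wan1') or ['ok'])
```

Run it against a full backup (`execute backup config` output) with the port and interface you expect; the broken sample yields exactly one finding, for the group-less ssl.root policy, and the fixed sample yields none. The check only covers what this thread established; it does not claim that nothing else can produce a policy 0 local-in drop.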

kaman
Staff

Hi rreimche,

Could you please confirm whether the FortiGate NGFW mode is set to Policy-based or Profile-based? You can find this information under System > Settings > View Settings.


In policy-based NGFW mode, it is necessary to have an SSL inspection policy under Policy & Objects -> SSL Inspection & Authentication for the SSL VPN traffic.


Without this policy, the sslvpnd will not start.


Please refer to the below document for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-is-not-working-when-FortiGate-is-o...


If it is profile-based, you can refer to the following document for the reasons behind the 'iprope_in_check() failed' error in SSL VPN.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reasons-for-the-iprope-in-check-failed-err...


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

rreimche
New Contributor

Thank you for your reply, kaman. I have tried to find this setting, but had no luck:

- System / Settings is absent. Instead I have found System / Config / Features. I cannot find anything about NGFW there.

- I tried to find "set inspection mode" in the "config system settings" section of the configuration -- it is absent

- I tried to find "set ngfw-mode" in the settings -- it is nowhere to be found, I have searched the whole configuration backup.

- When searching for "set inspection-mode" in the whole configuration backup I found the following entries:

1. config web filter profile > edit "web-filter-flow" > set inspection-mode flow-based
2. config web filter profile > edit "flow-monitor-all" > set inspection-mode flow-based
3. config antivirus profile > edit "default" > set inspection-mode proxy

- when searching the whole config backup for "flow-based" -- the same first two entries in "config web filter profile"

- when searching the whole config backup for either "policy-based" or "profile-based" -- no results

 

(I have taken the settings and their values from https://community.fortinet.com/t5/FortiGate/Technical-Tip-Changing-the-inspection-mode-of-the-firewa...)

rreimche

This is what I have in System/Config/Features: 

[Screenshot of System / Config / Features, 2025-03-21]

maulishshah

Can you please share your SSLVPN firewall policy to confirm the configuration?

 

The source interface should be selected as SSLVPN, and the outgoing interface would be your internal or external interface.

 

Please confirm whether Central NAT is enabled; if yes, you have to create a separate policy for SSL/SSH inspection.

 

 

Maulish Shah
rreimche

Hello maulishshah,

 

In the screenshot above we can see "Central NAT Table" deactivated. I guess this means that Central NAT is not active. The policies can be seen in the screenshots below.

 

 

[Screenshot of the firewall policy list, 2025-03-24 15:57]
[Screenshot of the firewall policy list, 2025-03-24 15:54]



maulishshah

Thank you for the screenshot, can you please confirm why the groups are not selected in the firewall policy?

 

 

Maulish Shah
rreimche

what do you mean by "groups are not selected"?

rreimche

Also when I open the policy configuration, I do not see anything about groups:

 

[Screenshot of the policy configuration dialog, 2025-03-26 14:50]
