FortiClient cannot connect to SSL VPN on FGT: iprope_in_check() check failed on policy 0, drop
I have configured SSL VPN on one of my FGTs using the GUI, the same way as it was configured on another one (the idea is to move some business-critical services from one office to another). Then I discovered that FortiClient can't connect because of a connection timeout. Further debugging with a packet sniffer revealed that only SYN packets are coming from the client; nothing goes back. The next step was the flow debugger:
MyFGT # 2025-01-09 16:58:51 id=20085 trace_id=195 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, my.client.ip.address:51567->my.fgt.ip.addresss:10443) from wan1. flag [S], seq 1184327228, ack 0, win 65535"
2025-01-09 16:58:51 id=20085 trace_id=195 func=init_ip_session_common line=4645 msg="allocate a new session-000fdb96"
2025-01-09 16:58:51 id=20085 trace_id=195 func=fw_local_in_handler line=398 msg="iprope_in_check() check failed on policy 0, drop"
I have read a dozen pages on the internet, in the Fortinet knowledge base and in this forum, and also tried to use ChatGPT as a consultant to find a solution, but so far I am where I was -- the connection is being dropped by policy 0. I have also gathered the following relevant pieces of information:
- SSL VPN is set to use custom port and the client tries to connect on the same port.
- SSL VPN uses interface "wan1" and this interface is set to the correct external IP address.
- SSL VPN configuration is set to use port 10443 and the source-interface "wan1".
- The only local-in-policy present is the one I have created to explicitly allow connection to SSL VPN (obviously this didn't work).
- "diag sys tcpsock | grep 10443" shows an empty result -- but I'm not sure that it should display anything if there is no connection yet.
- I don't find any traffic policy that would drop anything SSL/HTTPS-Like, for 10443 or anything with destination interface of wan1.
My understanding is that policy 0 is the default "drop everything if not matched on any other policy" policy and that configuring SSL VPN would create a kind of implicit policy to allow this local-in connection. And that somehow this either is not working this way at all or something stands in between.
I'm dealing with this for several days already. Please, help.
Other relevant information pieces:
FortiClient: ver. 7.0.8.0308
Fortigate (yes, pretty old): FortiWiFi 60CX-ADSL-A with FortiOS v5.2.15
Labels: Firewall policy, FortiGate, SSL-VPN
Can you please click on source, and along with the SSLVPN Tunnel Addr please add your VPN group.
For CLI:
config firewall policy
    edit 1
        set name "sslvpn tunnel mode access"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR_1"
        set dstaddr "all"
        set groups "sslvpngroup"     <-------- Your VPN Group
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Verify and update the thread if the error is still there.
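The check this reply asks for, as an added example that is not part of the thread or of any Fortinet tool: a small Python linter that parses a `config firewall policy` block in FortiOS CLI text and flags accept policies with an ssl.* source interface that carry no `groups` or `users`. The before/after configs are constructed from the policy quoted in the reply.

```python
import re
from typing import Dict, List

# Constructed sample: the thread's policy without "set groups" (BEFORE) and with the fix (AFTER).
BEFORE = """config firewall policy
    edit 1
        set name "sslvpn tunnel mode access"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR_1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""
AFTER = BEFORE.replace('set service "ALL"\n', 'set service "ALL"\n        set groups "sslvpngroup"\n')

_EDIT = re.compile(r'^edit\s+(\S+)$')
_SET = re.compile(r'^set\s+(\S+)\s+(.*)$')
_VALUE = re.compile(r'"[^"]*"|\S+')  # values are space separated and may be quoted


def parse_policies(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the 'config firewall policy' section into {policy_id: {key: [values]}}."""
    policies: Dict[str, Dict[str, List[str]]] = {}
    current, cur_id, in_section = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":
            in_section = False
        elif (m := _EDIT.match(line)):
            cur_id, current = m.group(1), {}
        elif line == "next" and current is not None:
            policies[cur_id] = current
            current = None
        elif current is not None and (m := _SET.match(line)):
            current[m.group(1)] = [v.strip('"') for v in _VALUE.findall(m.group(2))]
    return policies


def sslvpn_policies_without_identity(text: str) -> List[str]:
    """IDs of accept policies sourced from an ssl.* tunnel interface that set no users/groups."""
    flagged = []
    for pid, p in parse_policies(text).items():
        from_tunnel = any(i.startswith("ssl.") for i in p.get("srcintf", []))
        accepts = p.get("action", ["deny"]) == ["accept"]  # FortiOS default action is deny
        if from_tunnel and accepts and not (p.get("groups") or p.get("users")):
            flagged.append(pid)
    return flagged
```

Run it over a `show firewall policy` dump to list every tunnel-mode policy that would still match no authenticated SSL VPN user.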
Now it works, thank you.
Check if the traffic incoming interface is same as your outgoing interface.
