Hello,
I have a corporate LAN/Wifi network and I have some users who need to connect to another site in company via SSL VPN (I can't do direct VPN with the other site). Within my corporate network they cannot make the connection, always gives the error: "Unable to establish VPN connection. The VPN server may be unreachable. (-14)". Stops at 80%.
Attempting to connect via an external network works without problems. Something is blocking the connection on my network but I still haven't figured it out, any idea how I can test the various hypotheses?
Fortigate 101E:
FortiOS v6.0.6 build0272
Forticlient: 6.2.2.0877
Thank you
Explain more clearly about relation between your "corporate network" and "another site", then which side has the FG101E ("another site"? If not how to get to "another site" from the 101E?). And what is the auth method for SSL VPN users?
Hello Toshi,
My site have the Fortigate 101E and another site have Fortigate 90D (I think). I am using my corporate network to connect through forticlient. Authentication/authorization for SSL VPN (port 443) is by LDAP server.
When I connect the forticlient he asks to authorize the certificate but then gives the error to 80%. My question is, my fortigate blocking any traffic or port? I am not using any particular block.
To have Internet in my fortigate (wan connection), I have a "home" ISP router with dynamic DNS.
But those SSL VPN attemps goes through your 101E to get to the 90D to be terminated at. Is the LDAP server you're talking about located at the "another site"? Your local 101E can't do much to contribute to the problem because SSL VPN traffic is just outgoing TCP 443 (unless you or somebody changed it on the 90D) like any internet browsing.
The problem must be on the 90D side. First, check "config vpn ssl settings" to see if multiple profiles are configured. Then you probably need to run "diag debug app sslvpn -1" on the 90D then compare between accessing from the internet and accessing from your office.
That artickle is rubbish for this error
-14 means most likely that user is in a group that does not have Tunnel access consigured for SSL Portal
the article isnt that bad on itself, but the title is confusing as error -14 pops up for so many things. the one you mentioned but also several others. best would be if the developers dont add the text, but just use -14 generic error, because that is what it is.
for that article you could reach out to he documentation team and ask them to add some lines.
I had the same exact issue. Internal client can connect to remote Fortigate from an un-secured WiFi but could not connect from behind my Fortigate 60F. My scenario is as follows:
my fortigate - 60F running fortiOS 6.2.3
my internal client - Windows 10 running forticlient 6.2.6.0951
end point fortigate - 300E running fortiOS 6.2.3
temporary solution was to disable SSL inspection on my end. now i'm going to work on a permanent solution with the remote network admin.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.