Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TechAccounts
New Contributor

Fortigate 7.0.11 SSLVPN Policies Flapping

For lack of a better term, the SSL VPN policies are flapping.  Sometimes they work and a users AD Group membership determines that they can access a certain website that is normally blocked.  Then at a later time, or after a restart and zero changes to the firewall or their AD membership, they lose access to that site.  Is anyone else experiencing this issue?  

6 REPLIES 6
Kangming
Staff
Staff

Hi

Could you please provide a more detailed description? What kind of policy? Do you enable UTM? What specific functions cannot be used normally? Is there a specific URL(web filter)? Can the operation steps be reproduced stably? Can you provide some more information for us to reproduce it in the lab, thank you.

Thanks

Kangming

kvimaladevi
Staff
Staff

Hi  TechAccounts,

 

When the issue happens, is the user traffic hitting the policy where the AD group is called?

 

Regards,

Vimala

TechAccounts
New Contributor

Here's some more info on the firewall policies.  We have four policies that I'm currently looking at with the same issue.  One for access to dropbox.com services, box.com, egnyte.com and instagram.com, they're all setup in a similar fashion with access being determined by an AD group.  The rules are using a web filter and app control that are set to allow that service specifically.

NameFromToSourceDestinationScheduleServiceActionNATSecurity Profile
Dropbox.com Access - VPNSSL-VPN tunnel interfaceOutsideDropbox.com access | allDropbox-DNS, etc.AlwaysInternet ServiceAcceptEnabledWeb Filter, App Control

 

I'm able to reporduce this throughout the day on a test laptop; I'll try in the morning and it may not work, then try after lunch and it'll suddenly start working.  I have a test domain user with access to each of the AD groups (dropbox, egnyte, etc).  What I've noticed is the Authentication Server flips between our Forticlient FSSO VM ('SrvFortiClient') and our Duo-Radius server.  Is there a way to always look to our SrvFortiClient when applying these policies, from what I've seen in the logs, when it hits SrvFortiClient, it applies the correct policy and gives the correct access.

TechAccounts
New Contributor

I'm still wondering if there's a way to always look at our SrvFortiClient (FSSO) server to apply rules over VPN.  is that even possible?

RicardoAri
New Contributor

The issue you are encountering with the SSL VPN policies and the inconsistent behavior of user access to certain websites can be attributed to various factors within the network infrastructure. Flapping of VPN policies often indicates underlying problems with routing, load balancing, or configuration synchronization. It is possible that there are conflicts in the firewall rules or routing tables that result in intermittent access for users. 

TechAccounts

Would it be possible to request a senior level technician go over our Fortigate environment when I submit a ticket?  I've chatted with support before on this and heard that this configuration isn't supported, but I'm not sure who else to configure firewall rules over our Forticlient VPN.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors