Hello!
The SSL VPN worked fine until recently, when we updated to fw 5.2.9 (at least I think that's the reason; I'm not entirely sure when exactly the problem occurred for the first time). We have 3 WANs, and WAN1 (62.178.xxx.xxx) is exposed to provide web access for the VPN. The problem is that when a user tries to access the web portal the connection times out. The reason seems to be that the FortiGate tries to reply with the correct IP on the wrong WAN, WAN2 instead of WAN1:
2495.680823 wan1 in 84.112.xxx.xxx.52185 -> 62.178.xxx.xxx.10443: syn 3851228698
2495.681132 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
2506.868426 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52178: syn 2500829585 ack 3479697041
2507.668398 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
2510.668405 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52179: syn 3003834394 ack 2372073390
2511.468412 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52180: syn 3625665206 ack 2630344925
2531.668429 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
2555.068349 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52178: syn 2500829585 ack 3479697041
2558.868363 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52179: syn 3003834394 ack 2372073390
2559.668361 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52180: syn 3625665206 ack 2630344925
2579.868372 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
All WANs have the same distance and the same priority. If I decrease the priority for WAN2 and WAN3 and leave WAN1 with the highest priority, the connection works, but only for a short time; then it fails again for unknown reasons. I couldn't figure out where to configure the outgoing interface or how to deal with this issue. I'd be happy to supply additional information if required.
Thank you for your help.
Hello,
1) First, after any upgrade it is mandatory to run the following command to check for any wrong syntax:
diagnose debug config-error-log read
2) Send the output of the SSL portal settings.
Best regards,
Follow us: https://networkingcontrol.wordpress.com
Hello!
Thank you for your answer. The command you posted in 1) returned no results. I'm not too familiar with these FortiGate devices, so I hope I am indeed providing the info you requested:
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 600
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set wins-server1 10.5.9.7
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "vpnuser"
            set portal "full-access"
        next
    end
end
Thanks again.
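The sniffer output in the first post and the SSL VPN settings in the follow-up can be cross-checked mechanically. The script below is an added example, not part of this thread and not a Fortinet tool: it parses both, pairs each inbound SYN to the portal port with the outbound SYN-ACKs for the same client socket, and flags flows whose reply left on a different interface from the one the SYN arrived on, while also reporting SYN-ACK retransmits whose SYN is not in the capture. Port 10443 is taken from the capture (the posted config sets no explicit port), the settings block is trimmed to the lines the check uses, and the function names are my own.

```python
import re
from collections import defaultdict

# Data from this thread: the sniffer lines from the first post (client and WAN1
# octets are masked "xxx" there) and the posted SSL-VPN settings, trimmed to
# the lines this check uses.
CAPTURE = """\
2495.680823 wan1 in 84.112.xxx.xxx.52185 -> 62.178.xxx.xxx.10443: syn 3851228698
2495.681132 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
2506.868426 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52178: syn 2500829585 ack 3479697041
2507.668398 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
2510.668405 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52179: syn 3003834394 ack 2372073390
2511.468412 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52180: syn 3625665206 ack 2630344925
2531.668429 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
2555.068349 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52178: syn 2500829585 ack 3479697041
2558.868363 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52179: syn 3003834394 ack 2372073390
2559.668361 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52180: syn 3625665206 ack 2630344925
2579.868372 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699
"""
SSL_SETTINGS = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 600
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "vpnuser"
            set portal "full-access"
        next
    end
end
"""
PKT_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
                    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<flags>.*)$")

def parse_sniffer(text):
    """Parse 'diagnose sniffer packet' lines; the last dotted field is the port."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        src, sport = m["src"].rsplit(".", 1)
        dst, dport = m["dst"].rsplit(".", 1)
        flags = m["flags"].split()
        pkts.append({"ts": float(m["ts"]), "iface": m["iface"], "dir": m["dir"],
                     "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                     "syn": "syn" in flags, "ack": "ack" in flags})
    return pkts

def find_asymmetric_flows(pkts, service_port):
    """Pair inbound SYNs to service_port with outbound SYN-ACKs for the same client
    socket; a flow is asymmetric when the reply leaves on another interface."""
    syn_in = {}                      # (client ip, port) -> ingress interface
    synack_out = defaultdict(list)   # (client ip, port) -> egress interface per SYN-ACK
    for p in pkts:
        if p["dir"] == "in" and p["syn"] and not p["ack"] and p["dport"] == service_port:
            syn_in.setdefault((p["src"], p["sport"]), p["iface"])
        elif p["dir"] == "out" and p["syn"] and p["ack"] and p["sport"] == service_port:
            synack_out[(p["dst"], p["dport"])].append(p["iface"])
    flows = []
    for client, egress_list in sorted(synack_out.items()):
        ingress = syn_in.get(client)
        egress = sorted(set(egress_list))
        flows.append({"client": client, "ingress": ingress, "egress": egress,
                      "synack_retransmits": len(egress_list) - 1,
                      "asymmetric": ingress is not None and egress != [ingress]})
    return flows

def parse_ssl_settings(text):
    """Top-level 'set key value' pairs of the block; nested tables are skipped."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("set "):
            _, key, value = line.split(None, 2)
            settings[key] = value.strip('"')
    return settings

def diagnose(capture, settings_text, service_port):
    """Return (interface the portal is bound to, flow summaries, problem strings)."""
    bound = parse_ssl_settings(settings_text).get("source-interface")
    flows = find_asymmetric_flows(parse_sniffer(capture), service_port)
    problems = []
    for f in flows:
        who, out = "%s:%d" % f["client"], ",".join(f["egress"])
        if f["ingress"] is None:
            problems.append(f"{who}: {f['synack_retransmits']} SYN-ACK retransmits on {out}, "
                            "no inbound SYN in this capture")
        elif f["asymmetric"]:
            problems.append(f"{who}: SYN in on {f['ingress']}, SYN-ACK out on {out} "
                            f"({f['synack_retransmits']} retransmits): reply never reaches the client")
        elif bound and f["ingress"] != bound:
            problems.append(f"{who}: SYN arrived on {f['ingress']}, portal bound to {bound}")
    return bound, flows, problems
```

Run against the thread's data, `diagnose(CAPTURE, SSL_SETTINGS, 10443)` reports that the portal is bound to wan1, that the one client socket whose SYN is in the capture (port 52185) entered on wan1 and had its SYN-ACK sent out wan2 four times (three retransmits), and that the other three client ports show only SYN-ACK retransmits on wan2, their SYNs having arrived before the capture started. The same functions accept any capture in the one-packet-per-line form shown, so the check can be repeated after a routing change to confirm that replies now leave on the interface the portal is bound to.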
Copyright 2024 Fortinet, Inc. All Rights Reserved.