IPsec VPN can access my Movie server but not Hikvision cameras via Hik-Connect?
Very simple VPN setup for my iPhone. I have a Fortigate 40F firewall. I'm able to access my movie server after successfully connecting to the VPN but not the Hikvision cameras that I have configured in the Hik-Connect app. I can reach https://x.x.x.x:443 (camera1) on my iPhone using Safari while connected to the VPN, so that port is working.
The live feed fails once it hits 80%: "Device connection timed out. Please check its network connection." But I can reach my movie server and access the web sign-in of the camera using HTTPS. Help? Cameras work flawlessly when on the local network through WiFi.
VPN is allowed to access my entire lan and "all" services (ports)
Modem > Fortinet > Ubiquiti 24 Port PoE > connects all my ethernet, three aps and 5 cameras. All on 10.10.10.0/24. Flat network nothing else. NVR is a Windows 11 Pro Host running iVMS-4200. No VLANs, nothing. Flatter than Earth.
Log Allowed Traffic is set to "All Sessions"
Labels: FortiGate, IPsec, Routing, Static route
Hi @buk,
Based on your explanations, I can suggest two different methods as follows:
- NAT Considerations: Since NAT is enabled in the policy, but the internal network (10.10.10.0/24) is already managed behind the firewall with the firewall as the default gateway, NAT may not be necessary. Using NAT in this scenario could lead to application errors due to TCP connection limits when multiple sessions share a single IP. Disabling NAT could help eliminate these issues and improve connectivity stability.
- Handling Connection Timeouts: Network slowness between the application server and VPN users may cause application-level connection timeouts. To mitigate this, TCP session timeout values should be adjusted on both the application and firewall. FortiGate allows modifying session timeout values on a per-policy basis, helping to maintain connection stability. More details on session timeout configurations can be found in:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Session-timeout-settings/ta-p/191228
If these solutions do not resolve the issue, we can perform a detailed analysis by capturing debug logs and packet traces. Please run the following commands while accessing the application and share the debug outputs along with the packet capture (PCAP) file obtained from the firewall:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diag debug console timestamp enable
diagnose debug flow trace start 1000
diagnose debug flow filter saddr X.X.X.X -- (Your SSL VPN client IP address)
diagnose debug flow filter daddr Y.Y.Y.Y -- (The server IP address)
diagnose debug enable
Additionally, you can refer to the following article for instructions on capturing Wireshark output from the FortiGate firewall. Sharing these details will help us conduct a thorough investigation and pinpoint the root cause of the issue.
BR.
If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.
Atakan ATAK
CCIE #68781
Created on 03-22-2025 05:21 PM Edited on 03-22-2025 05:24 PM
Hi @atakannatak,
1. I disabled NAT on the firewall policy since all cameras have the gateway manually entered.
2. I didn't touch the session timeout value and proceeded to capture packets when accessing Camera1 via https://x.x.x.x:443 & https://x.x.x.x:8000 (iPhone, Safari). Packets were captured here, BUT when I try and click on Camera1 within Hik-Connect no packets are captured. Simply nothing happens.
Created on 03-22-2025 05:30 PM Edited on 03-22-2025 05:32 PM
This is what happens when I connect to my WiFi and click on Camera1 within Hik-Connect: there are packets captured. I launched the app: packets. I refreshed all 5 cameras: packets captured.
On VPN, nothing (within the app), and to confirm, packets were captured when using the Safari app.
Created on 03-25-2025 01:42 AM Edited on 03-25-2025 01:45 AM
Hi @buk,
As far as I understand, the Hik-Connect application is already installed on your phone. Based on the output you shared, when connected to WiFi, the camera with IP address 10.10.10.78 appears to exchange data with a public IP address, likely because the session is initiated via Hik-Connect servers.
However, similar behavior is not observed in the Wireshark capture from the SSL VPN side. Here, traffic is generated from the SSL VPN IP address 172.16.101.1 towards the camera with IP 10.10.10.106.
To analyze the issue in detail, it is essential to collect a flow debug as mentioned earlier. Please run the following commands while performing the same tests on the SSL VPN side:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diag debug console timestamp enable
diagnose debug flow trace start 1000
diagnose debug flow filter saddr X.X.X.X -- (Your SSL VPN client IP address)
diagnose debug flow filter daddr Y.Y.Y.Y -- (The server IP address)
diagnose debug enable
BR.
If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.
CCIE #68781
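Once the flow trace requested in both replies above has been collected, the first things to check are whether the firewall sees the app's packets at all and, if it does, which route and policy they hit. The block below is an added example, not from this thread or from Fortinet: a small Python parser for flow-trace output, run over constructed sample lines written in the shape of FortiOS `diagnose debug flow` messages (addresses follow the thread; the interface name, session ids and policy numbers are made up).

```python
import re
from collections import OrderedDict

# Constructed sample lines in the shape of FortiOS "diagnose debug flow" output.
# Not captured from the poster's firewall; interface/policy values are invented.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 172.16.101.1:52000->10.10.10.106:443) from ssl.root. flag [S], seq 1, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5760 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-10.10.10.106 via internal"
id=20085 trace_id=1 func=fw_forward_handler line=819 msg="Allowed by Policy-3:"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=17, 172.16.101.1:40000->10.10.10.106:8000) from ssl.root. "
id=20085 trace_id=2 func=init_ip_session_common line=5760 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-10.10.10.106 via internal"
id=20085 trace_id=2 func=fw_forward_handler line=819 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*?gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

def parse_flow(text):
    """Group trace lines by trace_id and keep the facts a reviewer needs:
    5-tuple and ingress interface, chosen route, and the policy verdict."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # skip prompts, blank lines and anything not a flow message
        tid, _func, msg = m.groups()
        t = traces.setdefault(tid, {"verdict": "no verdict seen"})
        if (p := PKT_RE.search(msg)):
            t.update(proto=int(p[1]), src=p[2], dst=p[3], ingress=p[4])
        elif (r := ROUTE_RE.search(msg)):
            t.update(gw=r[1], egress=r[2])
        elif (a := ALLOW_RE.search(msg)):
            t["verdict"] = f"allowed by policy {a[1]}"
        elif (d := DENY_RE.search(msg)):
            t["verdict"] = f"denied (policy {d[1]})"
    return traces

def summarize(text):
    """One human-readable line per trace: who talked to whom, via what, and the verdict."""
    return [f"trace {tid}: proto {t.get('proto')} {t.get('src')} -> {t.get('dst')} "
            f"in {t.get('ingress')} out {t.get('egress')}: {t['verdict']}"
            for tid, t in parse_flow(text).items()]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_FLOW)))
```

If the app's connection attempts produce no trace at all for the camera's address (as the OP's capture suggests), the packets never reached the FortiGate on that path, so the question moves from firewall policy to how the app is reaching the camera.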
