LukasR
New Contributor

Issue with some SSL-VPN services like PING

Hello,

 

I have a FortiGate 90D with SSL-VPN running. My issue is similar to this post: https://forum.fortinet.com/tm.aspx?m=110871 from October last year. But basically it works.

 

When I connect to my SSL VPN, I can access the shares with SMB and my mail server, too. HTTP and HTTPS are working, too. Access to the FortiGate via HTTPS on a specific port also works fine. And some other things like getting updates for my anti-virus and so on.

 

But I can't connect my phone software to my VoIP server (using the H.323 protocol). When I connect to the VoIP server's IP via browser on port 80, I can access the website hosted on this server... so it's reachable at all. Just using the phone software doesn't work.

 

I tried to research this and realized that I cannot ping any IP in my network. I can't even ping the FortiGate I am connected to. So in the link above, "Selective" mentioned sniffing the "icmp 4" packets.

 

When I run "diag sni pack ssl.root icmp 4" and do the ping, I see this:

3.602464 ssl.root in 192.168.5.1 -> 192.168.6.21: icmp: echo request

620.008055 ssl.root in 192.168.5.1 -> 192.168.4.254: icmp: echo request

 

So the ping is there, but there is no answer.

 

--

My Config:

- the windows firewall on the client is disabled

- I'm using split tunneling and my two subnets are added to it. (.6.x and .4.x)

- I have a rule FROM sslvpn_tunnel_addr1 TO both subnets (internal network) with ALL services set to allow; as I see the packet count is > 1.5GB, this is the rule where the magic happens

- I have another rule FROM all internal IPs TO sslvpn_tunnel_addr1 with ALL services set to allow; here I get just some bytes when I SMB from the internal network to this client. Pinging the client doesn't work either.

- I have a static route back to the VPN Network: 192.168.5.0 255.255.255.0 with no gateway using the device ssl.root

 

 

Something that could be strange is, when I run "route print" on the Windows client, I see the following:

 

Destination: 192.168.4.0
Mask: 255.255.255.0
Gateway: 192.168.5.2 <-- This is wrong, the gateway should be 192.168.4.254
Metric: 10

 

I don't know where this entry comes from... when I get assigned 192.168.5.2, the gateway becomes 192.168.5.3.

 

Deleting it with "route delete" says OK but nothing changes... it's still there.

When I add a static route: route add 192.168.4.0 mask 255.255.255.0 192.168.4.254 metric 5

The route gets added, but with a metric of 15; same if I use metric 1, it's added with metric 11?!

Same problem when I add it permanently with -p.

 

Is this maybe a problem with split tunneling, that it just tunnels specific ports? But when I specifically want to connect to an internal IP and the route works... it should work anyway, right? By the way, tracert to any internal IP stops after 1 hop, so it can't even trace the route to the FortiGate itself.

 

 

Thank you and best regards.
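The sniffer output quoted above only shows echo requests entering ssl.root, and judging "is there a reply?" by eye gets tedious on longer captures. The following is an added example, not from the poster or from Fortinet: a small parser for "diag sniffer packet ssl.root icmp 4" lines that pairs each echo request with a later echo reply in the opposite direction and lists the requests that were never answered. The sample capture is constructed from the two lines in the post plus one assumed working request/reply pair; the exact "out" reply line format is an assumption based on the request format shown.

```python
import re
from collections import defaultdict, deque

# One line of `diag sniffer packet ssl.root icmp 4` (verbosity 4 shows the interface
# and direction). Lines that are not ICMP echo request/reply are ignored.
SNIFFER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)

# Constructed sample: the two echo requests from the post (never answered) plus
# one assumed request/reply pair that a working path would show.
SAMPLE = """\
3.602464 ssl.root in 192.168.5.1 -> 192.168.6.21: icmp: echo request
620.008055 ssl.root in 192.168.5.1 -> 192.168.4.254: icmp: echo request
640.100000 ssl.root in 192.168.5.1 -> 192.168.6.30: icmp: echo request
640.100900 ssl.root out 192.168.6.30 -> 192.168.5.1: icmp: echo reply
"""

def parse_sniffer(text):
    """Parse sniffer output into dicts with ts (float), iface, dir, src, dst, kind."""
    records = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records

def unanswered_requests(text):
    """Return echo requests that never got a matching reply, oldest first.
    A reply matches the oldest pending request with swapped src/dst."""
    pending = defaultdict(deque)          # (src, dst) -> queue of request records
    for rec in sorted(parse_sniffer(text), key=lambda r: r["ts"]):
        if rec["kind"] == "request":
            pending[(rec["src"], rec["dst"])].append(rec)
        else:
            key = (rec["dst"], rec["src"])   # reply travels back to the original sender
            if pending[key]:
                pending[key].popleft()
    leftover = [r for q in pending.values() for r in q]
    return sorted(leftover, key=lambda r: r["ts"])

def report(text):
    """Human-readable summary, one line per unanswered request."""
    return [f'{r["ts"]:.6f} {r["iface"]} no reply for {r["src"]} -> {r["dst"]}'
            for r in unanswered_requests(text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Paste a real capture into SAMPLE (or read it from a file) to see which destinations never answer; a destination that answers on port 80 but shows up here points at a routing or policy problem for ICMP rather than at reachability.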

1 REPLY
LukasR
New Contributor

No idea? :\
