Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kaika313
New Contributor

Created on ‎02-15-2023 02:32 AM

Issues connecting to remote SSL VPN connected client

Hi,

 

we're using a FortiGate 100E (v6.0.2 build0163 (GA)) with SSL VPN configured. Remote clients are assigned the entire 10.0.95.0/24 subnet while LAN 192.168.1.0/24 subnet.

No troubles for the remote subnet to access the internal LAN but cannot find a way to make internal LAN access SSL clients. I've tried to set a specific policy to enable traffic from LAN to SSL subnet but it seems to be ignored. Also, the route isn't correct because if I make a tracert from an internal LAN device pointing to a remote client it seems that the FortiGate sends the packet to the outside instead of redirecting them to the remote client through the tunnel interface. What I am missing? 

 

Thank you

 

This is the policy that I tried:

Schermata 2023-02-15 alle 11.24.48.png

Labels:
2247
0 Kudos
1 Solution
gfleming
Staff
Staff
In response to kaika313

Created on ‎02-16-2023 09:47 AM

Bugs happen. It could be you are hitting one. 

 

Without support you cannot talk to TAC nor can you run a supported FortiOS version. Right now you are exposing yourself to a lot of risk from a vulnerability, functionality and accessibility standpoint. 

 

Please get support renewed on your Firewall and get it updated ASAP.

Cheers,
Graham

View solution in original post

2152
0 Kudos
12 REPLIES 12
amouawad
Staff
Staff

Created on ‎02-15-2023 04:08 AM

Try creating a static route for the 10.0.95.0/24 subnet to point to the SSL interface. The FGTs  don't populate the routing table with the subnets you've created for the SSLVPN.

 

amouawad_0-1676462828398.png

 

1759
0 Kudos
kaika313
New Contributor
In response to amouawad

Created on ‎02-15-2023 07:13 AM

Hi @amouawad,

thank you for your reply.

Unfortunately, even with static route it doesn't work. Packets keep going outside instead of going to the right place. What else I can try to change/check?

Thank you

Schermata 2023-02-15 alle 15.07.30.png

 

 

1747
0 Kudos
gfleming
Staff
Staff

Created on ‎02-15-2023 01:18 PM

Are you sure its the Fortigate blocking? Perhaps there is a local Firewall on the endpoint?

Cheers,
Graham
1727
0 Kudos
kaika313
New Contributor
In response to gfleming

Created on ‎02-16-2023 03:05 AM

Hi,

 

I've disabled every possible firewall anywhere including Windows firewall and remote router's firewall with no success. Strange thing is that even from CLI console I cannot ping and reach clients...

1710
0 Kudos
funkylicious
SuperUser
SuperUser

Created on ‎02-16-2023 03:13 AM Edited on ‎02-16-2023 03:14 AM

I tested myself w/o a static route configured on the FW ( 200E 6.4.9 ) to reach my machine connected in SSLVPN and works just fine from the FW and a device behind it.

Maybe it's time to upgrade the firmware, 6.0 is very old :) 

"jack of all trades, master of none"
"jack of all trades, master of none"
1709
0 Kudos
kaika313
New Contributor
In response to funkylicious

Created on ‎02-16-2023 08:58 AM

Yes, maybe it's a firmware issue but as the support license expired unfortunately there's no way to test the connection with an updated firmware version... but despite OS version it should work anyway because everything is configured properly!

1695
0 Kudos
gfleming
Staff
Staff
In response to kaika313

Created on ‎02-16-2023 09:47 AM

Bugs happen. It could be you are hitting one. 

 

Without support you cannot talk to TAC nor can you run a supported FortiOS version. Right now you are exposing yourself to a lot of risk from a vulnerability, functionality and accessibility standpoint. 

 

Please get support renewed on your Firewall and get it updated ASAP.

Cheers,
Graham
2153
0 Kudos
kaika313
New Contributor
In response to gfleming

Created on ‎02-20-2023 07:21 AM

Yes, it could be a bug. Unfortunately, the person who sold us this firewall didn't tell us that it's a type of appliance that needs a subscription to receive basic firmware updates unlike other firewalls of different brands... as there's nothing to do without a subscription probably we'll consider moving to a different product. Thank you anyway for your support

1643
0 Kudos
gfleming
Staff
Staff
In response to kaika313

Created on ‎02-21-2023 09:37 AM

Most enterprise-grade firewalls will require some form of subscription to access regular services like support and firmware upgrades.

Cheers,
Graham
1617
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.