Hello
I have installed a Fortigate 60F firewall at a customer. When the customer uses FortiClient VPN they cannot access their Microsoft Dynamics Navision. If they use the Windows native VPN client, everything works as it should.
So why not just use this all the time? This is because the firewall does not allow two simultaneous Windows native VPN clients from the same IP address…
I get this error (see the attached file, and bear with the fact that it's in Danish. I'm sure you can translate it).
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Given the mention of SSPI, maybe you're not letting some relevant traffic through (Kerberos, or NTLM/SMB to a DC, or to the server), or maybe the VPN client doesn't use the internal DNS server or the right DNS domain suffix?
Hello pminarik
It was a DNS-problem, and I solved it by choosing my own domain DNS server. When you use the "IPsecWizard", make shure to manually select your own DNS.
Thank you for showing me in the right direction :)
Best regards
T. Barnes
Hello @PCBarnes,
Did you verify configuration? Can you also share error message translated in English?
Thanks,
Ronak Patel
Hello Ronak
The translation to english goes like this (without the given code):
"The configuration of the SPN (delegation) is specified incorrectly."
"Server Connection URL:...."
"SPN Identity:...."
"A call to SSPI failed, see inner exception."
My comment: The server is called "Land"
Best regards T. Barnes
Hi,
Can you please share the sniffer with the Source IP and Destination IP on Fotigate to check traffic flow.
Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
Regards
Hello Rajan
I will try. My problem is, that I don't have access to the SQL server, so I have to call someone to test for me, everytime I make an experiment.
Regards T. Barnes
Given the mention of SSPI, maybe you're not letting some relevant traffic through (Kerberos, or NTLM/SMB to a DC, or to the server), or maybe the VPN client doesn't use the internal DNS server or the right DNS domain suffix?
I will take a look on the DNS. There could be a solution here, as it looks like, that there is an "URL-call" to the server in the error message. Could anyone tell me though, what the difference is between Windows Native VPN client and FortiClient SSL VPN? Because the Windows Native client have no problem accessing the SQL server, but FortiClient VPN does.
Hello pminarik
It was a DNS-problem, and I solved it by choosing my own domain DNS server. When you use the "IPsecWizard", make shure to manually select your own DNS.
Thank you for showing me in the right direction :)
Best regards
T. Barnes
I have made a "config /all command" on a pc running Windows Native VPN and on a pc running FortiClient VPN. I can see, that none of the DNS servers are pointing to the server, where the SQL-server is installed, but as I mentioned earlier, the Windows Native client works fine. The Fortinet Client also uses IPV6. Could that be a problem?
Windows Native PVN:
FortiClient VPN:
Regards T. Barnes
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.