PCBarnes
New Contributor III

No access to Navision SQL server from FortiClient VPN

Hello

I have installed a Fortigate 60F firewall at a customer. When the customer uses FortiClient VPN they cannot access their Microsoft Dynamics Navision. If they use the Windows native VPN client, everything works as it should.
So why not just use this all the time? This is because the firewall does not allow two simultaneous Windows native VPN clients from the same IP address…

I get this error (see the attached file, and bear with the fact that it's in Danish. I'm sure you can translate it).

NAV.png

8 Replies
patelr
Staff

Hello @PCBarnes,

 

Did you verify the configuration? Can you also share the error message translated into English?

 

Thanks,

Ronak Patel

 

PCBarnes
New Contributor III

Hello Ronak

The translation to English goes like this (without the given code):

"The configuration of the SPN (delegation) is specified incorrectly."
"Server Connection URL:...."
"SPN Identity:...."
"A call to SSPI failed, see inner exception."

 

My comment: The server is called "Land"

Best regards T. Barnes

Rajan_kohli
Staff

Hi,

 

Can you please share the sniffer with the Source IP and Destination IP on FortiGate to check traffic flow?

 

Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

 

Regards

 

Rajan Kohli
PCBarnes
New Contributor III

Hello Rajan

 

I will try. My problem is that I don't have access to the SQL server, so I have to call someone to test for me every time I make an experiment.

 

Regards T. Barnes

pminarik
Staff

Given the mention of SSPI, maybe you're not letting some relevant traffic through (Kerberos, or NTLM/SMB to a DC, or to the server), or maybe the VPN client doesn't use the internal DNS server or the right DNS domain suffix?

[ corrections always welcome ]
PCBarnes
New Contributor III

I will take a look at the DNS. There could be a solution here, as it looks like there is a "URL call" to the server in the error message. Could anyone tell me, though, what the difference is between the Windows native VPN client and FortiClient SSL VPN? Because the Windows native client has no problem accessing the SQL server, but FortiClient VPN does.

PCBarnes
New Contributor III

Hello pminarik

 

It was a DNS problem, and I solved it by choosing my own domain DNS server. When you use the "IPsecWizard", make sure to manually select your own DNS.

 

IPsecWizard.png

Thank you for pointing me in the right direction :)

 

Best regards

 

T. Barnes

 

 

PCBarnes
New Contributor III

I have run a "config /all command" on a PC running the Windows native VPN and on a PC running FortiClient VPN. I can see that none of the DNS servers are pointing to the server where the SQL server is installed, but as I mentioned earlier, the Windows native client works fine. The Fortinet client also uses IPv6. Could that be a problem?

Windows native VPN:

Windows native VPN.png

FortiClient VPN:

FortiClient VPN.png

 

Regards T. Barnes
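
The checks suggested in this thread (which DNS server and suffix the VPN client uses, and whether Kerberos is reachable), written out as an added PowerShell example that is not part of any post above. It is meant to be run on the Windows client while the VPN is connected; `Land` is the server name given in the thread, and `corp.example` is a placeholder for the internal AD DNS domain.

```powershell
# Added diagnostic example; not from the thread.
# Assumptions: $Domain is a placeholder for the internal AD DNS domain;
# only IPv4 DNS servers are inspected.
param(
    [string]$Server = 'Land',          # server name mentioned in the thread
    [string]$Domain = 'corp.example'   # placeholder, replace with the real AD domain
)
$fqdn = "$Server.$Domain"

# 1. DNS servers and connection-specific suffix of every connected adapter (VPN included)
$rows = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    [pscustomobject]@{
        Adapter    = $nic.Name
        DnsServers = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
        Suffix     = (Get-DnsClient -InterfaceIndex $nic.ifIndex).ConnectionSpecificSuffix
    }
}
$rows | Format-Table -AutoSize | Out-Host

# 2. Ask each configured DNS server for the server's A record and the Kerberos SRV record.
#    A public or ISP resolver will fail both; the domain DNS server should answer both.
$dnsServers = $rows.DnsServers | Where-Object { $_ } | Select-Object -Unique
$lookups = foreach ($dns in $dnsServers) {
    $aRec = Resolve-DnsName -Name $fqdn -Type A -Server $dns -DnsOnly -ErrorAction SilentlyContinue
    $srv  = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -Server $dns -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DnsServer   = $dns
        ServerA     = if ($aRec) { ($aRec | Where-Object Type -eq 'A').IPAddress -join ',' } else { 'NOT RESOLVED' }
        KerberosSrv = if ($srv)  { ($srv | Where-Object Type -eq 'SRV').NameTarget -join ',' } else { 'NOT RESOLVED' }
    }
}
$lookups | Format-Table -AutoSize | Out-Host

# 3. If the default resolver finds domain controllers, check that Kerberos (TCP 88)
#    and SMB (TCP 445) to them are allowed through the tunnel's firewall policy.
$dcs = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
$reach = foreach ($dc in $dcs) {
    foreach ($port in 88, 445) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $dc; Port = $port; Reachable = $t.TcpTestSucceeded }
    }
}
if ($reach) { $reach | Format-Table -AutoSize | Out-Host }
else        { Write-Host "No Kerberos SRV record found for $Domain via the default resolver." }
```

Running it once over each VPN client and comparing the output shows whether the two clients hand out different DNS servers or suffixes.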
