Support Forum
Troubleshooter_73
New Contributor III

OS 5.2.3 - SSL VPN Portal unreachable at all

Hi guys,

Currently I'm stuck on a really bad issue.

I configured the SSL VPN portal on a FWF 60D, but the portal is unreachable at all.

Not from external, not from internal.

Setup:

Internal LAN --> FWF 60D --> Transfer-Network --> VDSL Router --> WAN

Client --> WAN --> VDSL Router (Port Forward 8443 to FWF) --> FWF 60D --> LAN

Trying to reach the SSL VPN portal from internal at the transfer network interface of the FWF (not possible)

Trying to reach the SSL VPN portal from external WAN over the VDSL router (not possible)

Diag debug application sslvpn --> no connection

I know it's an easy thing, but I'm stuck at the moment...

No further ideas...



FCNSA 5, FCNSP 5, NSE 4

4 Solutions
Sylvia

You can see the sslvpn process with diag sys top (maybe you need a longer list: diag sys top 5 70).

You should see the sslvpn process here.

Are you sure that you do not get any output with diag deb enable and then diag deb appl sslvpn -1 (and then try to connect to the sslvpn)?

In this case try the flow commands:

diag deb ena

diag deb flow sho con ena

diag deb flow show fun ena

diag deb flow filter port 8443

diag deb flow trace start 20

(then connect to the sslvpn and send us the output)

Sylvia
Contributor II

Hey Troubleshooter_73,

I never experienced the problem that the sslvpnd is not running. v5.2.3 is OK for sslvpn in my opinion. There's just the fact that the sslvpn settings and firewall policies have to be configured differently than before. That's what produces most trouble for us.

id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

Normally this says that there is no matching firewall policy for this traffic, so it's dropped by policy 0.

Do you have a wan1->ssl.root policy with source usergroup configured?

Sylvia

ykonstantakopoulos
New Contributor III

Hello,

I totally agree with Sylvia.

Could you please check or even share your firewall policies for SSL VPN? You need a policy to first authenticate the SSL VPN users.

Troubleshooter_73

Fixed! The usergroup was missing in the policy! Thanks to all for the support!


FCNSA 5, FCNSP 5, NSE 4

19 REPLIES
rwpatterson
Valued Contributor III

So far, what inward policies do you have in place?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Troubleshooter_73

ssl.root --> Internal
ssl.root --> WAN1 (Split Tunneling Disabled)

Edit: The system has replaced a FWF 50B with the same config and it worked fine. I didn't import the config, it was configured from scratch.


FCNSA 5, FCNSP 5, NSE 4

Sylvia

I assume that the port forwarding on the VDSL router is working, because SSLVPN works with the old FGT50B in the same setup. If you are not sure about this, try "diag sniffer packet any 'port 8443' 4" to double-check.

Did you specify a source usergroup in the "ssl.root->internal" policy?

Did you assign a portal for the usergroups in the SSLVPN settings?

Sylvia

Troubleshooter_73
New Contributor III

Hi Sylvia,

yes of course, the usergroup and portal mapping is already done and double-checked.

The forwarding is working for an internal FTP server (21), for the management port itself (changed to 10443) and for an internal Apache (443).

Only the SSLVPN portal at 8443 isn't working.

But this is the strange thing I mean: the portal is also unreachable from the internal network.

It looks like the sslvpnd isn't working!



FCNSA 5, FCNSP 5, NSE 4

Sylvia

OK, but just to make sure: is "internal" added to the listening interfaces under (WebUI) VPN > SSL > Settings > Listen on Interface?

Maybe you can send a screenshot of this page.

And what is the exact output of "diag deb appl sslvpn -1"?

Troubleshooter_73
New Contributor III

I don't understand...

Why should the internal interface be added to the listening interfaces?

Is this a new config?

I always add the external WAN interface only!



FCNSA 5, FCNSP 5, NSE 4

Troubleshooter_73
New Contributor III

The SSL VPN debug output doesn't bring up any messages!

Also strange, if I try to connect to the portal:

FWF-60D # diagnose vpn ssl statistics

No data yet.

FWF-60D # diagnose vpn ssl list

FWF-60D #

So, nothing, absolutely nothing...

Is there a possibility to check if the sslvpn daemon is running?



FCNSA 5, FCNSP 5, NSE 4

Troubleshooter_73

First of all, thank you for your help Sylvia, you're welcome!

Sylvia wrote:

Are you sure that you do not get any output with diag deb enable and then diag deb appl sslvpn -1 (and then try to connect to the sslvpn)?

I tested again and here comes the output...

FWF-60D # diagnose debug enable

FWF-60D # diagnose debug application sslvpn -1

FWF-60D # id=20085 trace_id=694 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=694 func=init_ip_session_common line=4527 msg="allocate a new session-00008823"
id=20085 trace_id=694 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=695 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=695 func=init_ip_session_common line=4527 msg="allocate a new session-00008826"
id=20085 trace_id=695 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=696 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=696 func=init_ip_session_common line=4527 msg="allocate a new session-00008828"
id=20085 trace_id=696 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=697 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=697 func=init_ip_session_common line=4527 msg="allocate a new session-00008829"
id=20085 trace_id=697 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=698 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=698 func=init_ip_session_common line=4527 msg="allocate a new session-0000882a"
id=20085 trace_id=698 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=699 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=699 func=init_ip_session_common line=4527 msg="allocate a new session-0000882d"
id=20085 trace_id=699 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=700 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=700 func=init_ip_session_common line=4527 msg="allocate a new session-00008834"
id=20085 trace_id=700 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=701 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag , seq 1948078413, ack 0, win 65535"
id=20085 trace_id=701 func=init_ip_session_common line=4527 msg="allocate a new session-0000883b"
id=20085 trace_id=701 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 

OK, the output of diag sys top 5 70:

Process           PID  State  CPU%  Mem%
newcli            912  R      28.5   0.8
sshd              882  S      14.2   0.6
pyfcgid           801  S       0.0   1.9
pyfcgid           800  S       0.0   1.8
pyfcgid           802  S       0.0   1.7
pyfcgid           798  S       0.0   1.3
cmdbsvr            38  S       0.0   1.2
cw_wtpd           100  S       0.0   1.0
miglogd            58  S       0.0   1.0
httpsd            898  S       0.0   1.0
ipshelper          73  S <     0.0   0.9
httpsd            900  S       0.0   0.9
httpsd            897  S       0.0   0.9
httpsd             60  S       0.0   0.9
cu_acd            103  S       0.0   0.8
newcli            883  S       0.0   0.8
cw_acd             98  S       0.0   0.8
fgfmd              97  S       0.0   0.7
src-vis            86  S       0.0   0.7
iked               78  S       0.0   0.6
updated            79  S       0.0   0.6
imd                77  S       0.0   0.6
dnsproxy           95  S       0.0   0.6
forticldd          71  S       0.0   0.6
forticron          70  S       0.0   0.6
pimd               54  S       0.0   0.6
authd              72  S       0.0   0.6
fcnacd             74  S       0.0   0.6
snmpd              83  S       0.0   0.5
eap_proxy          96  S       0.0   0.5
dhcpd              85  S       0.0   0.5
zebos_launcher     46  S       0.0   0.5
fnbamd             67  S       0.0   0.5
sshd               88  S       0.0   0.5
quard              91  S       0.0   0.5
fortilinkd        102  S       0.0   0.5
uploadd            57  S       0.0   0.5
ntpd               87  S <     0.0   0.5
fclicense          68  S       0.0   0.5
ipsmonitor         64  S       0.0   0.5
sqldb              76  S       0.0   0.5
getty              63  S <     0.0   0.5
alertmail          94  S       0.0   0.5
kmiglogd           59  S       0.0   0.5
telnetd            90  S       0.0   0.5
wpad_ac            99  S       0.0   0.5
merged_daemons     66  S       0.0   0.5
swctrl_authd      104  S       0.0   0.5
fsd               107  S       0.0   0.5
httpclid           75  S       0.0   0.5
initXXXXXXXXXXX     1  S       0.0   0.5
nsm                47  S       0.0   0.2
imi                61  S       0.0   0.2
bgpd               52  S       0.0   0.1
ospfd              50  S       0.0   0.1
isisd              53  S       0.0   0.1
ospf6d             51  S       0.0   0.1
pim6d              55  S       0.0   0.1
pdmd               56  S       0.0   0.1
ripd               48  S       0.0   0.1
ripngd             49  S       0.0   0.1
usbmuxd           106  S       0.0   0.0


Sylvia wrote:

In this case try the flow command:

diag deb ena

diag deb flow sho con ena

diag deb flow show fun ena

diag deb flow filter port 8443

diag deb flow trace start 20

(then connect to the sslvpn and send us the output)

 

FWF-60D # id=20085 trace_id=674 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=674 func=init_ip_session_common line=4527 msg="allocate a new session-000086f1"
id=20085 trace_id=674 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=675 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=675 func=init_ip_session_common line=4527 msg="allocate a new session-000086f4"
id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=676 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=676 func=init_ip_session_common line=4527 msg="allocate a new session-000086f5"
id=20085 trace_id=676 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=677 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=677 func=init_ip_session_common line=4527 msg="allocate a new session-000086f6"
id=20085 trace_id=677 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=678 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=678 func=init_ip_session_common line=4527 msg="allocate a new session-000086f7"
id=20085 trace_id=678 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=679 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=679 func=init_ip_session_common line=4527 msg="allocate a new session-000086f9"
id=20085 trace_id=679 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=680 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=680 func=init_ip_session_common line=4527 msg="allocate a new session-000086fa"
id=20085 trace_id=680 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=681 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=681 func=init_ip_session_common line=4527 msg="allocate a new session-000086fb"
id=20085 trace_id=681 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=682 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=682 func=init_ip_session_common line=4527 msg="allocate a new session-000086fc"
id=20085 trace_id=682 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=683 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:9885->192.168.2.254:8443) from wan1. flag , seq 3571483839, ack 0, win 65535"
id=20085 trace_id=683 func=init_ip_session_common line=4527 msg="allocate a new session-00008701"
id=20085 trace_id=683 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 

If I see the error code

msg="iprope_in_check() check failed on policy 0, drop"

I assume the sslvpnd isn't running, because in 90% of cases like this the root cause is denied access at the interface or a closed port, but in my case I triple-checked the SSL-VPN config and it is listening on WAN1 and uses port 8443.

At the VDSL router the port forwarding is working, as you can see in the flow trace...

A reboot of the appliance doesn't work at all.

I think I have to open a ticket at Fortinet, because I have no idea and it was never as hard as here to implement SSL-VPN access...



FCNSA 5, FCNSP 5, NSE 4
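A small parser for the flow trace pattern discussed in this thread, added here as an example and not code from the thread or from Fortinet: it pairs each trace_id's print_pkt_detail line with its iprope_in_check drop, counts drops per ingress interface, destination and port, and flags a policy-0 drop of local-in traffic to the SSL VPN port as the implicit-deny case Sylvia described (no matching wan1->ssl.root policy). The sample lines are constructed in the same format with documentation addresses, and the regexes are written for the output shown above, not for any Fortinet API.

```python
import re
from collections import Counter

# Constructed sample in the thread's diag debug flow format (documentation addresses, not the poster's).
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.10:40000->192.168.2.254:8443) from wan1. flag , seq 1, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=4527 msg="allocate a new session-00000001"
id=20085 trace_id=1 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.10:40001->192.168.2.254:8443) from wan1. flag , seq 2, ack 0, win 65535"
id=20085 trace_id=2 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 192.168.1.20:50000->192.168.2.254:10443) from internal. flag , seq 3, ack 0, win 65535"
"""

PKT_RE = re.compile(r'trace_id=(\d+) func=print_pkt_detail .*?, ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
DROP_RE = re.compile(r'trace_id=(\d+) func=(\w+) .*?check failed on policy (\d+), drop"')

def parse_drops(text):
    """Pair each trace_id's packet line with its policy-drop line; return the drops."""
    pkts, drops = {}, []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            tid, src, sport, dst, dport, iface = m.groups()
            pkts[tid] = dict(src=src, dst=dst, dport=int(dport), iface=iface)
            continue
        m = DROP_RE.search(line)
        if m and m.group(1) in pkts:
            # fw_local_in_handler means the packet was addressed to the FortiGate itself
            # (e.g. the SSL VPN listener); any other handler means forwarded traffic.
            drops.append(dict(pkts[m.group(1)], trace_id=m.group(1), policy=int(m.group(3)),
                              local_in=(m.group(2) == 'fw_local_in_handler')))
    return drops

def summarize(drops):
    """Count drops per (ingress interface, destination, port, local-in?, policy id)."""
    return Counter((d['iface'], d['dst'], d['dport'], d['local_in'], d['policy']) for d in drops)

def explain(key, n, sslvpn_port=8443):
    """One line per group; policy 0 on a local-in hit to the SSL VPN port is the thread's case."""
    iface, dst, dport, local_in, policy = key
    kind = 'local-in' if local_in else 'forwarded'
    hint = ''
    if policy == 0 and local_in and dport == sslvpn_port:
        hint = (f'; implicit deny on the SSL VPN listener: check the {iface}->ssl.root policy '
                f'(source user group) and the listen-on interfaces')
    return f'{n} {kind} connection(s) to {dst}:{dport} via {iface} dropped by policy {policy}{hint}'

if __name__ == '__main__':
    for key, n in summarize(parse_drops(SAMPLE)).items():
        print(explain(key, n))
```

Feed it the real trace output captured after "diag deb flow trace start" and adjust sslvpn_port to the configured listener port.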
