Hi guys,
currently I'm hanging at a really bad issue.
I configured SSL VPN Portal at a FWF 60D, but the Portal is unreachable at all.
Not from External, not from internal.
Setup:
Internal LAN --> FWF 60D --> Transfer-Network --> VDSL Router --> WAN
Client --> WAN --> VDSL Router (Port Forward 8443 to FWF) --> FWF 60D --> LAN
Try to reach SSL VPN Portal from Internal at the Transfer Network Interface of FWF (not possible)
Try to reach SSL VPN Portal from External WAN over VSDL Router (not possible)
Diag Debug Application sslvpn --> no connection
I know, its an easy thing, but I stuck at the moment...
No further ideas...
FCNSA 5, FCNSP 5, NSE 4
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can see the sslvpn process with diag sys top (maybe you need a longer list: diag sys top 5 70).
You should the the sslvpn process here.
You are sure that you do not get any output with diag deb enable and then diag deb appl sslvpn -1 (and then try to connect to the sslvpn)?
In this case try the flow command:
diag deb ena
diag deb flow sho con ena
diag deb flow show fun ena
diag deb flow filter port 8443
diag deb flow trace start 20
(then connect to the sslvpn and send us the output)
Hey Troubleshooter_73,
I never experienced the problem that the sslvpnd is not running. v5.2.3 is ok for sslvpn in my opinion. There's just the fact the the sslvpn settings and firewall policies have to be configured differently then before. That's what produces most trouble for us.
id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Normally this says that there is no matching firewall policy for this traffic, so it's drop by policy 0.
Do you have a wan1->ssl.root policy with source usergroup configured?
Sylvia
Hello,
I totally agree with Sylvia.
could you please check or even share your firewall policies for SSL VPN? You need a policy to firstly authenticate the SSL VPN users.
Created on 08-10-2015 03:30 AM
FCNSA 5, FCNSP 5, NSE 4
Is this a new device (as in newly configured) or did you do a firmware update per chance?
At VPN > SSL > Settings did you add the external and the internal interface? What is the Listen on Port number?
I had this problem as before, my solution is downgrade to 5.2.1.
You can search the forum that have other people have this problem and downgrade also.
Hey Troubleshooter_73,
I never experienced the problem that the sslvpnd is not running. v5.2.3 is ok for sslvpn in my opinion. There's just the fact the the sslvpn settings and firewall policies have to be configured differently then before. That's what produces most trouble for us.
id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Normally this says that there is no matching firewall policy for this traffic, so it's drop by policy 0.
Do you have a wan1->ssl.root policy with source usergroup configured?
Sylvia
Hello,
I totally agree with Sylvia.
could you please check or even share your firewall policies for SSL VPN? You need a policy to firstly authenticate the SSL VPN users.
Created on 08-10-2015 03:30 AM
FCNSA 5, FCNSP 5, NSE 4
Please set folloving commands.
config vpn ssl setting
config authentication-rule
edit 1
unset source-interface
end
end
Was there improvement?
Hi ,
How can I make Linux ios to be available for forticlient VPN
I'm having the same issue. I have done diag sys top 10 60 and I can't see sslvpnd daemon, and I have done a diag snnifer packet capture with the filter 'port tcp <port-SSL-VPN-Portal> (in my case is 4443), and I only see SYN packets from me (LAN or WAN), but I never see an ACK or SYN packet from FortiGate. Also, I tried to access with FortiClient, and the service is Unreachable. The FortiGate is 300D 5.2.5 GA.
Hi everyone,
I don't know if my contribution will help others but I ran into a similar issue and here is how it was solved :
1. Issue encountered
The VPN SSL was working on a Fortigate 60C unit. After upgrading the firmware to 5.2.10build742, the VPN SSL wasn't working anymore. Indeed, there ares some number of parameters that needed to be configured differently due to the firmware's new version. After applying the appropriate changes, the VPN SSL portal wasn't reachable at all (external IP or internal IP) from our Wan1 interface but was only reachable from the Wan2 interface. Previously, it was working from both interfaces.
2. Solution applied
After checking the VPN configuration through the CLI, it appeared that the "config authentication-rule/source-interface and source-address" parameters were still present likely inherited from the previous settings before upgrading the unit. That seemed to be the problem because those settings are specified in a different location in the latest firmware version. Removing those parameters in the CLI allowed the VPN SSL to work again from all required interfaces (Wan1 and Wan2).
Steps followed :
Connect to the CLI or via SSH
config vpn ssl settings
show
[align=left]config vpn ssl settings set servercert "cert" set idle-timeout 0 set tunnel-ip-pools "Your_VPN_SSL" set dns-suffix "Your_Domain" set port 012345 set source-interface "wan2" "wan1" set source-address "all" set source-address6 "all" set default-portal "Your_Portal" config authentication-rule edit 1 set source-interface "wan2" set source-address "all" set groups "Your_VPN_SSL_Group" set portal "Your_Portal" next end end[/align][align=left] [/align]config vpn ssl settings config authentication-rule edit 1 unset source-interface
show
[align=left]config vpn ssl settings set servercert "cert" set idle-timeout 0 set tunnel-ip-pools "Your_VPN_SSL" set dns-suffix "Your_Domain" set port 012345 set source-interface "wan2" "wan1" set source-address "all" set source-address6 "all" set default-portal "Your_Portal" config authentication-rule edit 1 set groups "Your_VPN_SSL_Group" set portal "Your_Portal" next end end[/align][align=left] [/align][align=left]I hope this can help some people.[/align][align=left] [/align][align=left]Regards to all[/align]Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.