- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: OS 5.2.3 - SSL VPN Portal unreachable at all
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OS 5.2.3 - SSL VPN Portal unreachable at all
Hi guys,
currently I'm hanging at a really bad issue.
I configured SSL VPN Portal at a FWF 60D, but the Portal is unreachable at all.
Not from External, not from internal.
Setup:
Internal LAN --> FWF 60D --> Transfer-Network --> VDSL Router --> WAN
Client --> WAN --> VDSL Router (Port Forward 8443 to FWF) --> FWF 60D --> LAN
Try to reach SSL VPN Portal from Internal at the Transfer Network Interface of FWF (not possible)
Try to reach SSL VPN Portal from External WAN over VSDL Router (not possible)
Diag Debug Application sslvpn --> no connection
I know, its an easy thing, but I stuck at the moment...
No further ideas...
FCNSA 5, FCNSP 5, NSE 4
Solved! Go to Solution.
FCNSA 5, FCNSP 5, NSE 4
4 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can see the sslvpn process with diag sys top (maybe you need a longer list: diag sys top 5 70).
You should the the sslvpn process here.
You are sure that you do not get any output with diag deb enable and then diag deb appl sslvpn -1 (and then try to connect to the sslvpn)?
In this case try the flow command:
diag deb ena
diag deb flow sho con ena
diag deb flow show fun ena
diag deb flow filter port 8443
diag deb flow trace start 20
(then connect to the sslvpn and send us the output)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Troubleshooter_73,
I never experienced the problem that the sslvpnd is not running. v5.2.3 is ok for sslvpn in my opinion. There's just the fact the the sslvpn settings and firewall policies have to be configured differently then before. That's what produces most trouble for us.
id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Normally this says that there is no matching firewall policy for this traffic, so it's drop by policy 0.
Do you have a wan1->ssl.root policy with source usergroup configured?
Sylvia
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I totally agree with Sylvia.
could you please check or even share your firewall policies for SSL VPN? You need a policy to firstly authenticate the SSL VPN users.
Created on 08-10-2015 03:30 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed!
The Usergroup was missing in the policy!
Thanx to all for the support!
FCNSA 5, FCNSP 5, NSE 4
FCNSA 5, FCNSP 5, NSE 4
- « Previous
-
- 1
- 2
- Next »
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this a new device (as in newly configured) or did you do a firmware update per chance?
At VPN > SSL > Settings did you add the external and the internal interface? What is the Listen on Port number?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had this problem as before, my solution is downgrade to 5.2.1.
You can search the forum that have other people have this problem and downgrade also.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Troubleshooter_73,
I never experienced the problem that the sslvpnd is not running. v5.2.3 is ok for sslvpn in my opinion. There's just the fact the the sslvpn settings and firewall policies have to be configured differently then before. That's what produces most trouble for us.
id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Normally this says that there is no matching firewall policy for this traffic, so it's drop by policy 0.
Do you have a wan1->ssl.root policy with source usergroup configured?
Sylvia
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I totally agree with Sylvia.
could you please check or even share your firewall policies for SSL VPN? You need a policy to firstly authenticate the SSL VPN users.
Created on 08-10-2015 03:30 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed!
The Usergroup was missing in the policy!
Thanx to all for the support!
FCNSA 5, FCNSP 5, NSE 4
FCNSA 5, FCNSP 5, NSE 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please set folloving commands.
config vpn ssl setting
config authentication-rule
edit 1
unset source-interface
end
end
Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Was there improvement?
Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
How can I make Linux ios to be available for forticlient VPN
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having the same issue. I have done diag sys top 10 60 and I can't see sslvpnd daemon, and I have done a diag snnifer packet capture with the filter 'port tcp <port-SSL-VPN-Portal> (in my case is 4443), and I only see SYN packets from me (LAN or WAN), but I never see an ACK or SYN packet from FortiGate. Also, I tried to access with FortiClient, and the service is Unreachable. The FortiGate is 300D 5.2.5 GA.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I don't know if my contribution will help others but I ran into a similar issue and here is how it was solved :
1. Issue encountered
The VPN SSL was working on a Fortigate 60C unit. After upgrading the firmware to 5.2.10build742, the VPN SSL wasn't working anymore. Indeed, there ares some number of parameters that needed to be configured differently due to the firmware's new version. After applying the appropriate changes, the VPN SSL portal wasn't reachable at all (external IP or internal IP) from our Wan1 interface but was only reachable from the Wan2 interface. Previously, it was working from both interfaces.
2. Solution applied
After checking the VPN configuration through the CLI, it appeared that the "config authentication-rule/source-interface and source-address" parameters were still present likely inherited from the previous settings before upgrading the unit. That seemed to be the problem because those settings are specified in a different location in the latest firmware version. Removing those parameters in the CLI allowed the VPN SSL to work again from all required interfaces (Wan1 and Wan2).
Steps followed :
Connect to the CLI or via SSH
config vpn ssl settings
show
[align=left]config vpn ssl settings set servercert "cert" set idle-timeout 0 set tunnel-ip-pools "Your_VPN_SSL" set dns-suffix "Your_Domain" set port 012345 set source-interface "wan2" "wan1" set source-address "all" set source-address6 "all" set default-portal "Your_Portal" config authentication-rule edit 1 set source-interface "wan2" set source-address "all" set groups "Your_VPN_SSL_Group" set portal "Your_Portal" next end end[/align][align=left] [/align]config vpn ssl settings config authentication-rule edit 1 unset source-interface
show
[align=left]config vpn ssl settings set servercert "cert" set idle-timeout 0 set tunnel-ip-pools "Your_VPN_SSL" set dns-suffix "Your_Domain" set port 012345 set source-interface "wan2" "wan1" set source-address "all" set source-address6 "all" set default-portal "Your_Portal" config authentication-rule edit 1 set groups "Your_VPN_SSL_Group" set portal "Your_Portal" next end end[/align][align=left] [/align][align=left]I hope this can help some people.[/align][align=left] [/align][align=left]Regards to all[/align]
- « Previous
-
- 1
- 2
- Next »
Related Posts
- SSLVPN client certs and radius 34 Views
- SSO on Self-Service Portal FortiAuthenticator 73 Views
- New FortiGate 60F- Assigns me IP... 171 Views
- ipv6 - internal lan interface cannot... 229 Views
- Fortinac allow internet access (Guest Network)... 368 Views
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.