Try changing your static route and use the destination as your ssl-vpn IP range and the gateway set to ssl.root
The IP you are given will be the same as your gateway i.e.
Say the range was configured 10.254.254.0/24
You connect to the VPN, you are given 10.254.254.1 as your address and this is also set as your gateway. You then attempt your ping, which is allowed using the following policies:
External (Internet) -> ssl.root
ACTION = SSL-VPN
Service = ANY
(also ensure you respective users/groups are defined in this policy)
ssl.root -> Internal
ACTION = ACCEPT
Service = Any (change this once you have it working to ICMP_ANY or ECHO, etc)
Now if you attempt to PING an Internal node it should work.
Routing:
i.e. internal 192.168.2.2
ping 192.168.2.2
With you being connected to the VPN, and your default gatetway being 10.254.254.1 the traffic will be forwarded to this interface. With your destination being set to the range 10.254.254.0/24 - gateway ssl.root, your policy ssl.root -> internal - ACCEPT - ANY should see these packets routed to the internal network.
Providing the internal node does not have a firewall enabled, and routing is configured correctly you will get your reply?
Hope this helps?
Fortigate 1000A
v4.0,build194,100121 (MR1 Patch 4)
Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)