
Problems with SSL VPN Tunnel Mode

I am attempting to set up SSL VPN access for some of our employees to access our office network from PCs at home or on the road. We have a Fortigate 60 running firmware version 3.0 MR3 build 416 - memory optimized version. I have followed the instructions in the Fortigate SSL VPN User Guide and am using a PC at my home to test. I can connect to the Fortigate via its public IP address, and log in using the local account I have set up on the Fortigate. I download the ActiveX plugin and initiate the VPN tunnel to the Fortigate. All of this seems to work fine, it connects, but once connected I cannot access anything on the network behind the Fortigate. I cannot ping any of the servers from a command window nor attach any drives. It then disconnects after 15 seconds or so. If I log SSL VPN messages on the Fortigate, all I see are success messages, no errors. If I run in Web-only mode using the web portal, I can use the ping application and enter a server IP on our subnet and it tells me the destination host is reachable. I can even run RDP and initiate an RDP session to a server desktop or my office PC desktop and this works fine. On the PC, the Fortinet SSL VPN Client window in tunnel mode shows Bytes Sent constantly increasing during the tunnel session but the Bytes Received jumps to 242 on connection and does not increase from there. I have reviewed everything I can find on the Fortinet site and tried everything I can think of. I have set the range of IP addresses assigned to tunnel clients both to an unused range in the same subnet as the office network and in a different subnet and it makes no difference. I have disabled firewalls on the home PC as well as the home DSL router and get the same result. I also tried it with a laptop computer using a dial-up connection and got the same result. I don't know where to go from here. Anyone have an idea or suggestion as to what I might try next?
rwpatterson
Valued Contributor III

What IP subnet you use should make no difference at all. If you have an interior router behind the FGT, make sure the route is added back to the SSL VPN IP subnet you defined on the Fortigate. Also start off with the 'any' service in the policy, and narrow it down after it successfully works.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Thanks for the suggestions, Bob. We don't have another router behind the Fortigate and the policy is already set to 'any' service. I guess maybe my next step is to run the packet sniffer on the FGT and try and see where things are getting dropped.
rwpatterson
Valued Contributor III

Make sure the SSL VPN policies appear at the top of the list for the interface definitions. They are read from the top down, and any non-VPN definitions above that will steal that traffic. First match, first served.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
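A simplified first-match model of the point made above, added here as an example (not from the thread and not Fortinet's code): an ordered policy table in which an earlier, broader non-VPN policy on the same interface pair silently takes the SSL VPN flow, together with a check that reports such shadowing and the reorder that fixes it. The interface names, addresses and the "ssl-vpn" action string are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    pid: int
    src_intf: str
    dst_intf: str
    src: str      # CIDR, or "all"
    dst: str      # CIDR, or "all"
    action: str   # "accept", "deny" or "ssl-vpn"

def _covers(net, ip):
    return net == "all" or ip_address(ip) in ip_network(net)

def _net_covers(outer, inner):
    # Does every address in `inner` also fall under `outer`?
    if outer == "all":
        return True
    return inner != "all" and ip_network(inner).subnet_of(ip_network(outer))

def first_match(policies, src_intf, dst_intf, src_ip, dst_ip):
    """Top-down lookup: the first policy covering the flow wins, whatever follows."""
    for p in policies:
        if ((p.src_intf, p.dst_intf) == (src_intf, dst_intf)
                and _covers(p.src, src_ip) and _covers(p.dst, dst_ip)):
            return p
    return None

def shadowed_sslvpn(policies):
    """(ssl-vpn pid, stealing pid) for each ssl-vpn policy that an earlier
    non-VPN policy on the same interface pair fully covers."""
    out = []
    for i, p in enumerate(policies):
        if p.action != "ssl-vpn":
            continue
        for q in policies[:i]:
            if ((q.src_intf, q.dst_intf) == (p.src_intf, p.dst_intf)
                    and q.action != "ssl-vpn"
                    and _net_covers(q.src, p.src) and _net_covers(q.dst, p.dst)):
                out.append((p.pid, q.pid))
                break
    return out

def move_to_top(policies, pid):
    """Reorder so the given policy is evaluated first (the fix suggested above)."""
    return [p for p in policies if p.pid == pid] + [p for p in policies if p.pid != pid]

# Constructed sample (simplified model, not FortiOS config): a broad
# wan1->internal accept sits above the SSL VPN policy and steals its traffic.
MISORDERED = [
    Policy(1, "wan1", "internal", "all", "all", "accept"),
    Policy(2, "wan1", "internal", "all", "192.168.1.0/24", "ssl-vpn"),
]
FIXED = move_to_top(MISORDERED, 2)
```

Run `shadowed_sslvpn` against the table before and after the reorder: the misordered list reports policy 2 shadowed by policy 1, the fixed list reports nothing.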