SSL VPN Can't Access New Data Center Subnet
We've used SSLVPN on the Fortigate for nearly 3 years without any issues.
The users connect and receive a 192.168.10.[10-254] IP address.
Our issue came into play when we moved all our servers out of our main office and into our new data center. Despite our best efforts, we still cannot seem to get the connecting users to be able to route to our 10.1.0.0/16 network.
We think we finally tracked it down to the DHCP addresses it's handing out to the connecting users. When I connect I receive 192.168.10.10/255.255.255.255 as the address, which is where I think the limitation is coming from. The users can connect to every single one of our 192.168.*.* networks, but they cannot route to the 10.1.0.0/16 network.
Any ideas? One of my admins thinks maybe the 255.255.255.255 netmask handed out via DHCP is limiting the connection's ability to access networks outside the 192.168.*.* network. I'm skeptical.
We have a Static Route set up to point all 192.168.10.0/24 traffic to device ssl.root.
I was thinking maybe a policy route might help us?
Thanks ahead of time for any suggestions. Maybe we're just overlooking something extremely obvious.
Is the data center local to the SSL VPN router, or remote down another leg?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Are you pushing out the 10.1.0.0/16 network to your SSLVPN users?
If not, add the network to the firewall policy, which looks like this:
Policy Type: SSLVPN
Source Interface: WAN1
Source Address: all
Destination Interface: Internal
Destination address: <all networks you wish to push to the clients>
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
This turned out to be a bad tunnel policy going to the DC!
Spent too much time looking elsewhere rather than step 1.
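The following is an added example, not configuration posted by anyone in this thread. It shows, in FortiOS 5.x/6.x-style CLI, the equivalent of the "Policy Type: SSLVPN" split-tunnel policy described in the second reply, plus the separate accept policy toward the data center that the last reply identifies as the real problem. Address-object names, the "dc_tunnel" interface, the portal name, the IP pool and the user group are all assumed for illustration; "ssl.root" is the interface named in the original question. Note that the 255.255.255.255 mask on the client's tunnel adapter is normal for SSL VPN; the client learns which subnets to send into the tunnel from the routes the FortiGate pushes, not from that mask.

```text
# Added example (not from the thread): FortiOS 5.x/6.x-style CLI.
# Names marked (assumed) are placeholders chosen for this example.

# Address objects for the office LANs and the data center (names assumed).
config firewall address
    edit "LAN_192.168.0.0_16"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "DC_10.1.0.0_16"
        set subnet 10.1.0.0 255.255.0.0
    next
end

# Split tunneling pushes a route to the client only for the subnets listed
# here. A subnet that is reachable from the FortiGate but missing from this
# list never enters the tunnel, whatever mask the adapter shows.
config vpn ssl web portal
    edit "full-access"                      # portal name assumed
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_192.168.0.0_16" "DC_10.1.0.0_16"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"  # pool name assumed
    next
end

# One accept policy per egress interface. A pushed route alone does nothing
# if there is no policy from ssl.root to the interface that reaches the
# destination; the thread's root cause was the policy toward the data center.
config firewall policy
    edit 0
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"              # office LAN interface (assumed)
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_192.168.0.0_16"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN_Users"           # user group assumed
        set logtraffic all
    next
    edit 0
        set name "SSLVPN-to-DC"
        set srcintf "ssl.root"
        set dstintf "dc_tunnel"             # interface reaching the DC (assumed)
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "DC_10.1.0.0_16"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN_Users"
        set logtraffic all
    next
end
```

To check the result from both ends: on a connected Windows client, `route print` should list 10.1.0.0/16 via the SSL VPN adapter; on the FortiGate, `diagnose sniffer packet any 'host <dc-server-ip>' 4` shows whether the client's packets arrive on ssl.root and leave on the data center interface, and a packet that arrives but never leaves points at the policy (or the route toward the DC) rather than at the client.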
