Support Forum

SSL VPN Unreachable

I thought I followed all instructions to the letter, but my SSLVPN-portal is not available for the outside world.

If I add the internal port to the interface-list, I can reach the portal-pages from inside the network and I'm able to log on as I should, so everything there is working.


When I try to connect from the outside world, I get an 'unreachable'. Debugging the flow on the CLI, I notice that the packet is hitting rule 0 and is therefore blocked.


My config is as follows:


config firewall policy
  edit 14
    set srcintf "ssl.root"
    set dstintf "switch"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "Local LAN"
    set action accept
    set schedule "always"
    set service "ALL"
    set groups "SSL_VPN_USERS"
    set nat enable
  next
end

config firewall policy
  edit 15
    set srcintf "ssl.root"
    set dstintf "wan1"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set groups "SSL_VPN_USERS"
    set nat enable
  next
end


Other rules include forwarding of HTTP, HTTPS, SSH to two servers.

I am using a FortiGate 110C with OS version 5.2.5 


Any suggestions?


Thanks in advance,





As I see it, the issue is that the SSL-VPN portal page shows the error 'Server Unreachable' from WAN and works fine from LAN.

Device is on v5.2

Please check if you have added the WAN interface in the authentication policy; the option in the CLI is:


config vpn ssl settings
show full-configuration

<--------------- check the authentication-rule and the interface; it should include WAN


The firewall policy that you have posted above will be required for SSL VPN subnet access.




Below are the results from the 'show full-config':


config vpn ssl settings
    set reqclientcert disable
    set sslv2 disable
    set sslv3 enable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert "STAR_arkro-it_nl"
    set algorithm default
    set idle-timeout 300
    set auth-timeout 28800
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-suffix ''
    set dns-server1
    set dns-server2
    set wins-server1
    set wins-server2
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface disable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 10443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set source-interface "wan1"
    set source-address "all"
    set source-address-negate disable
    set source-address6 "all"
    set source-address6-negate disable
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_USERS"
            set portal "full-access"
            set realm ''
            set client-cert disable
            set cipher any
            set auth any
        next
    end
end

The odd thing that strikes me is that the traffic is blocked by the default rule. If I add the local LAN to the ports to listen to (so I get the message that it listens to *and* <externalip>:10443), I can connect from the inside. So basically everything seems to be working.
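The check suggested in the reply above (is the WAN interface listed as an SSL VPN source-interface, with a listening port and an authentication rule carrying a user group) can be made repeatable. The following is an added Python example, not code from the thread or from Fortinet: it parses the FortiOS `config vpn ssl settings` block (a trimmed copy of the one posted above, with closing keywords added, embedded as constructed sample text) and reports what is missing. The interface name passed in is an assumption.

```python
import shlex

# Constructed sample: the "config vpn ssl settings" block posted in the thread,
# trimmed to the keys checked below (closing next/end keywords added).
SAMPLE = """
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_USERS"
            set portal "full-access"
        next
    end
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts: 'config X' and 'edit N'
    open a scope, 'set k v...' stores a value list, 'next'/'end' close it."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())   # handles "quoted" and '' values
        if not parts:
            continue
        if parts[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "set":
            cur[parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            cur = stack.pop()
    return root

def check_sslvpn_listener(text, wan_iface):
    """List what would stop the SSL VPN portal listening on wan_iface
    (assumed interface name) given a 'config vpn ssl settings' block."""
    ssl = parse_fortios(text).get("vpn ssl settings", {})
    problems = []
    if wan_iface not in ssl.get("source-interface", []):
        problems.append(f"source-interface does not include {wan_iface}")
    if not ssl.get("port"):
        problems.append("no listening port set")
    rules = ssl.get("authentication-rule", {}).values()
    if not any(r.get("groups") for r in rules):
        problems.append("no authentication-rule with a user group")
    return problems
```

Run against the posted block, `check_sslvpn_listener(SAMPLE, "wan1")` returns an empty list, which matches the observation above that the listener itself is configured for wan1; the remaining question is why the packets hit policy 0.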

