SSL-VPN not allowing IPv6 connections after setting to "Limit access to specific hosts"
I am attempting to limit access to our SSL-VPN to only specific IP addresses. It works great for IPv4, but any clients on AT&T mobile internet don't work because they receive an IPv6 public IP address.
I tried adding the public IPv6 addresses to the allowed hosts, but it still will not allow the connection; it just says "Unable to establish the VPN connection. The VPN server may be unreachable"
For troubleshooting I added the "all" IPv6 addresses object to the allowed addresses group but it still will not allow a connection.
I can't find where in the logs these blocked connections would be so that I can troubleshoot the issue.
My questions are:
Is there something else I need to do in the settings on the FortiGate-101F to allow these IPv6 connections?
Where would I find the logs of connections blocked by the "Limit access to specific hosts" setting?
Hi @VernalCityIT ,
What interface on your FGT is listening for SSL VPN connections? Do you have an IPv6 IP assigned to this interface?
Jerry
It's a standard Ethernet 1GBs IPv4 connection to our local ISP. Our local ISP does not offer IPv6 addresses as far as I know. But I would not think that would be an issue, as it worked fine before I started restricting the addresses.
But, I could reach out to the ISP and see if they can give us an IPv6 address, if you think that would help.
Hi @VernalCityIT ,
Do you mean that when there was no restricted address configured, the IPv6 end-user was able to connect to SSL VPN?
I don't think so. If there is no IPv6 IP assigned to the interface listening to the SSL VPN connection, the interface will not accept the IPv6 SSL VPN connection.
Jerry
Yes, when I had the setting like the image below, IPv6 clients connected fine.
Greetings!
This is the case once the user gets connected with IPv6; can you share the output of
get vpn ssl monitor
The interface shouldn't accept the connection if no IPv6 address is assigned to the listening interface configured in SSL VPN settings.
I don't want to post the output of that command on a public forum because it shows our IP addresses, but it appears you were right.
Even though whatsmyip showed an IPv6 address, it is connecting to the VPN using an IPv4 address that I was able to get using that command. If I put it in the allowed IPs group I am able to connect.
This gives me enough information to solve my problem.
Thank you!
Perfect!
That means it is connecting with IPv4, and if you restrict that IPv4 address, it will not allow an sslvpn connection to be formed.
I'm glad you got the answer.
Best Regards!
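The outcome of this thread, modelled as an added example (not part of any post above and not FortiGate code): a listener with only an IPv4 address is reached over IPv4, so the allowlist must contain the client's IPv4 source, and IPv6 entries never match it. The function names and all addresses are assumptions constructed from documentation ranges.

```python
import ipaddress

def reachable_families(listener_addrs):
    """IP versions (4 and/or 6) on which the VPN listener can be reached."""
    return {ipaddress.ip_address(a).version for a in listener_addrs}

def source_allowed(source, allowlist):
    """True if the source the gateway sees is inside a same-family allowlist entry."""
    src = ipaddress.ip_address(source)
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        # An IPv6 entry (even ::/0) can never match an IPv4 source, and vice versa.
        if net.version == src.version and src in net:
            return True
    return False

def diagnose(listener_addrs, client_sources, allowlist):
    """Report, per client public address, whether it is used and whether it is allowed.

    client_sources maps IP version -> public address the client presents
    for that family (the IPv4 one may be a carrier NAT address).
    """
    families = reachable_families(listener_addrs)
    report = []
    for version, src in sorted(client_sources.items()):
        if version not in families:
            report.append((src, f"unused: listener has no IPv{version} address"))
        elif source_allowed(src, allowlist):
            report.append((src, "allowed"))
        else:
            report.append((src, "blocked: add this source to the allowlist"))
    return report

# Constructed sample data (documentation ranges, not real hosts).
LISTENER = ["203.0.113.10"]                      # IPv4-only WAN interface
CLIENT = {6: "2001:db8:1::25",                   # what a "what is my IP" site shows
          4: "198.51.100.77"}                    # what the gateway actually sees
ALLOWLIST = ["192.0.2.0/24", "2001:db8:1::25/128", "::/0"]

if __name__ == "__main__":
    for src, verdict in diagnose(LISTENER, CLIENT, ALLOWLIST):
        print(f"{src:>16}  {verdict}")
    fixed = ALLOWLIST + ["198.51.100.77/32"]
    for src, verdict in diagnose(LISTENER, CLIENT, fixed):
        print(f"{src:>16}  {verdict}")
```
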
