SSL VPN not connecting on secondary WAN interface
Hello all!
Wonder if anyone can help with this issue.
I have a 60F running 7.2.3 and my SSL VPN works fine on WAN1 that is a static IP - both via FortiClient and web browser.
I have 2 additional WAN interfaces that are PPPoE based and are also enabled for SSL VPN; however, they don't work via either FortiClient or web browser. FortiClient gets to 40% before dropping, and the web browser states 'Connection reset'.
Both interfaces are pingable and allow me to access the admin GUI via HTTPS on an alternative port.
The SSL VPN debug shows the following:
[249:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[249:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[250:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[250:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[251:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[251:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[252:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[252:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[246:root:1f]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[246:root:1f]Destroy sconn 0x7f8cab1800, connSize=0. (root)
Hoping that someone can give me a clue as to why this is happening.
TIA for any guidance
Labels: FortiClient, FortiGate
Hey there,
The debug above only says that an SSL session cannot be established / is torn down.
That can be due to many reasons.
You need to check what other messages the debug is showing.
1. I would start with a sniffer to see if your connection attempt arrives at the firewall.
diagnose sniffer packet any 'host <client public ip> and tcp port <ssl vpn port>' 4 0 a
2. If there is 2-way traffic, check if you match the correct policy.
diag debug flow filter addr <IPADDRESSOFTHECLIENT>
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug enable
diag debug flow trace start 100
(di de di - to stop it)
3. If you're matching the correct policy then you can run some sslvpn debug.
diag debug reset
diagnose debug cons time en
diag debug application fnbamd -1
diagnose debug app sslvpn -1
dia vpn ssl debug-filter src-addr4 x.x.x.x
diagnose debug enable
(di de di - to stop it)
That should show some more details. See if you can spot the reason.
And review your config.
You can quickly compare the working one with the non-working one side by side; check: user, group, auth server, firewall policy, SSL VPN settings, SSL VPN rules, portals/realms.
That should help you to spot a config issue if there is one.
Hope this helps. Let me know how it goes.
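Added example, not from the thread or from Fortinet: a small Python parser that groups sslvpn debug lines of the kind quoted in the question by connection attempt and counts how many are destroyed straight after allocSSLConn (the "torn down immediately" pattern the reply describes), so a longer capture can be triaged quickly. The sample input is constructed; session 253 and its "SSL established" line are hypothetical, added only to show what a further-progressing attempt looks like.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of "diagnose debug application sslvpn -1" output.
# Sessions 249, 250 and 246 mirror pairs quoted in the question; session 253 is a
# hypothetical attempt whose TLS handshake got further, included for contrast.
SAMPLE_DEBUG = """\
[249:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[249:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[250:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[250:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[246:root:1f]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[246:root:1f]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[253:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[253:root:1e]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[253:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
"""

# Each line starts with "[pid:vdom:seq]"; pid plus seq identifies one connection attempt.
LINE_RE = re.compile(r"^\[(\d+):([^:\]]+):([0-9a-fA-F]+)\](.*)$")


def parse_sslvpn_debug(text):
    """Group debug messages per connection attempt, preserving their order."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore anything not in the sslvpn debug line format
        pid, _vdom, seq, msg = m.groups()
        sessions.setdefault((int(pid), seq), []).append(msg.strip())
    return sessions


def classify(messages):
    """'immediate_teardown' when nothing at all happened between alloc and destroy."""
    alloc_first = messages[0].startswith("allocSSLConn")
    destroy_last = messages[-1].startswith("Destroy sconn")
    if alloc_first and destroy_last and len(messages) == 2:
        return "immediate_teardown"
    if any(m.startswith("SSL established") for m in messages):
        return "handshake_completed"
    return "other"


def summarize(text):
    """Count attempts per outcome; a high immediate_teardown share points below TLS."""
    counts = {"sessions": 0, "immediate_teardown": 0, "handshake_completed": 0, "other": 0}
    for messages in parse_sslvpn_debug(text).values():
        counts["sessions"] += 1
        counts[classify(messages)] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
```

Feed it the full debug output (e.g. saved from the console) rather than the excerpt; if every attempt on the PPPoE interfaces is "immediate_teardown" while WAN1 attempts reach "handshake_completed", the problem sits at the packet or policy level the reply's sniffer and debug flow steps are meant to expose.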
- Make sure you see default gateway routes (0.0.0.0) for all interfaces in # get router info routing all
- Enable replying from the same interface, as described here https://community.fortinet.com/t5/Support-Forum/SSL-VPN-dual-interface/td-p/212882
- Make sure your authentication rules in SSL VPN settings are not limiting access to just a single interface # show vpn ssl settings
