Support Forum
earthlab
New Contributor III

SSL VPN on vne-tunnel issues after upgrade to 7.2.5

This issue is similar to Article Id: 261221.
On FortiOS 7.2.4, SSL VPN with vne-tunnel worked.
But after upgrading to 7.2.5 (FortiOS v7.2.5 build1517), the SSL VPN port doesn't answer any request.
* FortiClient or browser requests reached the FG (the request packets were captured on vne.root), but the FortiGate didn't answer.

1 Solution
earthlab
New Contributor III

Hi guys!

I have good news.

This issue has been resolved in FortiOS 7.2.6.

After updating to 7.2.6, my FortiGate 60F's SSL VPN function recovered.


earthlab
New Contributor III

After downgrading to FortiOS 7.2.4, SSL VPN is working again.
Note: that version has a security issue (CVE-2023-27997).

I don't recommend it.

Anyone else having this problem?

Toshi_Esumi
SuperUser

Do you have backup configs for both 7.2.4 and 7.2.5? Then do you see any difference under "config vpn ssl settings" and "config vpn ssl web portal"?

Toshi
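One way to do the comparison Toshi suggests without reading the whole backup by hand: pull a single top-level "config ..." block out of each backup file and diff just that block. This is an added example, not code from the thread or from Fortinet; it assumes the standard backup layout (top-level "config ... / end" pairs with nested "config"/"end" indented beneath them) and uses two constructed sample backups in place of the real 7.2.4 and 7.2.5 files.

```shell
#!/bin/sh
# Added example: diff one top-level "config ..." block between two FortiGate backups.
# Assumes the standard backup layout: a top-level line equal to the header (e.g.
# "config vpn ssl settings"), nested "config"/"end" pairs indented beneath it, and a
# matching "end" closing the block.

# extract_block FILE HEADER -> prints the block that starts at the line equal to HEADER
extract_block() {
    awk -v hdr="$2" '
        $0 == hdr { inblock = 1; depth = 0 }
        inblock {
            print
            if ($1 == "config") depth++
            if ($1 == "end") { depth--; if (depth == 0) inblock = 0 }
        }' "$1"
}

# diff_block OLD NEW HEADER -> unified diff of HEADER between the two backups.
# Exit status follows diff: 0 when the blocks are identical, 1 when they differ.
diff_block() {
    old_tmp=$(mktemp) && new_tmp=$(mktemp)
    extract_block "$1" "$3" > "$old_tmp"
    extract_block "$2" "$3" > "$new_tmp"
    diff -u "$old_tmp" "$new_tmp"
    rc=$?
    rm -f "$old_tmp" "$new_tmp"
    return $rc
}

# Constructed sample backups (stand-ins for the real pre- and post-upgrade files).
# The "new" one differs only in the SSL VPN source-address, so one block is identical
# and the other is not.
OLD_CFG=$(mktemp)
NEW_CFG=$(mktemp)
cat > "$OLD_CFG" <<'EOF'
# constructed sample, not a real backup
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config vpn ssl settings
    set servercert "gw"
    set port 10298
    set source-interface "vne.root"
    set source-address "japan"
    set default-portal "full-access"
end
EOF
sed 's/set source-address "japan"/set source-address "all"/' "$OLD_CFG" > "$NEW_CFG"

# Usage: report which SSL VPN blocks changed between the two backups.
for hdr in "config vpn ssl web portal" "config vpn ssl settings"; do
    if diff_block "$OLD_CFG" "$NEW_CFG" "$hdr"; then
        echo "identical: $hdr"
    else
        echo "DIFFERS:   $hdr"
    fi
done
```

Run it against the two real backups by replacing OLD_CFG and NEW_CFG with their paths; any "set" line that appears in only one side of the unified diff is the thing to look at first.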

earthlab
New Contributor III

Hi @Toshi_Esumi
I checked both configurations; the sections were the same.

From the 7.2.4 and 7.2.5 configs.

------------------------------------------

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set forticlient-download disable
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-access"
    next
    edit "tunnel-access"
        set ipv6-tunnel-mode enable
        set forticlient-download disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end
config vpn ssl settings
    set servercert "gw"
    set idle-timeout 3600
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 8.8.8.8
    set port 10298
    set source-interface "vne.root"
    set source-address "japan"
    set default-portal "full-access"
end

------------------------------------------

Note: I temporarily added "set status disable" to "config vpn ssl settings" after I found this issue.

earthlab

Toshi_Esumi
SuperUser

So you're using geo-blocking/allowing for SSL VPN source IPs (only Japan?). Then my guess is that something might not have been working properly with the geo IPs. I don't know exactly how it works, but I think it needs to ask FortiGuard.

If you can afford going back to 7.2.5 again for test purposes, you can try removing the geo-IP restriction to see whether that is the culprit.

Toshi

earthlab
New Contributor III

Thank you for your advice.
Yes, I limited the source IPs.
And I already tried the following "not limited source" config with 7.2.5, but it still didn't work. So I guess it's not related to the GeoIP function.
-----
config vpn ssl settings
    set servercert "gw"
    set idle-timeout 3600
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 8.8.8.8
    set port 10298
    set source-interface "vne.root"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
end
-----
earthlab

Mbr77
New Contributor

Hi,
I have the same issue. I can reach all LAN servers but cannot reach the FG login screen; it can be done only in web mode via HTTPS.
Does anyone have a fix for it?

securityGP
New Contributor

I had a similar issue, but no solution yet.
I can log in (from tunnel & web) fine on version 7.2.3, but after upgrading to 7.2.5, SSL VPN can't authenticate; after downgrading to 7.2.4, it works well.

If you are investigating this issue, I have a tip for you:
I suspect something about the "SSL VPN realm check". I did some tests with Fortinet Support and identified some strange situations.
Go to:
https://[FORTIGATE_IP]/ng/vpn/ssl/realms/edit/YOUR_REALM
and check whether YOUR_REALM is listed below, with the IP of the listen interfaces.

(screenshot of the realm edit page)

Check this information before and after upgrading to 7.2.5. Try creating a new realm after the upgrade too.

I'm going to check this in my environment, but I need to schedule a window first.

Hope this helps you; I'll come back with news later.

securityGP

Hey guys!

I tried to upgrade again, and this time I managed to get SSL VPN working again.
But honestly I don't know exactly how I did it; anyway, I'll share some of the steps I took.

1 - After upgrading the firmware, the same issue came back... I can't authenticate; every time I receive "Invalid Credentials", and Android clients can't reach the server.

2 - So I decided to check the "Realms", and everything appeared fine, but I created a new "Realm" to check whether it works, because I saw some errors in the logs about mapping "realms". I set a "Virtual Host" and set the realm to an already existing "Portal" and "Group".

3 - After this, I could connect again to this new "Realm".

4 - So I decided to re-create all realms, but in the middle of the process I tried to connect again to the other "realms", and all of them except the new "Realm" returned this screen:

(screenshot: "Access Denied" screen)

5 - I thought this was the solution, but when I decided to keep creating new realms, for some reason I decided to delete the new one I had created, and the "Access Denied" screen went away and the old realms went back to working again.

But now I have a new bug:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-EAP-Proxy-consuming-high-CPU-after-upgrade...

earthlab
New Contributor III

Hi guys!

I found a note in the FortiOS 7.2.5 Release Notes, Known Issues section, SSL VPN.

https://docs.fortinet.com/document/fortigate/7.2.5/fortios-release-notes/236526/known-issues

Bug ID 922446. I knew this issue, but there was no information about vne when I checked the page; maybe this is updated information.

There is a workaround, but it is only for PPPoE.

I can't set the option in 'config system interface' for vne (IPoE).
Maybe we have to wait for this issue to be fixed.
