This issue is similar to Article Id:261221.
On FortiOS 7.2.4 ,SSL-vpn with vne-tunnel is worked.
But after upgrade to 7.2.5(FortiOS v7.2.5 build1517), ssl-vpn port doesn't answer to any request.
* FortiClient or Browser request was reached to FG,(the request packet caputerd on the vne.root ,But FortiGate doesn't answerd.)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi guys!
I have a good news.
This issue has been resolved in FortiOS 7.2.6.
after update to 7.2.6, my fortigate 60F's SSL-VPN function recoverd.
After downgrade to FortiOS 7.2.4, SSL-VPN is re-working.
Note: The version has security issue(CVE-2023-27997).
I Don't recommend.
Anyone else having this problem?
Do you have backup config for both 7.2.4 and 7.2.5? Then do you see any difference under "config vpn ssl settings" and "config vpn ssl web portal"?
Toshi
Hi @Toshi_Esumi
I checked both configuration, The section was same.
From 7.2.4 and 7.2.5 config.
------------------------------------------
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
set forticlient-download disable
set auto-connect enable
set keep-alive enable
set save-password enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set split-tunneling disable
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
config bookmark-group
edit "gui-bookmarks"
next
end
next
edit "web-access"
next
edit "tunnel-access"
set ipv6-tunnel-mode enable
set forticlient-download disable
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
next
end
config vpn ssl settings
set servercert "gw"
set idle-timeout 3600
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-server1 8.8.8.8
set port 10298
set source-interface "vne.root"
set source-address "japan"
set default-portal "full-access"
end
------------------------------------------
Note: I add temporary "set status disable" to "config vpn ssl settings" after I found this issue.
earthlab
So you're using geo-blocking/allowing for SSL VPN source IPs (only to japan?). Then my guess is something might not have been working properly about the goe IPs. I don't know how exactly it would work but I think it needs to ask FortiGuard.
If you can afford going back to 7.2.5 again for test purpose, you can try removing geo-IP restriction if that is the culprit.
Toshi
Thakyou for your advice.
Yes, I limitted source IPs.
And I already tried the following "NOT Limited source" config with 7.2.5 , But still not worked. So I guess its not Related GeoIP function.
-----
config vpn ssl settings
set servercert "gw"
set idle-timeout 3600
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-server1 8.8.8.8
set port 10298
set source-interface "vne.root"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"
end
-----
earthlab
Hi,
I have the same issue, I can reach all lan servers but cannot reach FG login screen, it can be done only with web mode via https.
Does anyone have a fix for it?
I had similar issue. But no solution yet
I can login(from tunnel & web) pretty well in version 7.2.3, but after upgrade to 7.2.5, SSL-VPN can't authenticate, after downgrade to 7.24, work well.
If you are investigating this issue, I've a tip for you:
I suspect something about "SSL VPN Realm check", I did some tests with Fortinet Support and identified some strange situations.
Go to:
https://[FORTIGATE_IP]/ng/vpn/ssl/realms/edit/YOUR_REALM
and check if YOUR_REALM is listed below and with the ip of listen interfaces.
Check this information before and after upgrade to 7.2.5. Try to create a new realm after upgrade too.
I gonna check this in my environment , but need a windows schedule firstly.
Hope this help you, and I came back with news later.
Hey guys!
I tried to upgrade again and this time I got to put SSL VPN to work again.
But honestly I don’t know exactly how I did this, anyway I gonna share some steps that I did.
1 - After upgrade the firmware the same issue came back...I can't authenticate, every time I receive "Invalid Credentials" and Android clients can't reach the server.
2 - So I decide check the "Realms" and everything appears well, but I created a new "Realm" to check if it works because I saw some error in logs to map "realms", I set a "Virtual Host", I set the realm to an already existing "Portal" and "Group".
3 - After this, I could connect again to this new "Realm"
4 - So I decide to re-create all realms, but in the middle of the process I tried to connect again to others "realms" and all of then expect the new "Realm" return this screen:
5 - I thought this was the solution, but when I decide to keep creating news realms, for some reason a I decide to delete the new one that I've created and the "Access Denied" screen goes over and the old realms back to work again.
But now I've a new bug :
https://community.fortinet.com/t5/FortiGate/Technical-Tip-EAP-Proxy-consuming-high-CPU-after-upgrade...
Hi guys!
I found a note in FortiOS Release Notes 7.2.5 , known section ,SSL VPN.
https://docs.fortinet.com/document/fortigate/7.2.5/fortios-release-notes/236526/known-issues
Bug ID 922446, I knew this issie, but there is no information about vne ,when I checked the page.maybe this is an update information.
There is a workaround, but it is only for PPPoE.
I can't set option in 'config system interface' for vne(IPoE).
Maybey we have to wait for fixed this issue.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1677 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.