Hi,
I have the scenario that an SSL VPN (tunnel and web mode) is reachable at both WAN ports that are connected to the internet. Since 5.2.4 I cannot reach the portal using wan1, but at wan2. A packet sniffer shows only a SYN, but no ACK.
So, a simple https://public.wan1.ip fails, but https://public.wan2.ip works.
Is this a known issue? I plan to downgrade to 5.2.3 for testing and to reconfigure the FGT using a factory default, but not during the productive time.
FGT110C with 5.2.4
Hey,
according to Re: FortiOS v5.2.4 is out.... there are some connection issues with v5.2.4.
But just to make sure: can you ping wan1?
Maybe you will see more information in the debug flow:
diag deb ena
diag deb flow sho con ena
diag deb flow filter dport 443
diag deb flow filter daddr <ip-of-wan1>
diag deb flow trace start 10
Now try to connect again and see what happens...
Sylvia
Not much :) I have changed the port to 10443, because 443 has too much other traffic at the moment, but the result is the same. 2 tries, wan1 and wan2...
2015-07-29 12:15:35 id=20085 trace_id=95 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57781->wan1.ip.foo.bar:10443) from wan1. flag, seq 2536741931, ack 0, win 64240"
2015-07-29 12:15:35 id=20085 trace_id=95 msg="allocate a new session-0027ca31"
2015-07-29 12:15:38 id=20085 trace_id=96 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57781->wan1.ip.foo.bar:10443) from wan1. flag, seq 2536741931, ack 0, win 64240"
2015-07-29 12:15:38 id=20085 trace_id=96 msg="Find an existing session, id-0027ca31, original direction"
2015-07-29 12:15:44 id=20085 trace_id=97 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57781->wan1.ip.foo.bar:10443) from wan1. flag, seq 2536741931, ack 0, win 64240"
2015-07-29 12:15:44 id=20085 trace_id=97 msg="Find an existing session, id-0027ca31, original direction"
2015-07-29 12:16:10 id=20085 trace_id=98 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag, seq 351494270, ack 0, win 64240"
2015-07-29 12:16:10 id=20085 trace_id=98 msg="allocate a new session-0027cb8a"
2015-07-29 12:16:10 id=20085 trace_id=99 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 351494271, ack 1903287276, win 64240"
2015-07-29 12:16:10 id=20085 trace_id=99 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:10 id=20085 trace_id=100 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 351494271, ack 1903287276, win 64240"
2015-07-29 12:16:10 id=20085 trace_id=100 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:11 id=20085 trace_id=101 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 351494380, ack 1903288219, win 63297"
2015-07-29 12:16:11 id=20085 trace_id=101 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:11 id=20085 trace_id=102 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [F.], seq 351494566, ack 1903288266, win 63250"
2015-07-29 12:16:11 id=20085 trace_id=102 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:11 id=20085 trace_id=103 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:16878->wan2.ip.foo.bar:10443) from ppp1. flag, seq 2068041829, ack 0, win 64240"
2015-07-29 12:16:11 id=20085 trace_id=103 msg="allocate a new session-0027cb92"
2015-07-29 12:16:11 id=20085 trace_id=104 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:16878->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 2068041830, ack 1010721064, win 64240"
2015-07-29 12:16:11 id=20085 trace_id=104 msg="Find an existing session, id-0027cb92, original direction"
Hm, in both cases a session is established... (I think my filter wasn't the best one, so we see the incoming direction, only).
So an ACK should be sent, but you said, the client didn't receive an ACK...
Maybe a routing issue? Can you check this with the packet sniffer:
diag sniffer packet any 'port 10443' 4
Sylvia
Hmm... f... you are right.
22.497665 wan1 in ext.ip.foo.bar.65104 -> wan1.ip.foo.bar.10443: syn 582187818
22.497760 ppp1 out wan1.ip.foo.bar.10443 -> ext.ip.foo.bar.65104: syn 1750013977 ack 582187819
25.479696 wan1 in ext.ip.foo.bar.65104 -> wan1.ip.foo.bar.10443: syn 582187818
25.479733 ppp1 out wan1.ip.foo.bar.10443 -> ext.ip.foo.bar.65104: syn 1750013977 ack 582187819
Thanks, that was it. I changed the priority of one WAN port back to 1, but I have no idea why this has changed.
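The sniffer output above shows the actual fault: the SYN arrives on wan1, but the SYN-ACK is routed out via ppp1 (wan2), so the reply leaves from a different interface and the client keeps retransmitting its SYN. The following is an added example, not code from the thread or from Fortinet, that parses lines in the `diag sniffer packet any 'port 10443' 4` format and flags flows whose SYN-ACK egress interface differs from the SYN ingress interface. The sample capture is constructed with RFC 5737 documentation addresses, and the script assumes that every captured flow is inbound to a service on the firewall itself (as the thread's port filter implies), so the client is always the sender of the `in` packets.

```python
import re

# Format of one line of `diag sniffer packet any 'port 10443' 4` as quoted in the thread
# (verbose level 4 adds the interface name and the in/out direction):
#   <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags> <seq> [ack <ack>]
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.+)$"
)

# Constructed sample capture (RFC 5737 addresses): two attempts on wan1 whose SYN-ACK
# leaves via ppp1, followed by one healthy handshake that stays on ppp1.
SAMPLE = """\
22.497665 wan1 in 203.0.113.10.65104 -> 198.51.100.1.10443: syn 582187818
22.497760 ppp1 out 198.51.100.1.10443 -> 203.0.113.10.65104: syn 1750013977 ack 582187819
25.479696 wan1 in 203.0.113.10.65104 -> 198.51.100.1.10443: syn 582187818
25.479733 ppp1 out 198.51.100.1.10443 -> 203.0.113.10.65104: syn 1750013977 ack 582187819
40.100000 ppp1 in 203.0.113.10.57810 -> 192.0.2.5.10443: syn 351494270
40.100050 ppp1 out 192.0.2.5.10443 -> 203.0.113.10.57810: syn 1903287275 ack 351494271
40.130000 ppp1 in 203.0.113.10.57810 -> 192.0.2.5.10443: ack 1903287276
"""


def _endpoint(text):
    """'198.51.100.1.10443' -> ('198.51.100.1', 10443); the port is the last dotted field."""
    host, port = text.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for one sniffer packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    tokens = m["rest"].split()
    return {
        "ts": float(m["ts"]),
        "iface": m["iface"],
        "dir": m["dir"],
        "src": _endpoint(m["src"]),
        "dst": _endpoint(m["dst"]),
        "syn": tokens[0] == "syn",
        "ack": "ack" in tokens,
    }


def analyze(capture_text):
    """Group packets into (client, server) flows and compare the interface on which the
    client's SYN arrived with the interface the firewall's SYN-ACK left on.

    Assumption: all flows are inbound to the firewall's own service, so for 'in'
    packets the client is the source and for 'out' packets the client is the destination.
    """
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dir"] == "in":
            client, server = pkt["src"], pkt["dst"]
        else:
            client, server = pkt["dst"], pkt["src"]
        flow = flows.setdefault((client, server), {
            "client": client, "server": server,
            "in_iface": None, "out_iface": None, "syn_count": 0,
        })
        if pkt["dir"] == "in" and pkt["syn"] and not pkt["ack"]:
            flow["in_iface"] = pkt["iface"]
            flow["syn_count"] += 1      # >1 means the client retransmitted its SYN
        elif pkt["dir"] == "out" and pkt["syn"] and pkt["ack"]:
            flow["out_iface"] = pkt["iface"]

    for flow in flows.values():
        flow["asymmetric"] = (flow["in_iface"] is not None
                              and flow["out_iface"] is not None
                              and flow["in_iface"] != flow["out_iface"])
    return list(flows.values())


if __name__ == "__main__":
    for flow in analyze(SAMPLE):
        c, s = flow["client"], flow["server"]
        verdict = "ASYMMETRIC" if flow["asymmetric"] else "ok"
        print(f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}  syn in {flow['in_iface']}, "
              f"syn-ack out {flow['out_iface']}, syn_count={flow['syn_count']}  {verdict}")
```

A flow reported as asymmetric with a `syn_count` above 1 is exactly the symptom in the thread: the firewall does answer, but the reply follows the default route out the other WAN link, and the client never sees it. On a FortiGate the fix is on the routing side (the per-interface route priority the original poster restored), not on the SSL VPN settings.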