Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: SSL VPN with External DHCP Server - No traffic...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN with External DHCP Server - No traffic flowing back to client
I can not get this figured out. I’ve got a FortiGate running v7.2.9 (also tried with v7.2.8) and I’m trying to configure our SSL VPN to use an external DHCP Server to assign our clients IP addresses. I followed the instructions outlined here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215...
The SSL VPN Clients are able to connect to the VPN and do successfully obtain an IP address from our DHCP server, along with the correct DNS servers, however, the clients are not able to access anything at all once connected. The clients get assigned the proper routes to get to our internal LAN and WAN (confirmed by checking print route on the clients), so no problem there. I have firewall policies in place to allow traffic from the SSL root to the LAN and WAN. Nothing is showing up in the firewall logs as being blocked and the hit count/bytes are increasing (indicating the policies are being hit). If I disable these firewall policies, then as expected, the traffic does get blocked and shows up appropriately in the logs. So these policies seem correct.
It seems as though traffic is successfully flowing from the client, but no traffic is being returned to the client through the SSL tunnel. Anything glaring jumping out at anyone that I could be missing?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiClient
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I just figured it out. To get the DHCP GIADDR option to work I had created a Loopback Address. I had previously set the Loopback Address to 172.16.X.X/255.255.255.0.
Changing the Loopback Address to 172.16.X.X/255.255.255.255 fixed everything.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @FortiNet_Newb ,
Could you please provide the output of below while sending icmp from source to destination
diag debug flow filter add <source IP> <destination IP> and
dia de flow filter proto 1
diag debug flow show function enable
diag debug console timestamp enable
diag debug flow trace start 1000
diag debug enable
After sending traffic
dia de disable
This would clarify where the issue lies. Also make sure, there is not Geo restriction on the private traffic.
Regards,
R.S
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for assisting, here is the output I'm getting.
2024-08-22 09:02:44 id=65308 trace_id=3 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=40."
2024-08-22 09:02:44 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:44 id=65308 trace_id=3 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:44 id=65308 trace_id=4 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 192.168.1.40:1->172.16.7.100:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=1, seq=40."
2024-08-22 09:02:44 id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, reply direction"
2024-08-22 09:02:44 id=65308 trace_id=4 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:49 id=65308 trace_id=5 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=41."
2024-08-22 09:02:49 id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:49 id=65308 trace_id=5 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:49 id=65308 trace_id=6 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 192.168.1.40:1->172.16.7.100:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=1, seq=41."
2024-08-22 09:02:49 id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, reply direction"
2024-08-22 09:02:49 id=65308 trace_id=6 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:54 id=65308 trace_id=7 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=42."
2024-08-22 09:02:54 id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:54 id=65308 trace_id=7 func=ipv4_fast_cb line=53 msg="enter fast path"
Ther is no Geo restriction in place for this traffic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've tried disabling the client firewall, removed the client from all GPO's, and I still cannot get this to work. Again, the client does get assigned an IP from the DHCP server, but when configured this way the client for some reason can not access any resources behind the FortiGate and the FortiGate does not log any of the denied traffic.
If I use the typical round robin method where the FortiGate assigns the IP address from a range, everything works as it should.
I should also note that connecting via IPsec with an external DHCP server works as it should too, getting this to work via SSL is the issue. I've got to be missing something obvious, but I can not find it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I just figured it out. To get the DHCP GIADDR option to work I had created a Loopback Address. I had previously set the Loopback Address to 172.16.X.X/255.255.255.0.
Changing the Loopback Address to 172.16.X.X/255.255.255.255 fixed everything.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this work for you with FortiClients connecting for full tunnel or only for Web Portal logins? All of the instructions I see seem to indicate this is for web portals, but perhaps I'm reading it wrong.
Created on 09-30-2024 11:49 AM Edited on 09-30-2024 11:50 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not allow the use of the web portal for SSL VPN, all of my clients can only connect via FortiClient. When using FortiClient, I can confirm this works in both split-tunnel and full-tunnel SSL VPN configurations.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,720 -
FortiClient
1,768 -
5.2
801 -
FortiManager
732 -
5.4
639 -
FortiAnalyzer
560 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
319 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1717 | |
| 1093 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.