I can not get this figured out. I’ve got a FortiGate running v7.2.9 (also tried with v7.2.8) and I’m trying to configure our SSL VPN to use an external DHCP Server to assign our clients IP addresses. I followed the instructions outlined here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215...
The SSL VPN Clients are able to connect to the VPN and do successfully obtain an IP address from our DHCP server, along with the correct DNS servers, however, the clients are not able to access anything at all once connected. The clients get assigned the proper routes to get to our internal LAN and WAN (confirmed by checking print route on the clients), so no problem there. I have firewall policies in place to allow traffic from the SSL root to the LAN and WAN. Nothing is showing up in the firewall logs as being blocked and the hit count/bytes are increasing (indicating the policies are being hit). If I disable these firewall policies, then as expected, the traffic does get blocked and shows up appropriately in the logs. So these policies seem correct.
It seems as though traffic is successfully flowing from the client, but no traffic is being returned to the client through the SSL tunnel. Anything glaring jumping out at anyone that I could be missing?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
OK, I just figured it out. To get the DHCP GIADDR option to work I had created a Loopback Address. I had previously set the Loopback Address to 172.16.X.X/255.255.255.0.
Changing the Loopback Address to 172.16.X.X/255.255.255.255 fixed everything.
Hello @FortiNet_Newb ,
Could you please provide the output of below while sending icmp from source to destination
diag debug flow filter add <source IP> <destination IP> and
dia de flow filter proto 1
diag debug flow show function enable
diag debug console timestamp enable
diag debug flow trace start 1000
diag debug enable
After sending traffic
dia de disable
This would clarify where the issue lies. Also make sure, there is not Geo restriction on the private traffic.
Regards,
R.S
Thanks for assisting, here is the output I'm getting.
2024-08-22 09:02:44 id=65308 trace_id=3 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=40."
2024-08-22 09:02:44 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:44 id=65308 trace_id=3 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:44 id=65308 trace_id=4 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 192.168.1.40:1->172.16.7.100:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=1, seq=40."
2024-08-22 09:02:44 id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, reply direction"
2024-08-22 09:02:44 id=65308 trace_id=4 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:49 id=65308 trace_id=5 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=41."
2024-08-22 09:02:49 id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:49 id=65308 trace_id=5 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:49 id=65308 trace_id=6 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 192.168.1.40:1->172.16.7.100:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=1, seq=41."
2024-08-22 09:02:49 id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, reply direction"
2024-08-22 09:02:49 id=65308 trace_id=6 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:54 id=65308 trace_id=7 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=42."
2024-08-22 09:02:54 id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:54 id=65308 trace_id=7 func=ipv4_fast_cb line=53 msg="enter fast path"
Ther is no Geo restriction in place for this traffic.
I've tried disabling the client firewall, removed the client from all GPO's, and I still cannot get this to work. Again, the client does get assigned an IP from the DHCP server, but when configured this way the client for some reason can not access any resources behind the FortiGate and the FortiGate does not log any of the denied traffic.
If I use the typical round robin method where the FortiGate assigns the IP address from a range, everything works as it should.
I should also note that connecting via IPsec with an external DHCP server works as it should too, getting this to work via SSL is the issue. I've got to be missing something obvious, but I can not find it.
OK, I just figured it out. To get the DHCP GIADDR option to work I had created a Loopback Address. I had previously set the Loopback Address to 172.16.X.X/255.255.255.0.
Changing the Loopback Address to 172.16.X.X/255.255.255.255 fixed everything.
Does this work for you with FortiClients connecting for full tunnel or only for Web Portal logins? All of the instructions I see seem to indicate this is for web portals, but perhaps I'm reading it wrong.
Created on 09-30-2024 11:49 AM Edited on 09-30-2024 11:50 AM
I do not allow the use of the web portal for SSL VPN, all of my clients can only connect via FortiClient. When using FortiClient, I can confirm this works in both split-tunnel and full-tunnel SSL VPN configurations.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.