Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiNextDLP
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN with External DHCP Server - No traffic flo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN with External DHCP Server - No traffic flowing back to client
I can not get this figured out. I’ve got a FortiGate running v7.2.9 (also tried with v7.2.8) and I’m trying to configure our SSL VPN to use an external DHCP Server to assign our clients IP addresses. I followed the instructions outlined here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215...
The SSL VPN Clients are able to connect to the VPN and do successfully obtain an IP address from our DHCP server, along with the correct DNS servers, however, the clients are not able to access anything at all once connected. The clients get assigned the proper routes to get to our internal LAN and WAN (confirmed by checking print route on the clients), so no problem there. I have firewall policies in place to allow traffic from the SSL root to the LAN and WAN. Nothing is showing up in the firewall logs as being blocked and the hit count/bytes are increasing (indicating the policies are being hit). If I disable these firewall policies, then as expected, the traffic does get blocked and shows up appropriately in the logs. So these policies seem correct.
It seems as though traffic is successfully flowing from the client, but no traffic is being returned to the client through the SSL tunnel. Anything glaring jumping out at anyone that I could be missing?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiClient
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I just figured it out. To get the DHCP GIADDR option to work I had created a Loopback Address. I had previously set the Loopback Address to 172.16.X.X/255.255.255.0.
Changing the Loopback Address to 172.16.X.X/255.255.255.255 fixed everything.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @FortiNet_Newb ,
Could you please provide the output of below while sending icmp from source to destination
diag debug flow filter add <source IP> <destination IP> and
dia de flow filter proto 1
diag debug flow show function enable
diag debug console timestamp enable
diag debug flow trace start 1000
diag debug enable
After sending traffic
dia de disable
This would clarify where the issue lies. Also make sure, there is not Geo restriction on the private traffic.
Regards,
R.S
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for assisting, here is the output I'm getting.
2024-08-22 09:02:44 id=65308 trace_id=3 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=40."
2024-08-22 09:02:44 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:44 id=65308 trace_id=3 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:44 id=65308 trace_id=4 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 192.168.1.40:1->172.16.7.100:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=1, seq=40."
2024-08-22 09:02:44 id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, reply direction"
2024-08-22 09:02:44 id=65308 trace_id=4 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:49 id=65308 trace_id=5 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=41."
2024-08-22 09:02:49 id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:49 id=65308 trace_id=5 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:49 id=65308 trace_id=6 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 192.168.1.40:1->172.16.7.100:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=1, seq=41."
2024-08-22 09:02:49 id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, reply direction"
2024-08-22 09:02:49 id=65308 trace_id=6 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-08-22 09:02:54 id=65308 trace_id=7 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=1, 172.16.7.100:1->192.168.1.40:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=42."
2024-08-22 09:02:54 id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5890 msg="Find an existing session, id-000df279, original direction"
2024-08-22 09:02:54 id=65308 trace_id=7 func=ipv4_fast_cb line=53 msg="enter fast path"
Ther is no Geo restriction in place for this traffic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've tried disabling the client firewall, removed the client from all GPO's, and I still cannot get this to work. Again, the client does get assigned an IP from the DHCP server, but when configured this way the client for some reason can not access any resources behind the FortiGate and the FortiGate does not log any of the denied traffic.
If I use the typical round robin method where the FortiGate assigns the IP address from a range, everything works as it should.
I should also note that connecting via IPsec with an external DHCP server works as it should too, getting this to work via SSL is the issue. I've got to be missing something obvious, but I can not find it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I just figured it out. To get the DHCP GIADDR option to work I had created a Loopback Address. I had previously set the Loopback Address to 172.16.X.X/255.255.255.0.
Changing the Loopback Address to 172.16.X.X/255.255.255.255 fixed everything.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this work for you with FortiClients connecting for full tunnel or only for Web Portal logins? All of the instructions I see seem to indicate this is for web portals, but perhaps I'm reading it wrong.
Created on 09-30-2024 11:49 AM Edited on 09-30-2024 11:50 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not allow the use of the web portal for SSL VPN, all of my clients can only connect via FortiClient. When using FortiClient, I can confirm this works in both split-tunnel and full-tunnel SSL VPN configurations.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Publishsing multiple Web sites using FortiGate... 148 Views
- FortiOS 7.6.0 Build3401 - RadSec TLS... 392 Views
- Restrict incoming traffic to email archive... 173 Views
- Forti vm strange request 322 Views
- FortiManager, VIP, Dynamic Address 129 Views
Labels
-
FortiGate
8,294 -
FortiClient
1,676 -
5.2
801 -
FortiManager
698 -
5.4
639 -
FortiAnalyzer
529 -
FortiSwitch
449 -
FortiAP
444 -
6.0
416 -
FortiClient EMS
386 -
5.6
362 -
FortiMail
306 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
199 -
5.0
196 -
FortiWeb
194 -
FortiNAC
171 -
IPsec
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
78 -
Wireless Controller
76 -
Customer Service
75 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
55 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
47 -
vlan
46 -
ZTNA
44 -
FortiExtender
43 -
FortiDNS
42 -
FortiSandbox
41 -
Routing
37 -
DNS
37 -
BGP
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
SSO
29 -
NAT
29 -
FortiConnect
28 -
Authentication
28 -
RADIUS
26 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
22 -
Virtual IP
22 -
Web profile
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
Traffic shaping
17 -
SSL SSH inspection
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
WAN optimization
13 -
FortiSOAR
12 -
FortiCASB
12 -
SNMP
12 -
Admin
12 -
Static route
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
Automation
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1624 | |
| 1056 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.