Configuring SSL VPN on the firewall, but after finishing I cannot connect from outside to the internal network using FortiClient VPN
Hello @HossTosson ,
If this router does not pass the public IP address directly to the FortiGate, you need to perform DNAT for the SSL VPN port on this router.
This is probably the cause of your connection problem.
Sorry, I am not that expert with firewalls. What do you mean by DNAT?
Hello @HossTosson ,
DNAT means Destination NAT, or port forwarding.
This configuration will vary depending on the brand and model of the router. If you search for the brand and model of your device together with "port forwarding" or "destination NAT", you will find configuration examples.
And will this port forwarding be done on the router or on the firewall?
Hello @HossTosson ,
This should be done on the router.
Also, you can run the sniffer on the FortiGate for the port you are using for the SSL VPN and see whether the packets are arriving on the FortiGate and which IP they are coming from:
diag sniffer packet any ' port <port number for sslvpn> ' 4 0 l
Hello,
Please collect the packet capture on the firewall using this command while testing the connection:
diagnose sniffer packet any 'host [Firewall public IP address]' 4 0 l
Check that IPv6 is disabled on the user machine under the network adapter settings.
Did you confirm firmware compatibility between the FortiGate and FortiClient? Is this connection problem only for specific user(s) and a specific operating system? Have you tried disabling the Windows firewall and other security software and testing? Try different FortiClient firmware versions. Compare the SSL VPN configuration on the FortiGate and FortiClient, and try to connect using web-mode SSL VPN to confirm whether this is a FortiClient issue or a configuration issue. If FortiClient gets stuck at 10%, this indicates a problem on the source PC and traffic is not leaving that PC. If FortiClient gets stuck at 40%, this means an authentication problem; you can try adding a local user to the SSL VPN group and testing. If FortiClient gets stuck anywhere above 80%, this could be a connectivity problem and you can run:
diagnose vpn ssl debug-filter src-addr4 x.x.x.x <- external ip address of source PC
diagnose debug application sslvpn -1
diagnose debug enable
Check the output of the above debug commands; it may help in finding the root cause.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
Hope this helps.
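An added example (my own code, not from any poster in this thread or from Fortinet) that parses the verbose-level-4 sniffer output suggested above to answer the two questions raised: do SYNs for the SSL VPN port reach the FortiGate at all, and from which source IP do they arrive. The capture text, the SSL VPN port 10443 and the WAN address 198.51.100.10 are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "diagnose sniffer packet any 'port 10443' 4 0 l" output, not a
# real capture; port 10443 and WAN address 198.51.100.10 are assumptions for this example.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[port 10443]
2024-01-15 10:22:33.100001 wan1 in 203.0.113.5.51234 -> 198.51.100.10.10443: syn 1000
2024-01-15 10:22:33.100150 wan1 out 198.51.100.10.10443 -> 203.0.113.5.51234: syn 2000 ack 1001
2024-01-15 10:22:33.120000 wan1 in 203.0.113.5.51234 -> 198.51.100.10.10443: ack 2001
2024-01-15 10:22:40.000000 wan1 in 192.168.1.77.40001 -> 198.51.100.10.10443: syn 3000
2024-01-15 10:22:41.000000 wan1 in 192.168.1.77.40001 -> 198.51.100.10.10443: syn 3000
"""
# One verbose-level-4 packet line: timestamp, interface, direction, src.port -> dst.port: flags
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def count_handshakes(capture, vpn_port):
    """Per client IP: inbound SYNs to the VPN port and SYN/ACKs the FortiGate sent back."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the interfaces=[...] / filters=[...] header lines
        flags = m["flags"].split()
        if m["dir"] == "in" and int(m["dport"]) == vpn_port and flags[:1] == ["syn"]:
            stats[m["src"]]["syn"] += 1
        elif m["dir"] == "out" and int(m["sport"]) == vpn_port and flags[:1] == ["syn"] and "ack" in flags:
            stats[m["dst"]]["synack"] += 1
    return dict(stats)


def classify(stats):
    """Map each client to (status, source_is_rfc1918).
    No entries at all: nothing reached the FortiGate, so check DNAT on the router.
    syn_unanswered: SYNs arrive but no SYN/ACK, so check the SSL VPN listener and policy.
    An RFC 1918 source means the router rewrote the client IP or the test ran from the LAN."""
    return {
        ip: ("handshake_ok" if c["synack"] else "syn_unanswered",
             any(ipaddress.ip_address(ip) in net for net in RFC1918))
        for ip, c in stats.items()
    }
```

Paste the real sniffer output in place of the sample and use your own SSL VPN port; an empty result from count_handshakes is the strongest sign that the upstream router is not forwarding the port.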
Copyright 2024 Fortinet, Inc. All Rights Reserved.