New Contributor

SSL traffic doesn't go through into IPsec tunnel with SSL subnet

Hi Guys, 


I have seen so many threads on this topic and I followed each and every one, but no success so far. I would like to explain my situation. I have made a tunnel (route-based) between FGT and Cisco ASA and that is working fine with no issue. I have included all my networks (local, SSL and remote) in the IPsec phase 2 selectors and implemented the policies as required. My SSL user can connect to the FGT successfully and can reach my local network, but can't get through into the IPsec tunnel.


After a few attempts, I used a trick and changed my SSL subnet to be the same as my local subnet, and I got through into the tunnel: the SSL user can use resources on both the local and remote network. BUT obviously this is not a solution which I want to see. I want to understand what is missing in my configuration. I would really appreciate any advice.


Local Subnet -

Remote Subnet -

SSL Subnet -





SSL VPN comes from ssl.root (if not a VDOM environment), just like IPsec comes from its own interface. So you have to have a route for the subnet to ssl.root and a policy from (and to, if the local side or the other end of the IPsec needs to reach them) the SSL VPN clients. Probably you know this part well.

Then the IPsec needs to carry the traffic from/to 10.10.0/24, so the ASA needs to have a proper route and policy (I'm not an ASA expert) for the same subnet. My guess is on the ASA side.
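The route-based setup this reply describes, written out as FortiOS CLI. This is an added example, not configuration from the thread. It assumes FortiOS 6.x syntax, a tunnel interface named "to-ASA" on wan1, a LAN interface "internal", the SSL VPN pool 10.10.0.0/24 mentioned in the reply, an assumed local LAN 192.168.1.0/24, an assumed remote LAN 192.168.2.0/24, and an SSL VPN user group "SSLVPN_GROUP". The ASA is a policy-based peer, so the FortiGate needs one phase 2 selector per source/destination pair; the example gives the SSL pool its own selector instead of relying on the LAN one.

```fortios
# Added example (not the poster's configuration). Assumed names: tunnel
# interface "to-ASA" on wan1, LAN interface "internal", SSL pool
# 10.10.0.0/24, local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24,
# SSL VPN user group "SSLVPN_GROUP". FortiOS 6.x CLI syntax.

config firewall address
    edit "SSLVPN_POOL"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "LOCAL_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "ASA_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# One phase 2 selector per src/dst pair: the ASA matches proxy-IDs
# against its crypto ACL, so the SSL pool needs its own entry.
config vpn ipsec phase2-interface
    edit "to-ASA-lan"
        set phase1name "to-ASA"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    edit "to-ASA-sslvpn"
        set phase1name "to-ASA"
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Remote LAN via the tunnel interface, SSL pool via ssl.root.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-ASA"
    next
    edit 0
        set dst 10.10.0.0 255.255.255.0
        set device "ssl.root"
    next
end

# Policies in both directions between SSL VPN clients and the tunnel.
# A policy with srcintf ssl.root must carry the user group.
config firewall policy
    edit 0
        set name "SSLVPN-to-ASA"
        set srcintf "ssl.root"
        set dstintf "to-ASA"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "ASA_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN_GROUP"
    next
    edit 0
        set name "ASA-to-SSLVPN"
        set srcintf "to-ASA"
        set dstintf "ssl.root"
        set srcaddr "ASA_LAN"
        set dstaddr "SSLVPN_POOL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# With split tunnelling on, the client only sends traffic into the SSL
# tunnel for the routing addresses listed here; the remote LAN must be
# included or packets never reach the FortiGate at all.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "LOCAL_LAN" "ASA_LAN"
    next
end
```

The last stanza is the check worth doing first when SSL clients reach the LAN but not the far side of an IPsec tunnel: if the remote subnet is missing from the portal's split-tunnel routing addresses, the client's own routing table sends that traffic to its local gateway, and no FortiGate policy or route will ever see it.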




Thanks for the reply,


I have already configured routing on FGT: one static route to IPsec pointing to the remote network, one static route to ssl.root pointing to . Policies are set from IPsec to ssl.root and from ssl.root to IPsec.


The IPsec tunnel is up and running. I have configured a default route on the ASA pointing to the internet and set up a policy to allow the FGT local and SSL subnets. Still can't access the IPsec tunnel via the SSL client.


The only way things work is to change my SSL subnet to be the same as the local subnet; then I can connect to the tunnel via SSL.


I would appreciate any advice.




Valued Contributor III

Make sure the static routes to both tunnels have a lower distance than the default gateway.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:


I still think the ASA doesn't route into the tunnel, while packets toward are reaching the ASA over the tunnel. To verify, you need to sniff packets between these subnets at the FG by disabling auto-asic-offload on the IPsec policies. Your situation is nothing different from having another router behind the FG and the router serving a separate subnet, say . The router needs to know where to route to get back to .

Esteemed Contributor III

The CLI command diag debug flow is your friend.







PCNSE NSE StrongSwan
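The two checks suggested in the replies above (sniff with ASIC offload off, and diag debug flow), as an added example that is not part of the original thread. It assumes FortiOS 6.x CLI, an SSL VPN client at 10.10.0.5 (assumed), a host behind the ASA at 192.168.2.10 (assumed), a tunnel interface named "to-ASA", and that the ssl.root-to-tunnel policy has ID 5 (placeholder). The debug flow messages quoted in the comments are the typical FortiOS ones; exact wording varies slightly between releases.

```fortios
# Added example (not from the thread). Assumed: client 10.10.0.5, remote
# host 192.168.2.10, tunnel interface "to-ASA", policy ID 5 = placeholder
# for the ssl.root -> to-ASA policy. FortiOS 6.x CLI.

# 1. Take the SSL-to-IPsec policy off the NPU. Offloaded sessions only
#    show their first packet to the kernel, so the sniffer and debug flow
#    would otherwise go quiet after the initial packet.
config firewall policy
    edit 5
        set auto-asic-offload disable
    next
end

# 2. Trace the forwarding decision for the client's traffic.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.10.0.5
diagnose debug flow filter daddr 192.168.2.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# Now ping 192.168.2.10 from the SSL client. What to look for:
#   "find a route: ... via to-ASA"      routing towards the ASA is right
#   "Allowed by Policy-5"               the ssl.root -> to-ASA policy hit
#   "Denied by forward policy check"    no matching policy for this pair
#   "reverse path check fail, drop"     no route for the SSL pool via
#                                       ssl.root (packet has a source the
#                                       FortiGate cannot route back to)
diagnose debug disable
diagnose debug flow trace stop

# 3. Confirm on the wire. Verbosity 4 prints the interface name, so an
#    echo request on "to-ASA out" with no reply on "to-ASA in" means the
#    FortiGate side is fine and the ASA is not routing back to the pool.
diagnose sniffer packet any 'host 10.10.0.5 and host 192.168.2.10' 4 0 l

# 4. Is there an SA for the SSL pool selector at all? If only the LAN
#    proxy-ID appears, phase 2 for 10.10.0.0/24 never negotiated with
#    the ASA, which is a crypto-ACL mismatch rather than a routing issue.
diagnose vpn tunnel list name to-ASA
```

Re-enable offload on the policy once done; leaving auto-asic-offload disabled on a production IPsec policy costs throughput. The sniffer filter is plain tcpdump syntax, so narrowing it to `icmp` or a port keeps the output readable on a busy box.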
New Contributor

Thanks guys for your comments !


I have fixed this issue. I have done the following steps:


FGT End:

- Created IPsec tunnel (Policy Based)

- Allowed policy LAN to WAN with IPsec action for site-to-site tunnel

- using one default route ---> WAN

- Allowed policy for ssl.root to IPsec with action IPsec, including local and remote protected traffic


ASA End:

- Created object groups for local, remote and SSL

- Created access-list and allowed protected traffic

- Disabled NAT

- Created default route outside ---> next hop


Enjoy ! :)
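The FortiGate side of the fix described above, reconstructed as FortiOS CLI. This is an added example, not the poster's actual configuration. It assumes FortiOS 6.x policy-based IPsec syntax, wan1 as the outside interface, "internal" as the LAN interface, an assumed ASA public address 203.0.113.1, a placeholder pre-shared key, address objects LOCAL_LAN (192.168.1.0/24, assumed), ASA_LAN (192.168.2.0/24, assumed) and SSLVPN_POOL (10.10.0.0/24) already defined, and an SSL VPN user group "SSLVPN_GROUP".

```fortios
# Added example (not the poster's config). Assumed: wan1 outside,
# "internal" LAN, ASA at 203.0.113.1, placeholder PSK, address objects
# LOCAL_LAN / ASA_LAN / SSLVPN_POOL already exist, group SSLVPN_GROUP.
# FortiOS 6.x policy-based IPsec (config vpn ipsec phase1, no -interface).

config vpn ipsec phase1
    edit "to-ASA"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-SHARED-KEY"
    next
end

# Two phase 2 entries so the proxy-IDs mirror the ASA crypto ACL lines:
# LAN -> remote and SSL pool -> remote. Proposals must match the ASA's
# transform set.
config vpn ipsec phase2
    edit "to-ASA-lan"
        set phase1name "to-ASA"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    edit "to-ASA-sslvpn"
        set phase1name "to-ASA"
        set proposal aes256-sha256
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# One default route out of wan1, as in the poster's fix; the IPsec
# policies below decide what gets encrypted, not the routing table.
config router static
    edit 0
        set gateway 203.0.113.254
        set device "wan1"
    next
end

# Policy-based IPsec: action ipsec + vpntunnel on the LAN -> WAN and
# ssl.root -> WAN policies. inbound/outbound enable covers both
# directions in one policy, so no separate return policy is needed.
config firewall policy
    edit 0
        set name "LAN-to-ASA"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LOCAL_LAN"
        set dstaddr "ASA_LAN"
        set action ipsec
        set vpntunnel "to-ASA"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "SSLVPN-to-ASA"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "ASA_LAN"
        set action ipsec
        set vpntunnel "to-ASA"
        set inbound enable
        set outbound enable
        set groups "SSLVPN_GROUP"
        set schedule "always"
        set service "ALL"
    next
end
```

On the ASA side the crypto ACL, the object-group and the NAT exemption all have to list the 10.10.0.0/24 pool as a separate remote network: if the pool is absent from the crypto ACL the ASA rejects the second proxy-ID and the SSL clients' phase 2 never comes up, and if it is absent from the NAT exemption the return traffic is translated and never re-enters the tunnel. Both failures look identical from the client (no replies), which is why the sniffer on the FortiGate tunnel interface is the quickest way to tell which side is dropping the packets.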

