Support Forum
H3nrikP
New Contributor

SSLVPN not working

Hi all

I have a strange problem with SSL VPN not answering. I have set it up multiple times on other systems, but only with one WAN IP. The problem here, I think, is that it listens on all WAN IPs (11 WAN IPs). Everything is standard other than the port (444), but the service doesn't answer. It's a FG81 running 7.2.5.

Best regards

Henrik

1 Solution
hbac

14 REPLIES
hbac

Example output: 
Smough-kvm76 # show full vpn ssl setting | grep source
set source-interface "port1"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set auth-session-check-source-ip enable

H3nrikP
New Contributor

Hi hbac

 

I tried different ports as well, but still the same. 

 

Source address negate is disabled as you can see.

I am wondering about VIPs. Some of them are configured with WAN as the interface and some with 'any' (both work), but all have specific ports mapped and, as I said, they work fine. Can this have an influence? Also, do I need to have the IP addresses present on the WAN interface to get a VIP working? Maybe it's just confused because there are so many of them :)

 

Best regards

 

Henrik

 

[attached screenshot: Capture.JPG]

 

hbac

Hi @H3nrikP

 

- Please run the following debug flows and try again. 
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter port 444
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

- Run 'di deb dis' to disable the debug. 

- Please also make sure you have a firewall policy configured for ssl.root to your internal network. 

 

Regards,

H3nrikP
New Contributor

Hi hbac.

I checked the firewall rules first and discovered I had made an error, pointing to the wrong interface as the source.

Everything works now :)  Kudos for your big help :)

 

Regards

 

Henrik

ekrishnan
Staff

Hi,

 

A debug flow filter can also indicate if there is a VIP configured to use this port; most probably we will see an iprope check failure in the output.

 

#diag de flow filter addr x.x.x.x -->public ip

#diag de flow filter port 444

#diag de flow show iprope enable

#diag de flow show function-name enable

#diag de flow trace start 100

EK
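The two replies above (hbac's debug flow procedure and ekrishnan's note about spotting a VIP or iprope check failure in the output) both come down to reading the trace lines for a few tell-tale messages. The script below is an added example, not part of this thread or of any Fortinet tool: it groups debug flow lines by trace_id and reports, per traced packet on port 444, whether a VIP claimed the flow (DNAT result `ret-matched`), whether the local-in policy check dropped it (`iprope_in_check() check failed`), or whether neither verdict appeared. The sample lines are constructed in the shape of FortiGate debug flow output, not a real capture, and the exact function names and message strings are assumptions to check against your own firmware.

```python
"""Triage FortiGate 'diagnose debug flow' output for an SSL VPN listener.

Added example, not from the thread. SAMPLE_DEBUG_FLOW is constructed to look
like debug flow output; the function names and message substrings matched
below (print_pkt_detail, iprope_dnat_check, fw_local_in_handler,
"iprope_in_check() check failed") are assumptions to verify on your firmware.
"""
import re
from collections import defaultdict

SSLVPN_PORT = 444  # the non-default SSL VPN port used in the thread

# Constructed sample: trace 1 is consumed by a VIP (DNAT matched), trace 2 is
# dropped by the local-in policy check, trace 3 shows neither verdict.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:51234->198.51.100.5:444) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=iprope_dnat_check line=5288 msg="in-[port1], out-[]"
id=20085 trace_id=1 func=iprope_dnat_check line=5300 msg="result: skb_flags-02000000, vid-7, ret-matched, act-accept, flag-00000000"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:51235->198.51.100.6:444) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=6073 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=iprope_dnat_check line=5300 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=2 func=fw_local_in_handler line=518 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:51236->198.51.100.7:444) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=3 func=iprope_dnat_check line=5300 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
"""

# One debug flow line: trace id, kernel function that logged it, and its message.
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"')
# The 5-tuple inside a print_pkt_detail message.
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)')


def parse_traces(text):
    """Group debug flow lines by trace_id -> list of (func, msg), in order."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[int(m.group('trace'))].append((m.group('func'), m.group('msg')))
    return traces


def classify_trace(events, sslvpn_port=SSLVPN_PORT):
    """Describe what happened to one traced packet."""
    result = {'dst': None, 'dport': None, 'on_sslvpn_port': False,
              'vid': None, 'verdict': 'no-verdict-seen'}
    for func, msg in events:
        if func == 'print_pkt_detail':
            p = PKT_RE.search(msg)
            if p:
                result['dst'] = p.group('dst')
                result['dport'] = int(p.group('dport'))
                result['on_sslvpn_port'] = result['dport'] == sslvpn_port
        elif func == 'iprope_dnat_check' and 'ret-matched' in msg:
            # A VIP claimed this flow before the SSL VPN daemon could see it.
            vid = re.search(r'vid-(\d+)', msg)
            result['vid'] = int(vid.group(1)) if vid else None
            result['verdict'] = 'consumed-by-vip'
        elif func == 'fw_local_in_handler' and 'check failed' in msg:
            # Local-in policy rejected traffic addressed to the unit itself.
            result['verdict'] = 'dropped-by-local-in'
    return result


def triage(text, sslvpn_port=SSLVPN_PORT):
    """Classify every trace in a debug flow dump: {trace_id: result}."""
    return {tid: classify_trace(ev, sslvpn_port)
            for tid, ev in sorted(parse_traces(text).items())}


def summarize(results):
    """Count verdicts across all traces."""
    counts = defaultdict(int)
    for r in results.values():
        counts[r['verdict']] += 1
    return dict(counts)


if __name__ == '__main__':
    res = triage(SAMPLE_DEBUG_FLOW)
    for tid, r in res.items():
        extra = f" (vip id {r['vid']})" if r['vid'] else ''
        print(f"trace {tid}: {r['dst']}:{r['dport']} -> {r['verdict']}{extra}")
    print(summarize(res))
```

Run it against a real dump by replacing SAMPLE_DEBUG_FLOW with the console output captured after `diagnose debug flow trace start`: traces marked `consumed-by-vip` point at the VIP id to inspect, `dropped-by-local-in` traces mean the unit itself refused the connection, and a trace with no verdict on the SSL VPN port is where to look next (the firewall policy from ssl.root, as hbac suggested).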