Hi all
Have a strange problem with SSL VPN not answering. I have set it up multiple times on other systems, but only with one WAN IP. The problem here, I think, is that it listens on all WAN IPs (11 WAN IPs). Everything is standard other than the port (444), but the service doesn't answer. It's a FG81 running 7.2.5.
Best regards
Henrik
Hi @H3nrikP,
- Please run the following debug flows and try again.
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter port 444
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
- Run 'di deb dis' to disable the debug.
- Please also make sure you have a firewall policy configured for ssl.root to your internal network.
Regards,
Example output:
Smough-kvm76 # show full vpn ssl setting | grep source
set source-interface "port1"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set auth-session-check-source-ip enable
Hi hbac
I tried different ports as well, but still the same.
Source address negate is disabled as you can see.
I am wondering about VIPs. Some of them are configured with WAN as the interface and some with 'any' (both work), but all have specific ports mapped and, as I said, they work fine. Can this influence it? Also, do I need to have the IP addresses present on the WAN interface to get VIPs working? Maybe it's just confused because there are so many of them :)
Best regards
Henrik
Hi hbac.
I checked the firewall rules first thing and discovered I had made an error, pointing to the wrong interface as source.
Everything works now :) Kudos for your big help :)
Regards
Henrik
Hi,
A debug flow filter can also indicate whether there is a VIP configured to use this port; most probably we will see an iprope check failure in the output.
#diag de flow filter addr x.x.x.x -->public ip
#diag de flow filter port 444
#diag de flow show iprope enable
#diag de flow show function-name enable
#diag de flow trace start 100
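Added example (not from the thread or from Fortinet): the two things the replies above tell you to check, a VIP that may claim the SSL VPN port on the listening interface and the presence of an accept policy with ssl.root as source interface, can be linted straight from a `show` dump before reaching for the debug flow. The FortiOS configuration below is constructed for this example (interface names, addresses and VIP names are made up), and the parser covers only the subset of FortiOS syntax the checks need (top-level `config ... end` blocks with `edit/next` entries; nested sub-tables are skipped).

```python
"""Lint a FortiOS config excerpt for the two SSL VPN pitfalls discussed in the thread."""
import shlex

# Constructed sample config for this example; not a real device dump.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set port 444
    set source-interface "port1"
end
config firewall vip
    edit "web-https"
        set extip 203.0.113.10
        set extintf "port1"
        set portforward enable
        set mappedip "10.0.0.10"
        set extport 443
        set mappedport 443
    next
    edit "rdp-nonstandard"
        set extip 203.0.113.11
        set extintf "any"
        set portforward enable
        set mappedip "10.0.0.11"
        set extport 444
        set mappedport 3389
    next
end
config firewall policy
    edit 1
        set name "wrong-source-intf"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Parse top-level 'config ... end' blocks into {block: {entry: {key: [values]}}}.
    Blocks without 'edit' (e.g. 'vpn ssl settings') are stored under entry None."""
    result, block, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            depth += 1
            if depth == 1:
                block, entry = " ".join(args), None
                result[block] = {}
        elif cmd == "end":
            depth -= 1
        elif depth != 1:
            continue  # nested sub-table: not modelled here
        elif cmd == "edit":
            entry = args[0]
            result[block][entry] = {}
        elif cmd == "next":
            entry = None
        elif cmd == "set":
            result[block].setdefault(entry, {})[args[0]] = args[1:]
    return result


def sslvpn_listener(cfg):
    """Return (port, [source interfaces]) of the SSL VPN listener; FortiOS default port is 443."""
    s = cfg.get("vpn ssl settings", {}).get(None, {})
    return int(s.get("port", ["443"])[0]), s.get("source-interface", [])


def _port_in_range(port, spec):
    lo, _, hi = spec.partition("-")  # extport may be a single port or "lo-hi"
    return int(lo) <= port <= int(hi or lo)


def conflicting_vips(cfg):
    """VIPs on the listener's interface (or 'any') that cover the SSL VPN port.
    VIP/DNAT matching happens before the unit's own listeners, so such a VIP
    would swallow the SSL VPN traffic (the iprope failure the reply mentions)."""
    port, intfs = sslvpn_listener(cfg)
    hits = []
    for name, vip in cfg.get("firewall vip", {}).items():
        extintf = vip.get("extintf", ["any"])[0]
        if extintf != "any" and extintf not in intfs:
            continue
        # portforward disabled means the VIP maps every port of extip
        if vip.get("portforward", ["disable"])[0] == "enable" \
                and not _port_in_range(port, vip.get("extport", ["0"])[0]):
            continue
        hits.append(name)
    return hits


def policies_from_sslvpn(cfg, vpn_intf="ssl.root"):
    """Accept policies whose srcintf includes the SSL VPN tunnel interface."""
    return [name for name, pol in cfg.get("firewall policy", {}).items()
            if vpn_intf in pol.get("srcintf", []) and pol.get("action", ["deny"])[0] == "accept"]


def lint(text):
    cfg = parse_fortios(text)
    port, intfs = sslvpn_listener(cfg)
    findings = [f"VIP '{v}' may capture TCP/{port} on {intfs} before the SSL VPN listener"
                for v in conflicting_vips(cfg)]
    if not policies_from_sslvpn(cfg):
        findings.append("no accept policy with srcintf ssl.root: VPN users cannot reach anything")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG):
        print(line)
```

Run against a real `show full-configuration` dump, the script reports both of the problems that came up in this thread: the VIP on 'any' that overlaps port 444, and a policy whose source interface is a physical port instead of ssl.root. A clean report does not prove the listener answers (certificate, local-in policy and routing are not checked), but it removes the two most common causes before you start the debug flow.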
Copyright 2024 Fortinet, Inc. All Rights Reserved.