Hi. I'm trying to fix my SSL VPN connection. It was working before. Then I was changing my config to NAT+Transparent mode. After some changes in the config, the VPN client couldn't connect and was stuck at 98%. I managed to fix this by reinstalling FortiClient. After this I could connect to the VPN but then had some issues with accessing the internal IP of the FortiGate. I tried rebooting the firewall, then rebooting my computer. It didn't help, and after this I couldn't connect via VPN at all. It was dropping at 10% with the error "Unable to establish the VPN connection. The VPN server may be unreachable". I've tried debugging the problem and found this:
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00002b07"
id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=4 func=init_ip_session_common line=4527 msg="allocate a new session-00002b08"
id=20085 trace_id=4 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Seems like something is dropping this traffic. func=fw_local_in_handler seems like a "Local In" policy. So I've tried adding this:
config firewall local-in-policy
    edit 1
        set intf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "SSLVPN"
        set schedule "always"
    next
end
But it doesn't work. Any suggestions? Like I said, it's strange that it stopped working because from my perspective nothing has changed regarding the SSLVPN config.
I am having the same problem and no luck, any ideas on this? Btw, it is still a problem on version 5.2.4.
config vpn ssl settings
(settings) # show
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "VPN_range"
set port 443
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "tunnel-access"
config authentication-rule
edit 1
set groups "Security"
set portal "full-access"
next
end
end
(settings) #
Hi,
I don't know why you are creating a local-in policy. It should be created automatically.
Check the SSLVPN settings whether you have your interface enabled under the Listen on Interface(s) setting.
After that check the Policy -> Local-In whether you can see the SSLVPN port (in my case 443) open on the selected interface - see the attached image. (I put another interface which is in UP state into the SSLVPN settings and it is visible in the local-in policy).
Also be sure that you have policy from ssl interface (default ssl.root) with a user group defined and also you have routing set to this interface.
AtiT
Hello,
May I know the firmware version running on the device?
Do you have dual WAN scenario?
Also, do check the HTTPS management access of the same WAN interface where the SSL-VPN isn't working.
id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
The above error means that there is no firewall policy to match this traffic, so it is dropped by policy 0 (implicit). You need a wan1->ssl.root authentication policy where you configure the user group.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 x.x.x.x
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "Your SSL group"
            set portal "Your configured_SSL_Portal"
        next
    end
end
thx,
yiannis
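The trace in the first post and the explanation above both hinge on the same pattern: a SYN to the SSL VPN port that reaches fw_local_in_handler and is dropped by policy 0. The following added example (not code from this thread or from Fortinet) parses diagnose debug flow output and, given the interface and port the SSL VPN is supposed to listen on, reports why each dropped trace does not match; the sample trace is constructed from the lines in the first post.

```python
import re

# Constructed sample: one trace_id from a FortiGate "diagnose debug flow" run, as quoted in the first post.
SAMPLE_TRACE = """\
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00002b07"
id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
"""

TRACE_RE = re.compile(r"trace_id=(?P<tid>\d+)")
# Packet detail line: protocol, 5-tuple and ingress interface.
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[^:\s]+):(?P<sport>\d+)->"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\) from (?P<intf>\w+)\."
)
# Any line whose msg ends in a drop verdict; func tells which stage dropped it.
DROP_RE = re.compile(r'func=(?P<func>\w+) .*msg="(?P<reason>[^"]*drop[^"]*)"')


def parse_trace(text):
    """Group lines by trace_id, keeping the packet detail and the drop verdict (if any)."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m["tid"], {"pkt": None, "drop": None})
        p = PKT_RE.search(line)
        if p:
            t["pkt"] = p.groupdict()
        d = DROP_RE.search(line)
        if d:
            t["drop"] = d.groupdict()
    return traces


def diagnose(text, listen_intf, listen_port):
    """One finding per trace dropped in fw_local_in_handler, compared with the SSL VPN listener."""
    findings = []
    for tid, t in parse_trace(text).items():
        pkt, drop = t["pkt"], t["drop"]
        if not (pkt and drop and drop["func"] == "fw_local_in_handler"):
            continue
        where = f"trace {tid}: {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} on {pkt['intf']}"
        if pkt["intf"] != listen_intf:
            findings.append(f"{where}: SYN arrived on {pkt['intf']} but SSL VPN listens on {listen_intf}")
        elif int(pkt["dport"]) != listen_port:
            findings.append(f"{where}: port {pkt['dport']} is not the SSL VPN port {listen_port}")
        else:
            findings.append(f"{where}: dropped by local-in policy 0 although interface and port match; "
                            "check the firewall policy to ssl.root and the authentication-rule source-interface")
    return findings
```

Run diagnose() with the values from config vpn ssl settings (source-interface and port); a mismatch in either is the usual reason the SYN never gets an automatic local-in policy.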
ykonstantakopoulos@crypteianetworks.com wrote: id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Thanks so much for this, just wanted to leave a note, on 5.2.5 (don't know if version specific), changing the source interface from the gui doesn't change the authentication rule, I had to edit it within the CLI.
And that is how I have it done. Still - it's not working. Stops at 10%.
I had the stopping @ 98% problem which was resolved by disabling ipv6 on my ethernet adapter on the laptop.
You can try that and looking at the error in the debug, is the listening interface the same as the one which has a wan -> sslvpn policy with the user? Looks like it just can't find that policy.
Created on 09-29-2015 12:53 PM
Let's see if this issue is the firewall or the client. Try connecting to https://108.30.199.87:10443
user: test
pass: testuser
You won't be able to access anything. The goal is to see how far along your client gets.
Let us know.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com