Hi. I'm trying to fix my SSL VPN connection. It was working before. Then I was changing my config to NAT+Transparent mode. After some changes in config the VPN client couldn't connect and was stuck at 98%. I've managed to fix this by reinstalling FortiClient. After this I could connect to VPN but then had some issues with accessing the internal IP of the Fortigate. I tried rebooting the firewall, then rebooting my computer. It didn't help and also after this I couldn't connect via VPN at all. It was dropping at 10% with the error "Unable to establish the VPN connection. The VPN server may be unreachable". I've tried debugging the problem and found this:

id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00002b07"
id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=4 func=init_ip_session_common line=4527 msg="allocate a new session-00002b08"
id=20085 trace_id=4 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

Seems like something is dropping this traffic. func=fw_local_in_handler seems like a "Local In" policy. So I've tried adding this:

config firewall local-in-policy
    edit 1
        set intf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "SSLVPN"
        set schedule "always"
    next
end

But it doesn't work. Any suggestions? Like I said - it's strange that it stopped working because from my perspective nothing has changed regarding SSLVPN config.
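As an added example (not from the post and not Fortinet code), here is a small Python parser for the debug flow trace format quoted above: it groups lines by trace_id, pulls out the packet's ingress interface and destination, and records at which handler the packet was dropped. The sample lines are the ones from the post, keeping the poster's x.x.x.x / y.y.y.y placeholders; the stage name "local-in" for fw_local_in_handler is my labelling.

```python
import re
from collections import Counter

# Constructed sample: the 'diagnose debug flow' lines quoted in the post,
# with the poster's x.x.x.x / y.y.y.y placeholder addresses kept as-is.
SAMPLE_TRACE = """\
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00002b07"
id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=4 func=init_ip_session_common line=4527 msg="allocate a new session-00002b08"
id=20085 trace_id=4 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
DROP_RE = re.compile(r'policy (\d+), drop')
# fw_local_in_handler = packet addressed to the FortiGate itself (here the
# SSL VPN listener on 10443), so a forward policy would never be consulted.
STAGE = {"fw_local_in_handler": "local-in"}

def parse_flow(text):
    """One record per trace_id: packet fields plus the verdict, if any."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"trace_id": int(tid), "verdict": "no-verdict"})
        p = PKT_RE.search(msg)
        if p:
            t.update(proto=int(p.group(1)), src=p.group(2),
                     dst=p.group(3), ingress=p.group(4))
        d = DROP_RE.search(msg)
        if d:
            # policy 0 is the implicit deny: no configured policy matched
            t.update(verdict="drop", policy_id=int(d.group(1)),
                     stage=STAGE.get(func, func))
    return list(traces.values())

def summarize_drops(traces):
    """Count drops per (ingress interface, destination, stage) for triage."""
    return Counter((t["ingress"], t["dst"], t["stage"])
                   for t in traces if t["verdict"] == "drop")

for key, n in summarize_drops(parse_flow(SAMPLE_TRACE)).items():
    print(f"{n} packet(s) dropped at {key[2]} on {key[0]} -> {key[1]}")
```

Running it on a longer capture makes it obvious whether the drops are all local-in (a local-in policy or listener problem) or happen in a forwarding handler instead.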
So it seems to be a problem on the firewall side. Any other ideas?
SSLVPN isn't very hard to configure. In tunnel mode you need a few things:
1) Address entities (can be used to configure the SSL VPN targets)
2) Static route to ssl_root with a lower distance than the default route
3) Policy from wanx/portx to inside entity
4) The users defined either locally (easiest for testing) or through a remote authentication mechanism
5) SSL VPN enabled and configured
The first parts are straightforward. The final piece is the one requiring the most thought.
Go over those and let us know how much of that is working.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Copyright 2024 Fortinet, Inc. All Rights Reserved.