Support Forum
LK_KT
New Contributor

SSLVPN stops at 10%

Hi. I'm trying to fix my SSL VPN connection. It was working before. Then I was changing my config to NAT+Transparent mode. After some changes in config the VPN client couldn't connect and was stuck at 98%. I've managed to fix this by reinstalling FortiClient. After this I could connect to VPN but then had some issues with accessing the internal IP of the Fortigate. I tried rebooting the firewall, then rebooting my computer. It didn't help, and also after this I couldn't connect via VPN at all. It was dropping at 10% with the error "Unable to establish the VPN connection. The VPN server may be unreachable". I've tried debugging the problem and found this:

id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00002b07"
id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, x.x.x.x:7058->y.y.y.y:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=4 func=init_ip_session_common line=4527 msg="allocate a new session-00002b08"
id=20085 trace_id=4 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

Seems like something is dropping this traffic. func=fw_local_in_handler seems like a "Local In" policy. So I've tried adding this:

config firewall local-in-policy
    edit 1
        set intf "port16"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "SSLVPN"
        set schedule "always"
    next
end

But it doesn't work. Any suggestions? Like I said, it's strange that it stopped working because from my perspective nothing has changed regarding the SSLVPN config.

kenneth_Compres
New Contributor

I am having the same problem and no luck. Any ideas on this? BTW, it's still a problem on version 5.2.4.

 

 config vpn ssl settings 
 
 (settings) # show
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "VPN_range"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set groups "Security"
                set portal "full-access"
            next
        end
end
 
 (settings) #  
AtiT
Valued Contributor

Hi,

I don't know why you are creating a local-in policy. It should be created automatically.

Check the SSLVPN settings whether you have your interface enabled under the Listen on Interface(s) setting.

After that check the Policy -> Local-In whether you can see the SSLVPN port (in my case 443) open on the selected interface - see the attached image. (I put another interface which is in UP state into the SSLVPN settings and it is visible in the local-in policy).

 

Also be sure that you have policy from ssl interface (default ssl.root) with a user group defined and also you have routing set to this interface.

 

 

AtiT

vjoshi_FTNT
Staff

Hello,

 

May I know the firmware version running on the device?

Do you have dual WAN scenario?

Also, do check the HTTPS management access of the same WAN interface where the SSL-VPN isn't working.

ykonstantakopoulos
New Contributor III

id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 

The above error means that there is no firewall policy to match this traffic, so it is dropped by policy 0 (the implicit deny). You need a wan1->ssl.root authentication policy where you configure the user group.

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 x.x.x.x
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "all"
                set groups "Your SSL group"
                set portal "Your configured_SSL_Portal"
            next
        end
end

 

thx,

 

yiannis
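A way to pull exactly these drops out of a longer `diagnose debug flow` capture, as an added example that is not from this thread: it groups lines by trace_id, pairs each packet detail with a local-in drop message, and reports the interface and port involved so you can see which listening interface is missing its rule. The sample trace is constructed after the lines quoted above, using documentation addresses; the port list and the field layout are assumptions based on those lines.

```python
import re
from collections import defaultdict

# Constructed sample of FortiOS "diagnose debug flow" output, modelled on the
# lines quoted in this thread (RFC 5737 documentation addresses, not real
# hosts). trace_id 5 is a constructed connection that is not dropped.
SAMPLE_TRACE = """
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.5:7058->198.51.100.1:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00002b07"
id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.5:7058->198.51.100.1:10443) from port16. flag (S), seq 4236534017, ack 0, win 8192"
id=20085 trace_id=4 func=init_ip_session_common line=4527 msg="allocate a new session-00002b08"
id=20085 trace_id=4 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=5 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.9:51000->198.51.100.1:10443) from wan1. flag (S), seq 1, ack 0, win 8192"
id=20085 trace_id=5 func=init_ip_session_common line=4527 msg="allocate a new session-00002b09"
"""

# Each line is key=value pairs; msg is last and double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
                    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+)\.')
DROP_RE = re.compile(r'iprope_in_check\(\) check failed on policy (?P<policy>\d+), drop')


def parse_trace(text):
    """Group debug-flow lines by trace_id; each line becomes a dict of its fields."""
    traces = defaultdict(list)
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "trace_id" in fields:
            traces[fields["trace_id"]].append(fields)
    return traces


def find_local_in_drops(text, dports=(443, 10443)):
    """One record per trace whose packet to an SSL VPN port was dropped by the
    local-in check; policy 0 is the implicit deny, i.e. no rule matched."""
    drops = []
    for trace_id, lines in parse_trace(text).items():
        pkt = drop = None
        for f in lines:
            pkt = pkt or PKT_RE.search(f.get("msg", ""))
            drop = drop or DROP_RE.search(f.get("msg", ""))
        if pkt and drop and int(pkt["dport"]) in dports:
            drops.append({"trace_id": trace_id, "src": pkt["src"], "dst": pkt["dst"],
                          "dport": int(pkt["dport"]), "intf": pkt["intf"],
                          "policy": int(drop["policy"])})
    return drops
```

Feed it the output of `diagnose debug flow` filtered on the SSL VPN port; every record it returns names an interface that has no matching local-in rule for that port, which is what the thread's answer says to check in the SSL VPN settings and authentication rule.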

aseques

ykonstantakopoulos@crypteianetworks.com wrote:

id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 

The above error means that there is no firewall policy to match this traffic, so it is dropped by policy 0 (the implicit deny). You need a wan1->ssl.root authentication policy where you configure the user group.

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 x.x.x.x
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "all"
                set groups "Your SSL group"
                set portal "Your configured_SSL_Portal"
            next
        end
end

 

thx,

 

yiannis

Thanks so much for this, just wanted to leave a note: on 5.2.5 (don't know if it's version specific), changing the source interface from the GUI doesn't change the authentication rule; I had to edit it within the CLI.

LK_KT
New Contributor

And that is how I have it done. Still, it's not working. It stops at 10%.

Allwyn_Mascarenhas
Contributor

I had the stopping at 98% problem, which was resolved by disabling IPv6 on my ethernet adapter on the laptop.

 

You can try that. And looking at the error in the debug, is the listening interface the same as the one which has a wan -> sslvpn policy with the user? Looks like it just can't find that policy.

rwpatterson

Let's see if this issue is the firewall or the client. Try connecting to https://108.30.199.87:10443

 

user: test

pass: testuser

 

You won't be able to access anything. The goal is to see how far along your client gets.

 

Let us know.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

LK_KT
New Contributor

It worked, no problem on my client side.
