Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MoccaMaster
New Contributor III

SSLVPN to Azure VPN traffic not flowing

We have a setup where we connect to our Azure resources using a Site2site IPSec VPN connection, which works as expected. 

 

However, once my clients connects from Forticlient using SSLVPN, traffic does not get routed to Azure.

I have created Firewall rules that allow traffic from SSLVPN to Azure remote IP addresses.

SSLVPN splitmode is disabled, as I want all traffic over my VPN.

 

SSLVPN Clients can connect to LAN and WAN resources.

SSLVPN clients cannot connect to Azure resources. 

 

 

If someone can point me into any direction, it would be very appreciated. 

 

1 Solution
aionescu

Hi @MoccaMaster 

 

From the debug:

 

FG1 # id=20085 trace_id=4011 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.210.134.100:1->10.100.0.6:2048) from ssl.root. type=8, code=0, id=1, seq=461

4."

id=20085 trace_id=4011 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-01a4d8b0, original direction"

id=20085 trace_id=4011 func=ipv4_fast_cb line=53 msg="enter fast path"

id=20085 trace_id=4011 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.210.134.100->172.16.0.1:60417"

id=20085 trace_id=4011 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-AzureVPN"

id=20085 trace_id=4011 func=_ipsecdev_hard_start_xmit line=667 msg="IPsec tunnel-AzureVPN"

id=20085 trace_id=4011 func=ipsec_common_output4 line=875 msg="No matching IPsec selector, drop"

 

Can you confirm the phase2 selectors?

View solution in original post

13 REPLIES 13
Debbie_FTNT

Thanks for sharing the solution, MoccaMaster :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
babayaga67

Non-fungible tokens (NFTs) are another noteworthy development within the cryptoindustry. NFTs are unique digital assets that represent ownership or proof of authenticity of a particular item, whether it's digital art, collectibles, virtual real estate, or even tweets. NFTs have garnered immense attention in the world of art, entertainment, and gaming, creating new opportunities for creators and collectors alike.

teatime232
New Contributor

Compare the shared key for the on-premises VPN device to the Azure Virtual Network VPN to make sure that the keys match.

To view the shared key for the Azure VPN connection, use one of the following methods:

Azure portal

  1. Go to the VPN gateway site-to-site connection that you created.

  2. In the Settings section, click Shared key.

  • The IP definition in the Local Network Gateway object in Azure should match the on-premises device IP.
  • The Azure gateway IP definition that is set on the on-premises device should match the Azure gateway IP.

Check for and remove user-defined routing (UDR) or Network Security Groups (NSGs) on the gateway subnet, and then test the result. If the problem is resolved, validate the settings that UDR or NSG applied.

If the Internet-facing IP address of the VPN device is included in the Local network definition in Azure, you might experience sporadic disconnections.

The perfect forward secrecy feature can cause disconnection problems. If the VPN device has perfect forward secrecy enabled, disable the feature. Then update the VPN gateway IPsec policy.See more

MoccaMaster

@teatime232 the tunnel is working from on-premise to and from Azure servers. 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors