Fortinet Support Forum
ingchristo
New Contributor

SSLVPN traffic FGT1 unable to communicate FGT2

I have a LAN with 2 FGTs. SSLVPN coming in to FGT1 cannot reach FGT2 and the server on FGT2. Not sure where my issue might be.

(Attached screenshot: Screenshot 2024-09-04 130940.png)

1 Solution
AEK
SuperUser

Did you add a route on FGT1 like this?

  • Dest: <server-subnet>
  • Port: portX
  • GW: 192.168.10.254

And on FGT2 like that?

  • Dest: 192.168.100.0/24
  • Port: portY
  • GW: 192.168.10.252

And firewall rules on both FG1 and FG2 to allow the related traffic?

AEK
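
The two routes and the matching policies from the reply above, rendered as FortiOS CLI. This is an added example, not configuration from the original post: the server subnet 10.0.20.0/24, the interface names port2/port3/port4, the user group sslvpn-users, and the address objects fgt2-server-subnet (10.0.20.0/24) and fgt1-sslvpn-pool (192.168.100.0/24, assumed to be the SSL VPN tunnel pool on FGT1) are assumed placeholders; SSLVPN_TUNNEL_ADDR1 is the default SSL VPN pool object.

```fortios
# FGT1 (LAN 192.168.10.252): route the server subnet via FGT2, allow SSL VPN -> servers
# Assumed: LAN interface port2, address object fgt2-server-subnet, group sslvpn-users
config router static
    edit 0
        set dst 10.0.20.0 255.255.255.0
        set gateway 192.168.10.254
        set device "port2"
    next
end
config firewall policy
    edit 0
        set name "sslvpn-to-fgt2-servers"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "fgt2-server-subnet"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# FGT2 (LAN 192.168.10.254): return route for the SSL VPN pool via FGT1, allow LAN -> servers
# Assumed: LAN interface port3, server interface port4, address objects fgt1-sslvpn-pool / fgt2-server-subnet
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set gateway 192.168.10.252
        set device "port3"
    next
end
config firewall policy
    edit 0
        set name "fgt1-sslvpn-to-servers"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "fgt1-sslvpn-pool"
        set dstaddr "fgt2-server-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Leave NAT disabled (the default) on the FGT1 policy so FGT2 sees the real 192.168.100.x client address and its return route is actually used; narrowing service from ALL to what the server offers is the usual next step.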

ingchristo
New Contributor

Adding these static routes did the trick.

nathan_h
Staff

Hi ingchristo,

You can check the routing by the commands below.

get router info routing-table details <source>
get router info routing-table details <destination>

Run a packet capture and initiate traffic to see where the packet is dropped.

diag sniffer packet any 'host <source> and host <destination>' 4 0 l

Verify the firewall policy based on the routing table.

Nathan
FCP-NS, FCP-PCS, FCP-SO, FCSS-NS, FCSS-PCS, FCSS-SASE
maulishshah
Staff

Hi,

Can you please provide the routing table from FGT1 for the server?

get router info routing-table details x.x.x.x (server IP)

In addition, as previously mentioned, we need to have a firewall rule from SSL VPN to LAN with the particular subnets.

If all configuration is fine, we would like to run the debug on both of the firewalls:

di de reset
di de flow filter clear
di de flow filter addr x.x.x.x (x.x.x.x is the server IP)
di de flow filter proto 1
di de flow trace start 999
di de en

Note: Please initiate the ping after applying the above debugs from the user who connects to the SSLVPN.

Maulish Shah
Hsharma
Staff

Hi,

You also have to check if the destination route is printed in the route print output on the device connected to the VPN. If routes are not present in the route print output, then split tunneling might be enabled and you might need to add the destination route in the split tunnel.

Thank you
