keavin
New Contributor

Unable to ping machines on the same network after connecting via SSLVPN

Hi there!

I'm currently trying to set up one of the users at my company with FortiClient (VPN only) so that they may connect to our studio's network, and then remote in to their workstation via HP ZCentral remoting software.

Our user's specs are as follows:
FortiClient VPN, version 7.0.7.0245

MacBook Air (M1, 2020), macOS Big Sur 11.7.1, Build Version 20G918

We've got an SSLVPN configuration that works for everybody else in the studio, except this one user, and I don't really understand why. This user can establish the VPN connection and also gets assigned an IP address, and has internet access, but for some reason, cannot communicate with other machines connected to our network. Because of this, she is unable to remote into her workstation via HP ZCentral. We found this out by trying to ping the machines on our network (with no success) via the Terminal. This is in direct contrast to my experience with the same SSLVPN configuration. I definitely can ping other machines on our network, and can also remote into my studio's workstations. 

We've made sure to: match our SSLVPN configurations as well as give FortiClient full disk permissions.

Any insight/help/advice would be greatly appreciated. Thanks for reading!

Best,
Keavin
Toshi_Esumi
Esteemed Contributor II

You need to troubleshoot by first sniffing when she pings from the terminal. If it's coming in to the FGT, the problem is likely in the FGT. But if it's not coming in, it must be on the VPN client side or the MacBook.

Toshi

keavin

Hi Toshi!
Thanks for the quick response. Please excuse my ignorance and allow me to ask - which packet sniffing tool do you recommend? And does FGT stand for FortiGate tray?

Best,

Keavin

Toshi_Esumi
Esteemed Contributor II

FGT stands for FortiGate. You can use either GUI PCAP or CLI "diag sniffer packet" command. I would say CLI is quicker & easier in case you don't have to see the content of the packets.

Toshi
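
Added example, not part of the thread and not Fortinet code: a small Python triage of text captured with the CLI sniffer (for instance `diagnose sniffer packet any 'icmp and host <client-ip>' 4`), applying the rule from the replies above and going one step further by also checking whether the request is forwarded and a reply returns. The sample lines, interface names and addresses are constructed, and the line layout is assumed to be the verbosity-4 format (timestamp, interface, direction, source -> destination).

```python
import re

# Constructed samples in the style of FortiGate sniffer output at verbosity 4
# (timestamp, interface, direction, src -> dst). All addresses are made up.
CLIENT = "10.212.134.200"   # assumed SSL VPN address handed to the Mac
FORWARDED_NO_REPLY = """\
interfaces=[any]
filters=[icmp and host 10.212.134.200]
2.101199 ssl.root in 10.212.134.200 -> 192.168.10.25: icmp: echo request
2.101410 internal out 10.212.134.200 -> 192.168.10.25: icmp: echo request
"""
NOT_FORWARDED = """\
3.500101 ssl.root in 10.212.134.200 -> 192.168.10.25: icmp: echo request
4.500322 ssl.root in 10.212.134.200 -> 192.168.10.25: icmp: echo request
"""
WORKING = FORWARDED_NO_REPLY + """\
2.102050 internal in 192.168.10.25 -> 10.212.134.200: icmp: echo reply
2.102190 ssl.root out 192.168.10.25 -> 10.212.134.200: icmp: echo reply
"""

LINE = re.compile(
    r"^\s*[\d.]+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)")

def triage(capture: str, client_ip: str) -> str:
    """Classify where a VPN client's ping stops, from sniffer text."""
    seen = set()  # (kind, direction) pairs observed for this client
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header lines and unrelated traffic
        if m["kind"] == "request" and m["src"] == client_ip:
            seen.add(("request", m["dir"]))
        elif m["kind"] == "reply" and m["dst"] == client_ip:
            seen.add(("reply", m["dir"]))
    if ("request", "in") not in seen:
        return "client-side: ping never reaches the FortiGate"
    if ("request", "out") not in seen:
        return "fortigate: request arrives but is not forwarded"
    if ("reply", "in") not in seen:
        return "target-side: request forwarded, no reply comes back"
    if ("reply", "out") not in seen:
        return "fortigate: reply arrives but is not sent to the client"
    return "ok: request and reply pass through the FortiGate"

if __name__ == "__main__":
    for name, cap in [("forwarded", FORWARDED_NO_REPLY), ("dropped", NOT_FORWARDED),
                      ("working", WORKING), ("empty", "")]:
        print(name, "->", triage(cap, CLIENT))
```

An empty capture while the user is pinging corresponds to the "not coming in" case in the reply above, which points at FortiClient or the MacBook rather than the FortiGate.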