cos-sys
New Contributor

Upgrading to 7.2.6 on FortiGate 100E causes FortiClient to have no incoming traffic

Hello,

We've just upgraded our HA cluster of FortiGate 100E from version 7.2.5 build 1517 to 7.2.6 build 1575.

After the upgrade, the SSL VPN encountered some issues. People were able to connect to it using their LDAP credentials, but no incoming traffic was being received from any of the connected clients; only outgoing traffic was seen.

After trying to troubleshoot this issue, we found that the flow from our LAN back to our SSL VPN users was hitting "policy 0", which is an implicit "drop" of the packets.

We didn't modify anything and don't understand why we are hitting this "policy 0", and for us this is a bug! The web portal connection was working OK even though it also said that no traffic was incoming.

We had to roll back to version 7.2.5 to have this issue resolved.

The problem is not in the FortiClient software in my opinion, since the issue is more related to a policy matter. We have tried using different versions of the FortiClient software, and even the latest one (7.2.2) was not working.

Has anyone encountered these issues? Thank you for your help!

Regards,

hbac
Staff

Hi @cos-sys,

 

If it was dropped by policy 0, that means there is no firewall policy to allow traffic from LAN to SSL-VPN. Please double-check your firewall policy.

Regards,

cos-sys
New Contributor

Hello,

Thank you for your reply.

I do not think that the problem is related to our firewall policies. The reason is that everything works fine in 7.2.5; only in 7.2.6 does it hit this "policy 0" with the implicit deny.

Maybe this is the case because of the change of behavior for the IP pools / VIPs, but we are not using those for our SSL VPN, so I don't really see why this change could impact us.

Our clients get IPs in a subnet like 10.10.10.X/24 when connected to the SSL VPN, and they are trying to access our network, which is under the subnet 10.10.X.X/16.

Thank you for your help!

Regards,

AlPhiMe

The release notes also contained a link to a KB which had further information regarding the change.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IP-pool-and-virtual-IP-behavior-changes-in...

"However, as a side-effect, once an IP pool or VIP has been configured, even if it is never used in a firewall policy, the FortiGate considers it as a local address and will not forward traffic based on the routing table."

There is also a section in the KB explaining the impacts on an SSL VPN configuration. But if nothing helps, I would consider creating a TAC ticket to have an engineer look at the configuration.
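As an added illustration (not code from this thread, from Fortinet, or from the linked KB), here is a small Python model of the forwarding difference the quoted KB sentence describes: a reply from the LAN to an SSL VPN client address goes through the route lookup in 7.2.5, but in 7.2.6 is short-circuited when a configured IP pool or VIP range covers it, even if no policy references that object. The routes, policies and pool object are constructed, and the idea that the pool's arp-reply setting decides whether its range counts as local is an assumption of this model, not something the thread states.

```python
import ipaddress

# Constructed model of the behaviour change discussed in this thread.
# ASSUMPTION: from 7.2.6 on, a configured IP pool/VIP range with arp-reply
# enabled is treated as a local address and never reaches the route lookup.
# Before 7.2.6 the routing table is always consulted.

ROUTES = {  # constructed: destination prefix -> egress interface
    ipaddress.ip_network("10.10.10.0/24"): "ssl.root",  # SSL VPN client subnet
    ipaddress.ip_network("10.10.0.0/16"): "lan",        # internal network
}
POLICIES = {  # constructed: (src intf, dst intf) pairs that are allowed
    ("ssl.root", "lan"),
    ("lan", "ssl.root"),
}
# constructed: an IP pool that exists but is referenced by no firewall policy
LOCAL_OBJECTS = [
    {"name": "old-pool", "range": ipaddress.ip_network("10.10.10.0/24"),
     "arp_reply": True},
]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; None when no route covers dst."""
    matches = [n for n in ROUTES if dst in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None


def treated_as_local(dst, fortios):
    """7.2.6+: any configured pool/VIP covering dst with arp-reply on is local."""
    if tuple(int(x) for x in fortios.split(".")) < (7, 2, 6):
        return False
    return any(dst in o["range"] and o["arp_reply"] for o in LOCAL_OBJECTS)


def decide(src_intf, dst_ip, fortios):
    """Outcome for a packet entering on src_intf towards dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    if treated_as_local(dst, fortios):
        # No route lookup happens, so no (src, dst intf) pair can match.
        return "policy 0 (implicit deny): destination treated as local"
    egress = route_lookup(dst)
    if (src_intf, egress) in POLICIES:
        return f"allowed via route to {egress}"
    return "policy 0 (implicit deny): no matching policy"


if __name__ == "__main__":
    for ver in ("7.2.5", "7.2.6"):
        print(ver, "LAN -> VPN client:", decide("lan", "10.10.10.5", ver))
```

Flipping `arp_reply` to `False` on the constructed pool restores the route-based result in the model, which is the lever the ARP-reply KB linked later in the thread covers.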

BillH_FTNT
Staff

Hi @cos-sys,

There is a note in the release notes related to your case.

[Attached image: Release notes.PNG]

You can find something in this tip too: https://community.fortinet.com/t5/FortiGate/Technical-Tip-ARP-reply-setting-in-Virtual-IP-IP-Pool/ta...

Rg/Bill
