A user machine connecting to the VPN is being isolated from other networks on a Linux host.
The user machine is reachable from the same network only.
This scenario is seen on Linux-based OS only.
On FortiGate, in the related SSL VPN Portal, check if you enabled "Restrict to Specific OS Versions".
No, we have not configured "Restrict to Specific OS Versions".
Are you using FortiClient EMS? If so you may check if your firewall policies are using EMS tags to allow or deny specific clients.
No, we are not using FortiClient EMS.
Can you check if your Linux client received some gateway info from the VPN server?
You can check on your client with the command "netstat -rn", "route -n" or "ip route".
Yes, routes are being pushed by the VPN; that's why access is getting lost. Actually, the issue is that we are taking RDP access (or SSH; any service is affected) to the machine from which we are going to connect to the VPN. Suppose the IP of the machine is 192.168.1.2. Before connecting to the VPN, all traffic is routed via the default route, whose gateway is set to the gateway of the 192.168 network, suppose 192.168.1.1.

Now when we connect to the VPN, multiple routes are pushed according to the multiple networks the user has been given access to, one of which is also 192.168.0.0/24, so for this subnet the exit interface is now set to the tunnel interface. Because of this, RDP/SSH access to this machine is lost: request packets enter this machine via the LAN interface, but when the response is created, routing checks the routing table, and because the exit interface in the routing table is set to the tunnel interface, the response exits from the tunnel interface (we have verified this behaviour by checking tcpdump on both interfaces). Hence the response packets are not received by the source of the request.

As same-LAN communication requests are directed by ARP entries, any request generated from any system within 192.168.0.0/24 can still access this machine at the same time, but any other network (suppose 192.168.2.0/24) which was reachable previously is now unreachable because of the VPN connection.
I misunderstood your first post, now I think the issue is more clear.
So you mean you have a subnet 192.168.2.0/24 on both your local network and on the remote network as well (behind the VPN server), and the VPN is pushing a new route to this subnet which prevents you from communicating with this local subnet, right?
Actually, here is some more clarification. Suppose we have multiple subnets like 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and so on, so to access the whole network from the VPN we have configured routes like 192.168.0.0/16 for a wider range, and the machine from which we are connecting to the VPN has IP 192.168.1.2. So the VPN is pushing a route for this whole subnet and as a result we are losing access. The remaining details have been explained in the comment above; please refer to it and let us know if additional info is required.
In your firewall policy (SSL-VPN interface -> LAN) you are specifying the whole subnet as destination; that's why the VPN is pushing a route toward the whole subnet.
In case you are connecting to 192.168.1.2 only (or two or three IPs) then you can specify this single IP address in your firewall policy so that the VPN will only push the route toward this address, not to the whole subnet.
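Added example (not part of the thread, and not FortiClient or FortiGate code): a small POSIX shell longest-prefix-match lookup over constructed routing tables, reproducing the reply-path change described above. Before the VPN, a reply to 192.168.2.7 leaves via the default route on the LAN interface; once the SSL VPN pushes 192.168.0.0/16 via the tunnel, that /16 is more specific than the default route, so the reply leaves via the tunnel and never reaches the requester, while the connected 192.168.1.0/24 still wins for same-LAN peers. With the policy narrowed to the host actually needed, only a host route is pushed and the local subnets keep their old path. The interface names (eth0, tun0), the gateway and the remote host 192.168.50.10 are assumptions; on a real client, `ip route get 192.168.2.7` performs the same lookup in the kernel.

```shell
#!/bin/sh
# Added example (not from the forum thread): longest-prefix-match lookup over
# constructed routing tables, showing the reply-path change the thread describes.
# Interface names, subnets and the remote host 192.168.50.10 are assumptions.

# Convert dotted-quad IPv4 to an integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as integer) for a prefix length 0..32.
prefix_mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  fi
}

# egress_dev TABLE DST: TABLE is a whitespace-separated list of "CIDR@dev"
# entries; prints the device chosen by longest-prefix match for DST.
egress_dev() {
  dst=$(ip_to_int "$2")
  best_len=-1
  best_dev=none
  for entry in $1; do
    cidr=${entry%%@*}
    dev=${entry##*@}
    net=$(ip_to_int "${cidr%/*}")
    len=${cidr#*/}
    mask=$(prefix_mask "$len")
    if [ $(( dst & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len
      best_dev=$dev
    fi
  done
  echo "$best_dev"
}

# Constructed tables for the client 192.168.1.2 (LAN on eth0, gateway 192.168.1.1).
TABLE_BEFORE_VPN="0.0.0.0/0@eth0 192.168.1.0/24@eth0"
# The thread's situation: the SSL VPN pushes 192.168.0.0/16 via the tunnel.
TABLE_VPN_WIDE="0.0.0.0/0@eth0 192.168.1.0/24@eth0 192.168.0.0/16@tun0"
# The suggested fix: the policy names only the host actually needed, so only a
# host route is pushed (192.168.50.10 is an assumed remote server).
TABLE_VPN_NARROW="0.0.0.0/0@eth0 192.168.1.0/24@eth0 192.168.50.10/32@tun0"

show() {
  printf '%-7s reply to %-14s leaves via %s\n' "$1" "$3" "$(egress_dev "$2" "$3")"
}

show before "$TABLE_BEFORE_VPN" 192.168.2.7    # eth0: via the default gateway
show wide   "$TABLE_VPN_WIDE"   192.168.2.7    # tun0: /16 beats the default route, reply is lost
show wide   "$TABLE_VPN_WIDE"   192.168.1.9    # eth0: connected /24 still beats the /16
show narrow "$TABLE_VPN_NARROW" 192.168.2.7    # eth0: no pushed route covers the local subnets
show narrow "$TABLE_VPN_NARROW" 192.168.50.10  # tun0: only the needed host uses the tunnel
```

The lookup ignores metrics and policy routing, which is enough to show why the reply to an off-subnet requester changes interface: the kernel picks the most specific matching prefix, and a pushed /16 is more specific than the default route but less specific than the connected /24, which is exactly the split between "same LAN still works" and "192.168.2.0/24 is now unreachable".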
Copyright 2024 Fortinet, Inc. All Rights Reserved.