
VPN Site Cannot Access Internet After Deploying SSL VPN



I followed this tutorial because my remote site and VPN site have the same subnet (


However, the VPN is working perfectly, except the VPN site now cannot access the internet.

Here is what the FortiGate log shows when I try to ping:



My environment is:

- FortiGate 40F firmware v7.0.12 build0523
- SSL VPN Split tunnel Enabled Based on Policy Destination
- Connect to VPN by FortiVPN Client


EDIT1: I also found out from the log that the NAT IP has changed to the Virtual IP instead of the WAN IP.




You have split tunneling enabled, which means the internet traffic is supposed to go outside the tunnel. Is the internet working fine when VPN is disconnected?
Can you share the policy the non-working traffic is hitting and the SSL VPN policies?


- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

When I disable the policy, the VPN network is OK.

Here is the policy that was created by the tutorial:




And this is a LAN to WAN policy, which is a normal policy to allow internet access:



As per the below image, we are sending traffic out, but there is no response. Can you confirm the incoming and outgoing interface for this? Is this WAN to WAN? Are you connecting to SSL VPN from LAN itself?




According to the picture, it was the LAN to WAN policy that I created before implementing the VPN, which used to work normally before, and when I disable the VPN policies, the log from the LAN to WAN policy works fine.

Here is more detail from log:


P.S. The NAT IP is the SSLVPN IP, not the real WAN IP.


I think I have found the solution, but I'm not sure if it's best practice.

Since the NAT IP isn't the real WAN IP as it is supposed to be, I forced the LAN to WAN policy to NAT by IP Pool with the WAN IP that I got from an ISP (manually created).


But I don't have a static fixed WAN IP. When my WAN IP is renewed, it seems like the solution won't work.


I have looked again at the WAN to LAN policy according to the tutorial (step 4), which seems like the cause of the problem, so I disabled it and created a new policy with new settings instead.

The new policy setting is:

  • Incoming interface: VPN tunnel
  • Outgoing Interface: LAN

I also limited the source from 'all' to just the VPN subnet and VPN users.


Now I can use VPN and the VPN network can access the Internet.
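
As an added example (not part of the original post and not taken from the tutorial), the scoped policy described above could look like this in the FortiOS CLI. The interface name `lan`, the group `vpn-users` and the destination placeholder are assumptions; `ssl.root` and `SSLVPN_TUNNEL_ADDR1` are the FortiOS defaults for the SSL VPN tunnel interface and its address range.

```fortios
# Added example with constructed names; adjust to the objects on your unit.
config firewall policy
    # "edit 0" creates a new policy with the next free ID
    edit 0
        set name "sslvpn-to-lan"
        # Incoming interface: the SSL VPN tunnel, not the WAN port
        set srcintf "ssl.root"
        # Outgoing interface: LAN (assumed name of the LAN interface)
        set dstintf "lan"
        set action accept
        # Source limited to the VPN subnet instead of "all"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        # ...and to authenticated VPN users (hypothetical group name)
        set groups "vpn-users"
        # Placeholder: the destination object the tutorial had you create
        set dstaddr "REPLACE_WITH_DESTINATION_OBJECT"
        set schedule "always"
        set service "ALL"
        # Log every session so the matched policy and NAT IP can be checked
        set logtraffic all
    next
end
```

Because this policy only matches traffic arriving on the tunnel interface from the VPN range, ordinary LAN to WAN sessions no longer match it and keep using the existing internet policy.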

