Support Forum
Zoxan
New Contributor

VPN traffic blocked by implicit deny

Hi guys! Here is an issue with a FortiGate 200F (7.4.1): IPsec VPN LDAP users randomly can't get access (can't even ping) to various internal sources after establishing a connection because of a sudden implicit deny, while locally created users have no such problem at all. They both are in the same group, under the same policy. It's strange how that rule doesn't work for AD users sometimes. Any guesses?

AEK
SuperUser

Hi

Does the related policy use FSSO as source?

I guess the blocked traffic shows IP without user, right?

Zoxan
New Contributor

@AEK wrote:

Hi

Does the related policy use FSSO as source?

I guess the blocked traffic shows IP without user, right?


The policy contains the VPN IP range and a group of imported LDAP users with local users as source. Blocked traffic shows Source/Source Country/Region/Source Interface/Device ID/User in the details; when Accepted, the same with the addition of Source NAT IP/Source NAT Port and Group.

dbu

What do you mean by: The policy contains "group of imported ldap users with local users as source"?

Are you using IKEv1 or IKEv2?

Regards!
hbac
Staff

Hi @Zoxan

Do you mean IPsec VPN users are able to connect but can't access internal resources? You need to run a debug flow to see why the traffic is being dropped: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Regards,
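As an added illustration of what that debug flow gives you (example code, not from the thread or from Fortinet): the snippet below parses a constructed debug-flow capture, groups it per trace_id and reports which flows ended in the implicit deny (policy 0), so the denied VPN client's source address and inbound interface can be compared against the policy's source objects and user group. The interface name, addresses and session ids in the sample are made up; the CLI commands in the comment are the standard FortiOS ones for producing such a capture.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug flow" output (not from the thread).
# Typical capture sequence on the FortiGate CLI:
#   diagnose debug reset
#   diagnose debug flow filter addr <vpn-client-ip>
#   diagnose debug flow show function-name enable
#   diagnose debug flow trace start 100
#   diagnose debug enable
#   ... reproduce the failing ping, then: diagnose debug disable
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 10.212.134.200:1->10.0.0.10:2048) tun_id=0.0.0.0 from vpn_ldap. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=6078 msg="allocate a new session-0000a3f1, tun_id=0.0.0.0"
id=20085 trace_id=1 func=fw_forward_handler line=990 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 10.212.134.201:1->10.0.0.10:2048) tun_id=0.0.0.0 from vpn_ldap. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=6078 msg="allocate a new session-0000a3f2, tun_id=0.0.0.0"
id=20085 trace_id=2 func=fw_forward_handler line=853 msg="Allowed by Policy-12: SNAT"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).*? from (\S+)\.')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')

def summarize(text):
    """Group debug-flow lines by trace_id; record the packet 5-tuple bits and the policy verdict."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        t = traces[tid]
        pkt = PKT_RE.search(msg)
        if pkt:
            t.update(proto=int(pkt.group(1)), src=pkt.group(2), dst=pkt.group(3), in_if=pkt.group(4))
        d = DENY_RE.search(msg)
        if d:
            t.update(verdict="denied", policy=int(d.group(1)), func=func)
        a = ALLOW_RE.search(msg)
        if a:
            t.update(verdict="allowed", policy=int(a.group(1)), func=func)
    return dict(traces)

def implicit_denies(traces):
    """Return (trace_id, src, dst) for flows dropped by the implicit deny (policy 0)."""
    return [(tid, t.get("src"), t.get("dst")) for tid, t in sorted(traces.items())
            if t.get("verdict") == "denied" and t.get("policy") == 0]

if __name__ == "__main__":
    for tid, t in summarize(SAMPLE).items():
        print(tid, t)
    print("implicit denies:", implicit_denies(summarize(SAMPLE)))
```

A trace that reaches policy 0 from the VPN interface while a sibling trace from the same interface is allowed points at the source-matching step (address, user or group) rather than at routing, which is the distinction this thread is trying to make.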

sahmed_FTNT
Staff

Hello, if you can share the debug output, that will be more useful for troubleshooting.
