gthalassinos
New Contributor II

VPN works if WAN2 goes down but not if WAN1 goes down

On a Fortigate 50E (6.2.15) there are 2 WAN ports active, mainly for redundancy and load balancing.

SSL-VPN specifies that it is listening on both over 443 and Authentication/Portal Mapping has 2 entries, one specific for a Fortigate Local Admin account and another for "All Other Users/Groups" that both map to the same Portal.

If I bring down WAN2 I can connect remotely to WAN1 over its Static IP as expected. Yet that is not the case with WAN1. If I bring down WAN1, FortiClient VPN cannot connect to the Static IP of WAN2. All the while, WAN2 is working as expected from within the company as I can remotely connect with Anydesk without a problem.

Where would I find some configuration setting that would cause such behaviour? I am not the one who has set up the Firewall and I am trying to find my way around its settings.

Toshi_Esumi
SuperUser

First you need to figure out the design of failover between wan1 and wan2. Check the default routes toward both interfaces in "get router info routing-table all". You should see lines like below. Below is my 40F with SD-WAN so yours should be different.

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
                    [1/0] via y.y.y.y, a, [1/1]

Toshi

gthalassinos
New Contributor II

Well, Toshi, I believe you are on to something here. I did find a line like the one you mentioned, but I only see wan1 and not wan2, if that should be the case with a failover scenario.

S* 0.0.0.0/0 [1/0] via 10.0.1.254, wan1
C 10.0.1.0/24 is directly connected, wan1

What is the next step?

Sorry, wrong answer. I apologize for that.

The WAN2 port was disabled from the last troubleshooting attempt and the relevant entries were missing.

S* 0.0.0.0/0 [1/0] via 10.0.1.254, wan1
             [1/0] via 10.0.2.254, wan2
C 10.0.1.0/24 is directly connected, wan1
C 10.0.2.0/24 is directly connected, wan2

This is the right output of the command, so both interfaces are present. What is the next step?

gthalassinos
New Contributor II

Allow me to elaborate a bit on the details of the issue.

* I have created 2 connection profiles on the FortiClient VPN, one for each WAN Static IP
* When both WANs are enabled I can connect over both profiles; when WAN2 is disabled I can connect over Profile1; when WAN1 is disabled I cannot connect over Profile2
* The error reported from the client is "the server may be unreachable (-5)"
* I have aligned TLS versions between Internet Explorer and Fortigate to 1.1, 1.2 and 1.3

Toshi_Esumi
SuperUser

This means those two wan interfaces are load-balanced, with no admin distance difference nor priority, and no SD-WAN. Then when wan1 is down, only the second default route to wan2 should be there and SSL VPN access to wan2 should work.

By the way, are those GW IPs 10.0.1.254 and 10.0.2.254 real IPs, or did you just modify them from the real public IPs? Then, are those actual wan IPs really in those two connection profiles, especially for wan2? Can you ping the wan2 IP when wan1 is down?
I suspect something outside of this FGT before reaching the wan2 is causing the unreachability.

<edit>Also check "show config vpn ssl settings" to make sure any "source-interface" config has either "any" or both "wan1" and "wan2" specified.</edit>

Toshi
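The two checks Toshi describes (both WAN interfaces present as equal-cost default routes, and the SSL-VPN listener bound to both of them or to "any") can be turned into a small script that reads the two CLI outputs and reports what would stop a failover from working. This is an added example, not code from the thread or from Fortinet. The two sample outputs are constructed; the routing-table layout follows what is shown in the thread, and the `show vpn ssl settings` layout (`set source-interface "wan1" "wan2"`) is assumed from the standard FortiOS CLI format.

```python
import re
from typing import Dict, List

# Constructed sample output of "get router info routing-table all":
# two equal-cost static default routes, one per WAN (not a real capture).
ROUTING_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.1.254, wan1
                  [1/0] via 10.0.2.254, wan2
C       10.0.1.0/24 is directly connected, wan1
C       10.0.2.0/24 is directly connected, wan2
"""

# Constructed sample output of "show vpn ssl settings": the listener is bound
# to wan1 only, which is the kind of omission Toshi's edit asks to rule out.
SSL_SETTINGS = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    set port 443
end
"""

# "[distance/metric] via <gateway>, <interface>" as printed by FortiOS; a
# trailing ", [1/20]" priority (7.x / SD-WAN) is tolerated by rstrip below.
ROUTE_RE = re.compile(r"\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+)")


def parse_default_routes(text: str) -> List[Dict[str, object]]:
    """Return every next hop of 0.0.0.0/0 with its admin distance and metric.

    FortiOS prints the first ECMP member on the 'S*' line and the remaining
    members on indented continuation lines, so hops are collected until a
    non-indented line starts a different route.
    """
    hops: List[Dict[str, object]] = []
    in_default = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Routing table"):
            continue
        if stripped.startswith("S*") and "0.0.0.0/0" in stripped:
            in_default = True
        elif not line.startswith(" "):
            in_default = False
        if in_default:
            m = ROUTE_RE.search(line)
            if m:
                hops.append({
                    "distance": int(m.group(1)),
                    "metric": int(m.group(2)),
                    "gateway": m.group(3),
                    "interface": m.group(4).rstrip(","),
                })
    return hops


def parse_source_interfaces(text: str) -> List[str]:
    """Return the interfaces the SSL-VPN listener is bound to ('any' if unrestricted)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set source-interface"):
            return re.findall(r'"([^"]+)"', line)
    return []


def check_sslvpn_failover(routing: str, ssl_settings: str) -> List[str]:
    """Return human-readable findings; an empty list means both WAN paths look usable."""
    findings: List[str] = []
    hops = parse_default_routes(routing)
    wan_ifaces = [str(h["interface"]) for h in hops]

    if len(hops) < 2:
        findings.append(f"only {len(hops)} default route(s): no second WAN path for failover")
    if len(hops) >= 2 and len({(h["distance"], h["metric"]) for h in hops}) > 1:
        findings.append("default routes are not equal-cost: active/backup rather than load-balanced")

    listen = parse_source_interfaces(ssl_settings)
    if "any" not in listen:
        missing = [i for i in wan_ifaces if i not in listen]
        if missing:
            findings.append(f"SSL-VPN source-interface omits {missing}: "
                            "clients connecting to those WAN IPs will not reach the listener")
    return findings


if __name__ == "__main__":
    for finding in check_sslvpn_failover(ROUTING_TABLE, SSL_SETTINGS) or ["no findings"]:
        print(finding)
```

Paste the real output of the two commands into the two strings (or read them from files) and run it after each change; once both WANs appear as equal-cost default routes and the listener covers both, anything that still fails points outside the FortiGate, which is where this thread ended up.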

gthalassinos
New Contributor II

You are right, it was something outside the FortiGate. One of the routers, the one attached to WAN2, had trouble port forwarding 443 to the internal network as it was. That, combined with another relic from the past, created the final problem, which was that WAN2 was never actually operational (VPN-wise).

Kudos for pointing me in the right direction; all your suggestions were on the right path, although you could not imagine where the actual problem would finally surface. Your assumptions though were correct. Thanks a lot.
