On a Fortigate 50E (6.2.15) there are 2 WAN ports active, mainly for redundancy and load balancing.
SSL-VPN specifies that it is listening on both over 443 and Authentication/Portal Mapping has 2 entries, one specific for a Fortigate Local Admin account and another for "All Other Users/Groups" that both map to the same Portal.
If I bring down WAN2 I can connect remotely to WAN1 over its Static IP as expected. Yet that is not the case with WAN1. If I bring down WAN1, FortiClient VPN cannot connect to the Static IP of WAN2. All the while, WAN2 is working as expected from within the company as I can remotely connect with Anydesk without a problem.
Where would I find some configuration setting that would cause such behaviour? I am not the one who has set up the Firewall and I am trying to find my way around its settings.
First you need to figure out the design of fail over between wan1 and wan2. Check the default routes toward both interfaces in "get router info routing-table all". You should see lines like below. Below is my 40F with SD-WAN so yours should be different.
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
[1/0] via y.y.y.y, a, [1/1]
Toshi
Well, Toshi I believe you are on to something here. I did find a line like the one you mentioned but I only see wan1 and not wan2, if that should be the case with a failover scenario.
S* 0.0.0.0/0 [1/0] via 10.0.1.254, wan1
C 10.0.1.0/24 is directly connected, wan1
What is the next step?
Sorry wrong answer. I apologize for that.
The WAN2 port was disabled from the last troubleshooting attempt and the relevant entries were missing.
S* 0.0.0.0/0 [1/0] via 10.0.1.254, wan1
[1/0] via 10.0.2.254, wan2
C 10.0.1.0/24 is directly connected, wan1
C 10.0.2.0/24 is directly connected, wan2
This is the right output of the command, so both interfaces are present. What is the next step?
Allow me to elaborate a bit on the details of the issue.
* I have created 2 connection profiles on the FortiClient VPN, one for each WAN Static IP
* When both WANs are enabled I can connect over both profiles, when WAN2 is disabled I can connect over Profile1, when WAN1 is disabled I cannot connect over Profile2
* The error reported from the client is "the server may be unreachable (-5)"
* I have aligned TLS versions between Internet Explorer and Fortigate to 1.1, 1.2 and 1.3
This means those two wan interfaces are load-balanced, no admin distance difference nor priority, and no SD-WAN. Then when wan1 is down, only the second default route to wan2 should be there and ssl vpn access to wan2 should work.
By the way, are those GW IPs 10.0.1.254 and 10.0.2.254 real IPs, or did you just modify them from the real public IPs? And are the actual WAN IPs really the ones in those two connection profiles, especially for wan2? Can you ping the wan2 IP when wan1 is down?
I suspect something outside of this FGT before reaching the wan2 is causing the unreachability.
Edit: Also check "show config vpn ssl settings" to make sure any "source-interface" config has either "any" or both "wan1" and "wan2" specified.
Toshi
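The two checks Toshi describes (equal-cost default routes on both WANs, and the SSL-VPN source-interface covering both) can be run over pasted CLI output. This is an added example, not code from the thread; the routing table and "show vpn ssl settings" text below are constructed samples in the shape of the output posted above, and the interpretation of the trailing [weight/priority] bracket is an assumption.

```python
import re

# Constructed sample of "get router info routing-table all", in the shape of the output
# posted in this thread: two equal-cost static default routes, one per WAN.
ROUTING_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.1.254, wan1
                  [1/0] via 10.0.2.254, wan2
C       10.0.1.0/24 is directly connected, wan1
C       10.0.2.0/24 is directly connected, wan2
"""

# Constructed sample of "show vpn ssl settings", trimmed to the attribute that matters here.
SSL_SETTINGS = """\
config vpn ssl settings
    set source-interface "wan1"
end
"""

# [distance/metric] via <gateway>, <interface>[, [weight/priority]]  (trailing bracket assumed)
ROUTE_RE = re.compile(r"\[(\d+)/\d+\]\s+via\s+(\S+),\s+([^\s,]+)(?:,\s+\[\d+/(\d+)\])?")

def default_routes(routing_output):
    """(distance, priority, gateway, interface) for every 0.0.0.0/0 next hop, continuations included."""
    routes, in_default = [], False
    for line in routing_output.splitlines():
        if not line.startswith((" ", "\t", "[")):   # a new route line, not a continuation
            in_default = "0.0.0.0/0" in line
        m = ROUTE_RE.search(line) if in_default else None
        if m:
            routes.append((int(m[1]), int(m[4] or 0), m[2], m[3]))
    return routes

def sslvpn_interfaces(settings_output):
    """Interfaces quoted in 'set source-interface'; empty set if the attribute is absent."""
    for line in settings_output.splitlines():
        if line.strip().startswith("set source-interface"):
            return set(re.findall(r'"([^"]+)"', line))
    return set()

def check(routing_output, settings_output):
    """Flag unequal distance/priority on the default routes (fail-over, not load balancing)
    and any WAN that carries a default route but is not an SSL-VPN listening interface."""
    routes, listening = default_routes(routing_output), sslvpn_interfaces(settings_output)
    problems = []
    if len({(d, p) for d, p, _, _ in routes}) > 1:
        problems.append("default routes differ in distance or priority: fail-over, not load balancing")
    for _, _, gw, iface in routes:
        if "any" not in listening and iface not in listening:
            problems.append(f"{iface} (gw {gw}) has a default route but SSL-VPN does not listen on it")
    return problems
```

A clean result from check() still leaves the upstream path (the router in front of each WAN) unverified, which is where this thread's problem turned out to be.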
You are right, it was something outside the FortiGate. One of the routers, the one attached to WAN2, had trouble port forwarding 443 to the internal network as it was. That, combined with another relic from the past created the final problem. Which was that WAN2 was never actually operational (VPN wise).
Kudos for pointing me in the right direction; all your suggestions were on the right path, although you could not imagine where the actual problem would finally surface. Your assumptions, though, were correct. Thanks a lot.