Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor


Hi, I have a problem. I have configured a Fortigate with an IPsec tunnel to a Cisco firewall and everything is working. Now my requirement is as follows: connect via SSL VPN through Forticlient VPN to Fortigate and browse both the LAN connected to Fortigate ( and the remote VPN connected to Cisco ( I am able to connect correctly through the VPN client to Fortigate and browse the LAN, but I cannot access the Cisco LAN ( on the IPsec tunnel. What firewall policies should I set on the Fortigate?

Contributor III


Allow this:

   - source : SSL-VPN

   - Destination: IPsec /

Configure your SSL-VPN to push route to your VPN client


Esteemed Contributor III

Before that we need to know if the SSL VPN is "split-tunnel" or no split-tunnel. If split-tunnel, yes, you need to have Cisco LAN subnet in the split network list.

But basically you need to take case of three things in addition to the split-tunnel:
1) phase2 network selector(s) on the IPsec to allow traffic between SSL VPN client IPs and the Cisco LAN subnet unless you use the default 0/0<->0/0 phase2.

2) routing for both toward the Cisco LAN and back from the Cisco toward the SSL VPN client IPs.
3) at least one policy ssl.root->IPsec interface, and IPsec->ssl.root in case the Cisco LAN side needs to reach out those SSL VPN clients.




Hello Andrew,


You need to add both SSL VPN IP address pool and LAN subnet ( of FortiGate in the firewall policy as source  and destination as remote subnet (


You can refer below document for the configuration of SSL VPN with the IPSEC VPN.



New Contributor

i have modified the configuration like this but not ping 2023-04-14 alle 18.15.17.pngSchermata 2023-04-14 alle 18.17.51.png



Is the forticlient network present in the IPSEC tunnel?

If yes, have you created routing object for the Cisco network in the config for SSLVPN?

If yes, have you created a FW policy to allow Forticlient traffic to communicate to the Cisio network?


Hi Andrewd,

Kindly share the "route print" command output from the PC on which you are facing the issue. Also for the VPN policy to check the traffic flow we need the flow debug output below to check and suggest:

diagnose debug reset

diagnose debug disable

diagnose debug flow show fun en

diagnose debug flow filter clear

diagnose debug flow filter saddr <user IP address>

diagnose debug flow filter daddr <destination IP address which is behind CISCO>

diagnose debug flow filter proto 1

diagnose debug flow trace start 99

diagnose debug enable

NOTE: Replicate the issue by initiating the ping traffic for few packets and then after 5-10sec, disable the logs by executing:


diagnose debug disable
diag debug reset


Esteemed Contributor III

Show us the result of "route print" for windows or "route -nr" for Mac while the client is connected.
Also show us "tracert 192.168.44.X"(win) or "traceroute 192.168.44.X"(Mac) (X needs to be replaced with a real IP).