Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akmostafa
New Contributor III

Created on ‎11-15-2023 04:11 AM

hub to spoke traffic in fortigate as ssl vpn client deployment

Hello Team,

 

Practically when configuring Fortigate as SSL vpn clients, users behind the client Fortigate can reach hosts behind the server Fortigate, but the other direction is not working. Moreover, the client to server direction does not work unless NAT is enabled in the corresponding firewall policies.

Even when configuring a static route on the server Fortigate to direct traffic to the client subnet throught the ssl vpn interface the scenario is not working.

Packet capture and debug flows on the server Fortigate shows that traffic is entering the tunnel, but nothing shows on the client Foritigate.

Labels:
276
0 Kudos
2 REPLIES 2
Sheikh
Staff
Staff

Created on ‎11-15-2023 06:21 AM

Hello @Akmostafa 

 

Enable  following debugs on Hub and spoke to see what is happening.

diag debug reset

diag debug app sslvpn -1

diag debug app fnbamd -1

diag debug console timestamp enable

diag debug enable

 

Moreover, following docs might help you.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-configuration-as-SSL-VPN-Hub-ser...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-acting-as-a-SSLVPN-client/ta-p/2...
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/508779/fortigate-as-ssl-vpn-...

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
257
0 Kudos
Akmostafa
New Contributor III
In response to Sheikh

Created on ‎03-20-2024 05:21 AM

Hi Sheikh,

Please find the debugs.

 

Fortigate client 172.16.14.11, username : fgclient

Fortigate server 172.16.14.1

 


FortiGate-60E-DSL (root) # 2024-03-20 15:17:35 [243:root:570]normal_cliRead,1355, read=0, tunnel finish.
2024-03-20 15:17:35 [243:root:570]fsv_tunnel2_state_cleanup:1668 0x553a7b00::0x54eef000
2024-03-20 15:17:35 [243:root:570]fsv_disassociate_fd_to_ipaddr:1953 deassociate 10.212.134.200 from tun (ssl.root:34)
2024-03-20 15:17:35 [243:root:570]tunnel is down, wait for next connection.
2024-03-20 15:17:35 [243:root:570]sslvpn_release_dynip:1517 free app session, idx[0]
2024-03-20 15:17:35 [243:root:570]sslConnGotoNextState:308 error (last state: 1, closeOp: 0)
2024-03-20 15:17:35 [243:root:570]Destroy sconn 0x553a7b00, connSize=0. (root)
2024-03-20 15:17:35 [243:root:570]SSL state:warning close notify (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]allocSSLConn:307 sconn 0x54841500 (0:root)
2024-03-20 15:17:45 [244:root:56e]SSL state:before SSL initialization (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:before SSL initialization (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]no SNI received
2024-03-20 15:17:45 [244:root:56e]client cert requirement: yes
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS read client hello (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS write server hello (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS write change cipher spec (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:TLSv1.3 write encrypted extensions (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS write certificate request (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS write certificate (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:TLSv1.3 write server certificate verify (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS write finished (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:TLSv1.3 early data (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:TLSv1.3 early data:system lib(172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:TLSv1.3 early data (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS read client certificate (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS read certificate verify (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS read finished (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS write session ticket (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL state:SSLv3/TLS write session ticket (172.16.14.11)
2024-03-20 15:17:45 [244:root:56e]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
2024-03-20 15:17:45 [244:root:56e]req: /remote/logincheck
2024-03-20 15:17:45 [244:root:56e]rmt_web_auth_info_parser_common:492 no session id in auth info
2024-03-20 15:17:45 [244:root:56e]rmt_web_access_check:759 access failed, uri=[/remote/logincheck],ret=4103,
2024-03-20 15:17:45 [244:root:56e]User Agent: FortiSSLVPN
2024-03-20 15:17:45 [244:root:56e]rmt_logincheck_cb_handler:1283 user 'fgclient' has a matched local entry.
2024-03-20 15:17:45 [244:root:56e]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.
2024-03-20 15:17:45 [244:root:56e]sslvpn_auth_check_usrgroup:3008 got user (2) group (0:0).
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (2), realm ().
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:2570 rule 1 done, got user (0:0) group (0:0) peer group (0).
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:1970 checking rule 2 cipher.
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:1978 checking rule 2 realm.
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:1989 checking rule 2 source intf.
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:2570 rule 2 done, got user (1:1) group (0:0) peer group (0).
2024-03-20 15:17:45 [244:root:56e]sslvpn_validate_user_group_list:2864 got user (2:1), group (0:0) peer group (0).
2024-03-20 15:17:45 [244:root:56e]fam_cert_send_req:1109 do certificate peer check first(2).
2024-03-20 15:17:45 [244:root:56e]fam_cert_send_req:1181 doing certificate checking for 1 peer(s).
2024-03-20 15:17:45 [2341] handle_req-Rcvd auth_cert req id=1362224970, len=1071, opt=0
2024-03-20 15:17:45 [974] __cert_auth_ctx_init-req_id=1362224970, opt=0
2024-03-20 15:17:45 [103] __cert_chg_st- 'Init'
2024-03-20 15:17:45 [140] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
2024-03-20 15:17:45 [661] __cert_init-req_id=1362224970
2024-03-20 15:17:45 [710] __cert_build_chain-req_id=1362224970
2024-03-20 15:17:45 [257] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
2024-03-20 15:17:45 [273] fnbamd_chain_build-Following depth 0
2024-03-20 15:17:45 [308] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_3')
2024-03-20 15:17:45 [273] fnbamd_chain_build-Following depth 1
2024-03-20 15:17:45 [287] fnbamd_chain_build-Self-sign detected.
2024-03-20 15:17:45 [99] __cert_chg_st- 'Init' -> 'Validation'
2024-03-20 15:17:45 [831] __cert_verify-req_id=1362224970
2024-03-20 15:17:45 [832] __cert_verify-Chain is complete.
2024-03-20 15:17:45 [457] fnbamd_cert_verify-Chain number:2
2024-03-20 15:17:45 [471] fnbamd_cert_verify-Following cert chain depth 0
2024-03-20 15:17:45 [533] fnbamd_cert_verify-Issuer found: CA_Cert_3 (SSL_DPI opt 1)
2024-03-20 15:17:45 [471] fnbamd_cert_verify-Following cert chain depth 1
2024-03-20 15:17:45 [675] fnbamd_cert_check_group_list-checking group with name 'vpnclient'
2024-03-20 15:17:45 [490] __check_add_peer-check 'vpnclient'
2024-03-20 15:17:45 [366] peer_subject_cn_check-Cert subject 'CN = 172.16.14.11'
2024-03-20 15:17:45 [294] __RDN_match-Checking 'CN' val '172.16.14.11' -- match.
2024-03-20 15:17:45 [404] peer_subject_cn_check-CN is good.
2024-03-20 15:17:45 [497] __check_add_peer-'vpnclient' check ret:good
2024-03-20 15:17:45 [612] __peer_user_clear_unmatched-Clear all user(s) other than 'vpnclient'
2024-03-20 15:17:45 [631] __peer_user_clear_unmatched-
2024-03-20 15:17:45 [191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2024-03-20 15:17:45 [738] fnbamd_cert_check_group_list-Peer users
2024-03-20 15:17:45 [741] fnbamd_cert_check_group_list- 'vpnclient' ('N/A','N/A')
2024-03-20 15:17:45 [867] __cert_verify_do_next-req_id=1362224970
2024-03-20 15:17:45 [99] __cert_chg_st- 'Validation' -> 'Done'
2024-03-20 15:17:45 [912] __cert_done-req_id=1362224970
2024-03-20 15:17:45 [1652] fnbamd_auth_session_done-Session done, id=1362224970
2024-03-20 15:17:45 [957] __fnbamd_cert_auth_run-Exit, req_id=1362224970
2024-03-20 15:17:45 [1689] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=1362224970
2024-03-20 15:17:45 [1608] auth_cert_success-id=1362224970
2024-03-20 15:17:45 [1059] fnbamd_cert_auth_copy_cert_status-req_id=1362224970
2024-03-20 15:17:45 [1067] fnbamd_cert_auth_copy_cert_status-Matched peer user 'vpnclient'
2024-03-20 15:17:45 [833] fnbamd_cert_check_matched_groups-checking group with name 'vpnclient'
2024-03-20 15:17:45 [895] fnbamd_cert_check_matched_groups-matched
2024-03-20 15:17:45 [1098] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2024-03-20 15:17:45 [1186] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=1362224970
2024-03-20 15:17:45 [216] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 1362224970, len=2099
2024-03-20 15:17:45 [1553] destroy_auth_cert_session-id=1362224970
2024-03-20 15:17:45 [1032] fnbamd_cert_auth_uninit-req_id=1362224970
2024-03-20 15:17:45 [131] fnbamd_peer_ctx_free-Freeing peer ctx 'vpnclient'
2024-03-20 15:17:45 [244:root:56e]__auth_cert_cb:895 certificate check OK.
2024-03-20 15:17:45 [244:root:56e]__auth_cert_cb:912 certificate check OK, matched peer [vpnclient].
2024-03-20 15:17:45 [244:root:56e]sslvpn_update_user_group_list:1719 Remove user(s) and group(s) do not set matched peer [vpnclient].
2024-03-20 15:17:45 [244:root:56e]sslvpn_update_user_group_list:1723 got user (1:1), group (0:0) peer group (0) after update.
2024-03-20 15:17:45 [244:root:56e]sslvpn_authenticate_user:183 authenticate user: [fgclient]
2024-03-20 15:17:45 [244:root:56e]sslvpn_authenticate_user:197 create fam state
2024-03-20 15:17:45 [244:root:56e]user 'fgclient' uses 2FA: ctx->peer_two_factor = 0, ctx->peer_name.peername = 1, ctx->is_two_factor = 0
2024-03-20 15:17:45 [244:root:56e]fam_auth_send_req:882 found node fgclient:1:vpnclient, valid:1
2024-03-20 15:17:45 [244:root:56e][fam_auth_send_req_internal:426] Groups sent to FNBAM:
2024-03-20 15:17:45 [244:root:56e]group_desc[0].grpname = fgclient
2024-03-20 15:17:45 [244:root:56e][fam_auth_send_req_internal:438] FNBAM opt = 0X301420
2024-03-20 15:17:45 local auth is done with user 'fgclient', ret=0
2024-03-20 15:17:45 [244:root:56e]fam_auth_send_req_internal:514 fnbam_auth return: 0
2024-03-20 15:17:45 [244:root:56e][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
2024-03-20 15:17:45 [244:root:56e]Received: auth_rsp_data.grp_list[0] = 16777226
2024-03-20 15:17:45 [244:root:56e][fam_auth_send_req_internal:652] The user fgclient is authenticated.
2024-03-20 15:17:45 [244:root:56e]Auth successful for user [fgclient] with matched user-peer [vpnclient]
2024-03-20 15:17:45 [244:root:56e]fam_do_cb:665 fnbamd return auth success.
2024-03-20 15:17:45 [244:root:56e]SSL VPN login matched rule (2).
2024-03-20 15:17:45 [244:root:56e]User Agent: FortiSSLVPN
2024-03-20 15:17:45 [244:root:56e]rmt_web_session_create:1209 create web session, idx[0]
2024-03-20 15:17:45 [244:root:56e]login_succeeded:536 redirect to hostcheck
2024-03-20 15:17:45 [244:root:56e]User Agent: FortiSSLVPN
2024-03-20 15:17:45 [244:root:56e]deconstruct_session_id:709 decode session id ok, user=[fgclient], group=[],authserver=[],portal=[full-access],host[172.16.14.11],rea
lm=[],csrf_token=[12BA898C6A1BAB415040B28B69CEB91],idx=0,auth=1,sid=716c08fa,login=1710937065,access=1710937065,saml_logout_url=no,pip=no,grp_info=[BvuL4F],rmt_grp_in
fo=[]
2024-03-20 15:17:45 [244:root:56e]deconstruct_session_id:709 decode session id ok, user=[fgclient], group=[],authserver=[],portal=[full-access],host[172.16.14.11],rea
lm=[],csrf_token=[12BA898C6A1BAB415040B28B69CEB91],idx=0,auth=1,sid=716c08fa,login=1710937065,access=1710937065,saml_logout_url=no,pip=no,grp_info=[BvuL4F],rmt_grp_in
fo=[]
2024-03-20 15:17:45 [244:root:56e]deconstruct_session_id:709 decode session id ok, user=[fgclient], group=[],authserver=[],portal=[full-access],host[172.16.14.11],rea
lm=[],csrf_token=[12BA898C6A1BAB415040B28B69CEB91],idx=0,auth=1,sid=716c08fa,login=1710937065,access=1710937065,saml_logout_url=no,pip=no,grp_info=[BvuL4F],rmt_grp_in
fo=[]
2024-03-20 15:17:45 [244:root:56e]req: /remote/fortisslvpn_xml?dual_stack=1
2024-03-20 15:17:45 [244:root:56e]deconstruct_session_id:709 decode session id ok, user=[fgclient], group=[],authserver=[],portal=[full-access],host[172.16.14.11],rea
lm=[],csrf_token=[12BA898C6A1BAB415040B28B69CEB91],idx=0,auth=1,sid=716c08fa,login=1710937065,access=1710937065,saml_logout_url=no,pip=no,grp_info=[BvuL4F],rmt_grp_in
fo=[]
2024-03-20 15:17:45 [244:root:56e]deconstruct_session_id:709 decode session id ok, user=[fgclient], group=[],authserver=[],portal=[full-access],host[172.16.14.11],rea
lm=[],csrf_token=[12BA898C6A1BAB415040B28B69CEB91],idx=0,auth=1,sid=716c08fa,login=1710937065,access=1710937065,saml_logout_url=no,pip=no,grp_info=[BvuL4F],rmt_grp_in
fo=[]
2024-03-20 15:17:45 [244:root:56e]rmt_fortisslvpn_xml_cb_handler:1139 Client requests dual stack tunnel
2024-03-20 15:17:45 [244:root:56e]sslvpn_reserve_dynip:1468 tunnel vd[root] ip[10.212.134.200] app session idx[0]
2024-03-20 15:17:45 [244:root:56e]form_ipv4_pol_split_tunnel_addr:79 Matched policy (id = 31) to add ipv4 split tunnel routing address
2024-03-20 15:17:45 [244:root:56e]req: /remote/sslvpn-tunnel2
2024-03-20 15:17:45 [244:root:56e]sslvpn_tunnel2_handler,59, Calling rmt_conn_access_ex.
2024-03-20 15:17:45 [244:root:56e]deconstruct_session_id:709 decode session id ok, user=[fgclient], group=[],authserver=[],portal=[full-access],host[172.16.14.11],rea
lm=[],csrf_token=[12BA898C6A1BAB415040B28B69CEB91],idx=0,auth=1,sid=716c08fa,login=1710937065,access=1710937065,saml_logout_url=no,pip=no,grp_info=[BvuL4F],rmt_grp_in
fo=[]
2024-03-20 15:17:45 [244:root:56e]normal tunnel2 request received.
2024-03-20 15:17:45 [244:root:56e]sslvpn_tunnel2_handler,173, Calling tunnel2.
2024-03-20 15:17:45 [244:root:56e]tunnel2_enter:1142 0x54841500:0x55201000 sslvpn user[fgclient],type 1,logintime 0 vd 0 vrf 0
2024-03-20 15:17:45 [244:root:56e]tun dev (ssl.root) opened (27)
2024-03-20 15:17:45 [244:root:56e]Will add auth policy for policy 31 for user fgclient:
2024-03-20 15:17:45 [244:root:56e]Add auth logon for user fgclient:, matched group number 1
2024-03-20 15:17:45 [244:root:56e]fsv_associate_fd_to_ipaddr:1922 associate 10.212.134.200 to tun (ssl.root:27)
2024-03-20 15:17:45 [244:root:56e]proxy arp: scanning 42 interfaces for IP 10.212.134.200
2024-03-20 15:17:45 [244:root:56e]Cannot determine ethernet address for proxy ARP
2024-03-20 15:18:09 [243:root:0]sslvpn_internal_remove_one_web_session:3380 web session (root:fgclient::172.16.14.11:1 1) removed for tunnel re-connect timeout

61
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.