FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
naveenk
Staff
Staff
Description
This article describes SSLVPN in webmode which does not connect when using iphone/MAC on any browsers.

Solution
While connecting from iphone in web mode using url, due to DNS issue you could face this issue.

Collect the ssl vpn debug in working and non-working conditions:
# diagnose debug application sslvpn -1
# diagnose debug application fnbamd -1
# diagnose debug enable

After running try to connect again and use the below command to disable.
# diagnose debug disable
And compare the debugs.

Working.
[174:root:0]SND: IPCP Configure_Request id(1) [IP_Address 49.248.92.130]
[174:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0]
[174:root:0]ipcp: returning Configure-NAK
[174:root:0]SND: IPCP Configure_Nak id(1) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 49.248.92.130]
[174:root:0]RCV: IPCP Configure_Request id(2) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]ipcp: returning Configure-ACK
[174:root:0]SND: IPCP Configure_Ack id(2) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]ipcp: up ppp:0x55e45000 caller:0x55cd3b00 tun:31
Not working.
[175:root:0]SND: IPCP Configure_Request id(1) [IP_Address 49.248.92.130]
[175:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 0.0.0.0]
[175:root:0]ipcp: returning Configure-NAK
[175:root:0]SND: IPCP Configure_Nak id(1) [IP_Address 10.212.134.202]
[175:root:0]RCV: IPCP Configure_Reject id(1) [IP_Address 49.248.92.130]
[175:root:0]SND: IPCP Configure_Request id(2) [IP_Addresses Internet_Addresses(deprecated)]
[175:root:0]RCV: IPCP Configure_Request id(2) [IP_Address 10.212.134.202]
[175:root:0]ipcp: returning Configure-ACK
[175:root:0]SND: IPCP Configure_Ack id(2) [IP_Address 10.212.134.202]
[175:root:0]RCV: IPCP Configure_Reject id(2) [IP_Addresses Internet_Addresses(deprecated)]
[175:root:0]SND: IPCP Configure_Request id(3)
[175:root:0]RCV: IPCP Configure_Ack id(3)
[175:root:0]ipcp: up ppp:0x55cfc000 caller:0x55cd3b00 tun:31
[175:root:0]Cannot determine ethernet address for proxy ARP
[175:root:0]local IP address 49.248.92.130
[175:root:0]remote IP address 10.212.134.202
[175:root:1e9]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.202 to tun (ssl.root:31)
[174:root:1e7]Timeout for connection 0x55cd4400
Do the below changes and test again.
# config vpn ssl settings
    set dns-suffix
    "domain1.com;domain2.com;domain3.com;domain4.com;domain5.com;domain6.com;domain7.com;domain8.com"                  <----- (Example).
    set dns-server1 x.x.x.x                                                                                            <----- (DNS server IP).
end
# config vpn ssl web portal
    edit "full-access"
        set dns-server1 x.x.x.x                                                                                       <----- (DNS server IP).
        set split-tunneling enable
next
Then kill all the ssl vpn process by using the command.
fnsysctl killall sslvpnd
Refer this to pages 4 and 5 of this link:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/21cbd45b-031e-11e9-b86b-005056...

Contributors