FortiGate
naveenk
Staff
Article Id 195278

Description

This article describes a case where SSL VPN in web mode fails to connect from an iPhone or Mac, in any browser.

 

Scope

FortiGate.

Solution

When connecting from an iPhone in web mode by URL, this failure can be caused by a DNS problem: the client does not receive DNS settings for the connection from the FortiGate.

Collect the SSL VPN debug output in both working and non-working conditions:

diagnose vpn ssl debug-filter src-addr4 <x.x.x.x>    <----- x.x.x.x is the public source IP of the client used for the connection.
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

With the debug running, try to connect again, then disable debugging:

diagnose debug disable

Then compare the two captures.

Working.

 

[174:root:0]SND: IPCP Configure_Request id(1) [IP_Address 49.248.92.130]
[174:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0]
[174:root:0]ipcp: returning Configure-NAK
[174:root:0]SND: IPCP Configure_Nak id(1) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 49.248.92.130]
[174:root:0]RCV: IPCP Configure_Request id(2) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]ipcp: returning Configure-ACK
[174:root:0]SND: IPCP Configure_Ack id(2) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]ipcp: up ppp:0x55e45000 caller:0x55cd3b00 tun:31

 

Not working.

 

[175:root:0]SND: IPCP Configure_Request id(1) [IP_Address 49.248.92.130]
[175:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 0.0.0.0]
[175:root:0]ipcp: returning Configure-NAK
[175:root:0]SND: IPCP Configure_Nak id(1) [IP_Address 10.212.134.202]
[175:root:0]RCV: IPCP Configure_Reject id(1) [IP_Address 49.248.92.130]
[175:root:0]SND: IPCP Configure_Request id(2) [IP_Addresses Internet_Addresses(deprecated)]
[175:root:0]RCV: IPCP Configure_Request id(2) [IP_Address 10.212.134.202]
[175:root:0]ipcp: returning Configure-ACK
[175:root:0]SND: IPCP Configure_Ack id(2) [IP_Address 10.212.134.202]
[175:root:0]RCV: IPCP Configure_Reject id(2) [IP_Addresses Internet_Addresses(deprecated)]
[175:root:0]SND: IPCP Configure_Request id(3)
[175:root:0]RCV: IPCP Configure_Ack id(3)
[175:root:0]ipcp: up ppp:0x55cfc000 caller:0x55cd3b00 tun:31
[175:root:0]Cannot determine ethernet address for proxy ARP
[175:root:0]local IP address 49.248.92.130
[175:root:0]remote IP address 10.212.134.202
[175:root:1e9]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.202 to tun (ssl.root:31)
[174:root:1e7]Timeout for connection 0x55cd4400
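To make the comparison mechanical rather than by eye, the following added example (my own Python, not FortiOS or Fortinet code) parses sslvpnd debug output of the shape shown above, groups lines by the leading bracketed tag (assumed here to identify one client session), and reports per session whether the FortiGate acknowledged DNS servers to the client during IPCP. The embedded sample is constructed from the two captures above, trimmed to the IPCP and status lines; the option name "Seconday_DNS_IP_Address" is matched as FortiOS prints it.

```python
"""Parse 'diagnose debug application sslvpn -1' output and report, per
sslvpnd session tag, whether IPCP negotiation pushed DNS servers to the
client. Added example for this article; not FortiOS or Fortinet code."""
import re
from collections import OrderedDict

# Constructed sample: the working (tag 174) and failing (tag 175) captures
# from the article, trimmed to the IPCP, "ipcp: up" and timeout lines.
SAMPLE_LOG = """\
[174:root:0]SND: IPCP Configure_Request id(1) [IP_Address 49.248.92.130]
[174:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0]
[174:root:0]SND: IPCP Configure_Nak id(1) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 49.248.92.130]
[174:root:0]RCV: IPCP Configure_Request id(2) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]SND: IPCP Configure_Ack id(2) [IP_Address 10.212.134.201] [Primary_DNS_IP_Address 192.168.1.7] [Seconday_DNS_IP_Address 192.168.1.7]
[174:root:0]ipcp: up ppp:0x55e45000 caller:0x55cd3b00 tun:31
[175:root:0]SND: IPCP Configure_Request id(1) [IP_Address 49.248.92.130]
[175:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 0.0.0.0]
[175:root:0]SND: IPCP Configure_Nak id(1) [IP_Address 10.212.134.202]
[175:root:0]RCV: IPCP Configure_Reject id(1) [IP_Address 49.248.92.130]
[175:root:0]SND: IPCP Configure_Request id(2) [IP_Addresses Internet_Addresses(deprecated)]
[175:root:0]RCV: IPCP Configure_Request id(2) [IP_Address 10.212.134.202]
[175:root:0]SND: IPCP Configure_Ack id(2) [IP_Address 10.212.134.202]
[175:root:0]RCV: IPCP Configure_Reject id(2) [IP_Addresses Internet_Addresses(deprecated)]
[175:root:0]SND: IPCP Configure_Request id(3)
[175:root:0]RCV: IPCP Configure_Ack id(3)
[175:root:0]ipcp: up ppp:0x55cfc000 caller:0x55cd3b00 tun:31
[175:root:0]remote IP address 10.212.134.202
[174:root:1e7]Timeout for connection 0x55cd4400
"""

# "[<tag>:<vdom>:<level>]<body>" as printed by sslvpnd.
LINE_RE = re.compile(r"^\[(?P<tag>\d+):(?P<vdom>[^:\]]+):[^\]]*\](?P<body>.*)$")
IPCP_RE = re.compile(r"^(?P<dir>SND|RCV): IPCP (?P<kind>Configure_\w+) id\((?P<id>\d+)\)(?P<opts>.*)$")
OPT_RE = re.compile(r"\[(?P<name>[A-Za-z_]+) (?P<value>[^\]]+)\]")
# FortiOS spells the secondary DNS option "Seconday_..."; accept both spellings.
DNS_OPTS = ("Primary_DNS_IP_Address", "Seconday_DNS_IP_Address", "Secondary_DNS_IP_Address")


def parse_options(opts: str) -> dict:
    """'[IP_Address 10.0.0.1] [Primary_DNS_IP_Address 10.0.0.2]' -> dict."""
    return {m.group("name"): m.group("value") for m in OPT_RE.finditer(opts)}


def new_session() -> dict:
    return {"assigned_ip": None, "dns": [], "client_requested_dns": False,
            "rejects": 0, "up": False}


def parse_sessions(log_text: str) -> "OrderedDict[str, dict]":
    """Group lines by the leading tag (assumed to identify one client
    session) and record the outcome of that session's IPCP negotiation."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        s = sessions.setdefault(m.group("tag"), new_session())
        body = m.group("body")
        ipcp = IPCP_RE.match(body)
        if ipcp:
            direction, kind = ipcp.group("dir"), ipcp.group("kind")
            opts = parse_options(ipcp.group("opts"))
            if direction == "RCV" and kind == "Configure_Request" and any(k in opts for k in DNS_OPTS):
                s["client_requested_dns"] = True  # client asked for DNS, even as 0.0.0.0
            elif direction == "SND" and kind == "Configure_Ack":
                # Whatever the FortiGate acknowledges is what the client will use.
                s["assigned_ip"] = opts.get("IP_Address", s["assigned_ip"])
                s["dns"] = [opts[k] for k in DNS_OPTS if k in opts]
            elif kind == "Configure_Reject":
                s["rejects"] += 1
        elif body.startswith("ipcp: up"):
            s["up"] = True
    return sessions


def count_timeouts(log_text: str) -> int:
    """Connection timeouts anywhere in the capture; the tag on that line need
    not match the IPCP lines (it does not in the failing capture above)."""
    return sum(1 for line in log_text.splitlines() if "Timeout for connection" in line)


def verdict(s: dict) -> str:
    if not s["up"]:
        return "FAIL: IPCP never came up"
    if not s["dns"]:
        return ("FAIL: tunnel up but no DNS server negotiated (client never "
                "requested DNS options; check dns-server1 in 'config vpn ssl "
                "settings' and in the portal)")
    return "OK: assigned %s, DNS %s" % (s["assigned_ip"], ", ".join(s["dns"]))


if __name__ == "__main__":
    for tag, sess in parse_sessions(SAMPLE_LOG).items():
        print(tag, verdict(sess))
    print("timeouts:", count_timeouts(SAMPLE_LOG))
```

Run it against a real capture by reading the file into `parse_sessions` instead of `SAMPLE_LOG`; a session that is "up" with an empty DNS list is the signature the fix below addresses.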

In the failing capture the client's IPCP Configure_Request carries only IP_Address, with no Primary/Secondary DNS options, so the FortiGate acknowledges an address but never hands the client a DNS server, and the connection then times out. In the working capture the client requests the DNS options and receives 192.168.1.7 in the Configure_Nak. Apply the following changes and test again:

config vpn ssl settings
    set dns-suffix "domain1.com;domain2.com;domain3.com;domain4.com;domain5.com;domain6.com;domain7.com;domain8.com"    <----- (Example).
    set dns-server1 x.x.x.x    <----- (DNS server IP).
end

config vpn ssl web portal
    edit "full-access"
        set dns-server1 x.x.x.x    <----- (DNS server IP).
        set split-tunneling enable
    next
end

Then kill the SSL VPN daemon so the new settings take effect; FortiOS restarts it automatically. Note that this terminates every active SSL VPN session on the unit:

fnsysctl killall sslvpnd