Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akumarr
Staff
Staff

Created on ‎04-15-2020 11:54 PM Edited on ‎10-15-2024 04:58 AM By Moderator

Article Id 198496

Technical Tip: Unable to receive VPN tunnel IP address (-30)

Description

 

This article explains the 'unable to get VPN tunnel IP address (-30)' error and the solution while using Forticlient SSL VPN as the tool. 

Solution

 

  1. Find the pictures below: two hosts and using FortiClient to establish the SSL VPN.

 

  1. From the above images, the first computer can connect to the FortiClient while the second computer gets an error 'unable to obtain an IP address for VPN tunnel (-30)'. Depending on the versions of the error the connection might get stuck at 45% or at 89%.

  2. Find the debug error below.

    2020-04-16 07:09:55 [319:root:41]sslvpn_reserve_dynip:1128 failed to get dynamic IP
    2020-04-16 07:09:55 [319:root:41]rmt_fortisslvpn_xml_cb_handler:2398 no more IP address available.
    2020-04-16 07:09:55 [319:root:41]req: /FortiClientSslvpnClearCacheUrl/for/Wini
    2020-04-16 07:09:55 [319:root:41]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
    2020-04-16 07:10:15 [319:root:41]Timeout for connection 0x7f6c36488000.

  3. To get rid of this error, check the address range configured under SSL VPN settings.
  
 
  1. The above picture shows that there is only 1 IP for FortiClient users and this is why there is this error.

  2. Increasing the address range fixes this problem.
GUI:

Navigate to SSL VPN settings, VPN -> SSL VPN settings, go to Tunnel mode client settings, and edit the 'Address range'.

sslvpnsetting.png

 

Select the option 'Specify custom IP ranges'. Then hover on the address object 'SSLVPN_Tunnel_Addr1' and select the option to edit the address object.
                          

hoversslvpn.png

 

Then edit the range according to the need, here in the below example have increased from 30 new IP addresses. So the new range is from 200 to 240.
                                                 

editrangevpn.png

 

Once the range has been edited, hit 'ok' and then hit 'Apply' to save these changes. Then new range can be seen on the GUI.

 

savedvpn.PNG

 

CLI:


config firewall address

show
    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid 13249802-2c26-51ee-a70a-e26a1b0deec3
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

(SSLVPN_TUNNEL_ADDR1) # set end-ip 10.212.134.240

(SSLVPN_TUNNEL_ADDR1) # end

 

 After updating the range, any new user should be able to connect to SSL VPN via tunnel mode (FortiClient).

 

Solution 2:
 
This issue may also occur due to the DHCP configuration on the portal. In the DHCP debugs on the FortiGate, the following error messages may be visible:

DHCP_Invalid.PNG
If the configuration checks out as per the above steps in Solution 1, it is recommended to verify that the DHCP settings for the tunnel are not pointing towards an external DHCP service.
 
config vpn ssl web portal
    edit "name_tunnel"
        show full | grep ip-mode

If the following setting is visible, this creates a conflict as this requires the use of an external DHCP server which prevents the tunnel address range specified from being assigned:

To resolve the issue, unset this setting:
config vpn ssl web portal
    edit "name_tunnel"
        unset ip-mode
    end

After, proceed to test. If the issue persists, open a case and contact TAC with the debugs and configuration file.
168239
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.