Can't access Fortigate through VPN
Hello,
We have 4 Fortigates (5.2.7) on one network.
Each has a public IP, but for security reasons I want us to be able to access them only through a VPN.
So I set up an IPsec dialup VPN. It works fine with FortiClient on Mac.
Then I put in a FW rule to access each of the devices on the internal IP (10.x.x.1-10.x.x.4) on ALL services, with NAT enabled, so each FW doesn't need to know that 192.168.1.x (the IPs of the connected clients) is behind FW 1.
I can do SSH and ping with no problems.
Anyhow, I can't access the devices through HTTPS (I changed HTTPS to port 4443); it doesn't load properly.
Sometimes I can see the login page, other times I get a timeout, other times it loads badly, etc.
"diagnose debug flow trace" shows the traffic flowing normally.
Any idea what it can be?
Thanks!
Labels: 5.2
So you ran diag debug flow and it shows no problems? I would double check the service port and allowaccess.
With SSL VPN you can enable the ssl.root interface with "set allowaccess ssh icmp snmp https", for example. If you have this set, unset it and re-apply it. In FortiOS 5.0.xx we ran into issues with set allowaccess not working as expected, and it required a reset.
Also, in a dialup VPN interface mode, you will do the same thing but on the exact dialup interface. Also I would run a diag sniffer packet <interface name> "port 443 or 4443" and see if the TCP SYN is being received.
Lastly, make sure any set trusthost allows the dialup IPsec IPv4 pool address ranges.
PCNSE
NSE
StrongSwan
Hello,
Allowaccess is properly configured, since I can sometimes access the devices (and I've double checked it).
The VPNs are IPsec.
What I don't get is why SSH and ping work fine,
but HTTPS sometimes works poorly (bad GUI, very slow), sometimes it just doesn't work, and very, very rarely it works fine.
The Internet connection is stable.
Are there any known bugs that affect it like this? (I haven't found any.)
Thanks!
Could be TCP/MSS issues, since your SSH works fine.
PCNSE
NSE
StrongSwan
I thought about that, did some testing, and the MTU is 1500 (normal).
Anyhow, I set a tcp-mss of 1350. It went a little bit faster sometimes, but I still can't access the devices properly through HTTPS...
Any other idea?
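The two checks suggested in this thread (whether the configured tcp-mss actually fits inside the IPsec encapsulation, and whether the sniffer shows the TCP SYN to the management port being answered) can be worked through offline. The following is an added example, not code from any poster or from Fortinet: the ESP/NAT-T overhead figures are assumed typical values, and the capture lines are constructed in the general style of a sniffer trace, not real output from the devices in this thread.

```python
"""Added example (not from the thread): estimate a safe TCP MSS inside an
IPsec tunnel and classify TCP handshakes to the management port from
sniffer-style capture lines.  Overheads and the line format are assumptions."""

import re
from collections import defaultdict

# Assumed encapsulation overheads in bytes. Real ESP overhead depends on the
# cipher, the integrity algorithm, padding and whether NAT-T (UDP 4500) is in
# use; these round figures are illustrative, not taken from the devices above.
OUTER_IPV4 = 20
NAT_T_UDP = 8
ESP_SPI_SEQ = 8
ESP_IV_AES_CBC = 16
ESP_TRAILER_MAX = 18      # up to 15 pad bytes + pad length + next header, rounded
ESP_ICV_SHA1_96 = 12
INNER_IPV4 = 20
TCP_HEADER = 20


def ipsec_overhead(nat_t: bool = True) -> int:
    """Bytes added around the inner IP packet by ESP (+ NAT-T encapsulation)."""
    total = OUTER_IPV4 + ESP_SPI_SEQ + ESP_IV_AES_CBC + ESP_TRAILER_MAX + ESP_ICV_SHA1_96
    return total + (NAT_T_UDP if nat_t else 0)


def safe_tcp_mss(path_mtu: int, nat_t: bool = True) -> int:
    """Largest TCP payload whose encrypted, encapsulated packet still fits path_mtu."""
    return path_mtu - ipsec_overhead(nat_t) - INNER_IPV4 - TCP_HEADER


def mss_is_safe(configured_mss: int, path_mtu: int, nat_t: bool = True) -> bool:
    """True when a configured tcp-mss (e.g. the 1350 above) avoids fragmentation."""
    return configured_mss <= safe_tcp_mss(path_mtu, nat_t)


# Constructed sample capture in the style "<time> <iface> <in|out> <src>.<port> -> <dst>.<port>: <flags> ...".
SAMPLE_CAPTURE = """\
12.345 port1 in 192.168.1.10.51000 -> 10.0.1.1.4443: syn 100
12.346 port1 out 10.0.1.1.4443 -> 192.168.1.10.51000: syn ack 101
12.350 port1 in 192.168.1.10.51000 -> 10.0.1.1.4443: ack 102
20.000 port1 in 192.168.1.10.51001 -> 10.0.1.2.4443: syn 200
23.000 port1 in 192.168.1.10.51001 -> 10.0.1.2.4443: syn 200
"""

FLOW_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
TCP_FLAGS = {"syn", "ack", "psh", "fin", "rst"}


def handshake_status(lines, mgmt_port: int) -> dict:
    """Map each (client_ip, client_port, fw_ip, fw_port) flow to a handshake verdict.

    'complete'            : SYN, SYN/ACK and the client's ACK were all seen
    'syn_ack_unanswered'  : the firewall replied but the client's ACK never arrived
    'syn_unanswered_xN'   : N client SYNs seen, no SYN/ACK (rule/allowaccess/routing)
    """
    counts = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flags = {tok for tok in m["rest"].split() if tok in TCP_FLAGS}
        if not flags:
            continue
        if int(m["dport"]) == mgmt_port:            # client -> firewall direction
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            if flags == {"syn"}:
                counts[key]["syn"] += 1
            elif "ack" in flags and "syn" not in flags:
                counts[key]["ack"] += 1
        elif int(m["sport"]) == mgmt_port:          # firewall -> client direction
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            if flags >= {"syn", "ack"}:
                counts[key]["synack"] += 1
    verdict = {}
    for key, c in counts.items():
        if c["synack"] and c["ack"]:
            verdict[key] = "complete"
        elif c["synack"]:
            verdict[key] = "syn_ack_unanswered"
        else:
            verdict[key] = f"syn_unanswered_x{c['syn']}"
    return verdict


if __name__ == "__main__":
    print("safe MSS at MTU 1500 with NAT-T:", safe_tcp_mss(1500))
    print("tcp-mss 1350 safe:", mss_is_safe(1350, 1500))
    for flow, status in handshake_status(SAMPLE_CAPTURE.splitlines(), 4443).items():
        print(flow, status)
```

With the assumed overheads, an MTU of 1500 leaves room for an MSS of 1378 (NAT-T) or 1386 (no NAT-T), so a tcp-mss of 1350 is already below the fragmentation threshold; if lowering it does not help, the classification of the SYNs in a real sniffer trace is the next thing to look at, because a flow that never gets a SYN/ACK points at the policy, allowaccess or trusthost settings rather than at MSS.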
Hi, I've got exactly the same problem. I can connect to the IPsec VPN and everything works as expected. The only problem is when trying to access the Fortinet web interface (through port 8443): it is just so slow and mostly times out. Any ideas?
Edit: downgraded the firmware to 5.2.3 and the problem is gone.
I haven't found a complete solution.
Anyhow, the problem was mainly on OS X, so we use Windows for accessing the devices.
We believe it is an issue with FortiClient (we've also had crashes of the OS).
Cheers
