ORIGINAL: TC_Hessen
I have one stupid problem with the 5.0.6. We have 2 110C and on both we have an SSL VPN. When connecting to the first FG with disabled split tunneling, everything works fine. But when connecting to the second FG with split tunneling enabled, I cannot access the management of the unit on its internal IPs, neither ping nor SSH or HTTPS. Flow trace shows "iprope_in_check() check failed, drop". That works fine in 5.0.5. Can anyone confirm it?

FG1: 10.10.1.254
FG2: 10.10.2.254

Case 1 (no split tunneling, connected to FG1): my IP=10.11.1.1 -> FG1 and FG2 accessible
Case 2 (split tunneling, connected to FG2): my IP=10.11.2.1 -> FG1 accessible, but FG2 not

I tested split tunnel SSL VPN on a 60D and 200B with no issues connecting to the internal IP of the FortiGate. Could this be specific to 110C?

ORIGINAL: isptools
Today I see a very nasty thing on the GUI (60D/100D/200B): all counters on IPSec VPNs are 0 (and I know there should be many GBs going this way). If I look at the tunnel itself I see the traffic?

Sounds like it could be because of hardware acceleration. Do you have npu-offload enabled in your phase-1 settings? If hardware acceleration is enabled, then this is expected behavior. You can disable it, but then you should expect worse performance, higher CPU and such.

Today I see a very nasty thing on the GUI (60D/100D/200B): all counters on IPSec VPNs are 0 (and I know there should be many GBs going this way). If I look at the tunnel itself I see the traffic?

With policy or interface mode? I just checked with 2 of our 100D clusters with IPSec VPNs in interface mode and don't see any trouble on the counters.

It's all in policy-mode.

Did the IPSec counters work properly before on policy mode? I remember the counters often were either 0 or far from realistic in policy mode - throughout different 3.x and 4.x firmware versions...