Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
arx_man
New Contributor

[Fortigate 90D v5.2.9] VPN SSL no reply

Hello!

The VPN SSL did work fine until recently when we updated to fw 5.2.9 (at least I think that's the reason, I'm not entirely sure when exactly the problem occurred for the first time). We have 3 WANS and WAN1 (62.178.xxx.xxx) is exposed to provide web access for vpn. The problem is that when a user tries to access the web portal the connection times out. The reason seems to be that the fortigate tries to reply with the correct ip on the wrong WAN, WAN2 instead of WAN1:

 

2495.680823 wan1 in 84.112.xxx.xxx.52185 -> 62.178.xxx.xxx.10443: syn 3851228698 2495.681132 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699 2506.868426 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52178: syn 2500829585 ack 3479697041 2507.668398 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699 2510.668405 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52179: syn 3003834394 ack 2372073390 2511.468412 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52180: syn 3625665206 ack 2630344925 2531.668429 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699 2555.068349 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52178: syn 2500829585 ack 3479697041 2558.868363 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52179: syn 3003834394 ack 2372073390 2559.668361 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52180: syn 3625665206 ack 2630344925 2579.868372 wan2 out 62.178.xxx.xxx.10443 -> 84.112.xxx.xxx.52185: syn 1653073614 ack 3851228699

 

All WANS have the same distance and the same priority. If I decrease the priority for WAN2 and WAN3 and leave WAN1 with the highest priority the connection works, but only for a short time, then it fails again for unknown reasons. I couldn't figure out where to configure the outgoing interface or how to deal with this issue. I'd be happy to supply additional information if required.

 

Thank you for your help.

 

2 REPLIES 2
telecosistem
New Contributor

Hello,

1) Firstly after any upgrade is mandatory use the next command to check any wrong syntax.

              diagnose debug config-error-log read

 

2) Send a output of the portal ssl settings.

 

Best regards,

Follow us: [link]https://networkingcontrol.wordpress.com[/link]

arx_man

Hello!

 

Thank you for your answer. The command you posted in 1) returned no results. I'm not too familiar with these fortigate devices so I hope I am indeed providing the info you requested:

 

config vpn ssl settings     set servercert "Fortinet_Factory"     set idle-timeout 600     set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"     set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"     set wins-server1 10.5.9.7     set source-interface "wan1"     set source-address "all"     set source-address6 "all"     set default-portal "full-access"         config authentication-rule             edit 1                 set groups "vpnuser"                 set portal "full-access"             next         end end

 

Thanks again.