- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN not connecting on secondary WAN interface
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN not connecting on secondary WAN interface
Hello all!
Wonder if anyone can help with this issue..
I have a 60F running 7.2.3 and my SSL VPN works fine on WAN1 that is a static IP - both via FortiClient and web browser.
I have additional 2 WAN interfaces that are PPPoE based that are also enabled for SSL VPN however they don't work via either FortiClient or web browser. FortiClient gets to 40% before dropping and Web browser states 'Connection reset'
Both interfaces are pingable allow me to access the admin GUI via HTTPS on an alternative port
The SSL VPN debug shows the following:
[249:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[249:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[250:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[250:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[251:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[251:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[252:root:1e]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[252:root:1e]Destroy sconn 0x7f8cab1800, connSize=0. (root)
[246:root:1f]allocSSLConn:306 sconn 0x7f8cab1800 (0:root)
[246:root:1f]Destroy sconn 0x7f8cab1800, connSize=0. (root)
Hoping that someone can give me a clue as to why this is happening.
TIA for any guidance
Labels:
- Labels:
-
FortiClient
-
FortiGate
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey there,
The debug above is only saying that an ssl sessions cannot be established / it's torn down.
That can be due to many reasons.
You need to check what other messages debug is showing.
1. I would start with a sniffer to see if your connection attempt arrives at the firewall.
diagnose sniffer packet any 'host <client public ip> and tcp port <ssl vpn port>' 4 0 a
2. If there is 2 way traffic, check if you match the correct policy.
diag debug flow filter addr <IPADDRESSOFTHECLIENT>
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug enable
diag debug flow trace start 100
(di de di - to stop it)
3. If you're matching the correct policy then you can run some sslvpn debug.
diag debug reset
diagnose debug cons time en
diag debug application fnbamd -1
diagnose debug app sslvpn -1
dia vpn ssl debug-filter src-addr4 x.x.x.x
diagnose debug enable
(di de di - to stop it)
That should show some more details. See if you can spot the reason.
And review your config.
You can quickly compare the working one with the nonworking one side by side, check: user, group, auth server, firewall policy, ssl vpn settings, ssl vpn rules, portals/realms.
That should help you to spot a config issue if there is one.
Hope this helps. Let me know how it goes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Make sure you see default gateway routes (0.0.0.0) for all interfaces in # get router info routing all
- Enable replying from the same interface, as described here https://community.fortinet.com/t5/Support-Forum/SSL-VPN-dual-interface/td-p/212882
- Make sure your authentication rule sin SSL VPN settings are not limiting access to just a single interface # show vpn ssl settings
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Related Posts
- BGP Peering - My Fortigate -... 108 Views
- Connecting Two SIP Trunks with Different... 256 Views
- Cisco Multicast Ping ICMP reply not... 203 Views
- Use previously created VLANs (internal interface)... 240 Views
- 81F updated the version (7.2.4 ->7.2.8)... 230 Views
Labels
-
FortiGate
6,489 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.