Bruisert
New Contributor

SSL VPN over VLAN Interface on WAN

To connect directly to my ISP (PPPoE on Fibre) I need to use a VLAN, as they need VLAN ID = 10.

So I created a VLAN sub-interface on the WAN port, and it connects well. This is a new 61F with firmware at 7.2.0.

Everything I need works well; however, my SSL VPN will not complete the connection.

Using the FortiClient VPN Only, I get 40% through the connection and then:

Warning. Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. .... (-5029)

The Win 10 PC this is running on has TLS 1.1, 1.2 and 1.3 running.

Using the web access, I can log in and then try to use RDP. It starts connecting but then fails with a message of "Connection closed!"

Looking at "Log & Report > System Events > VPN Events", I can see the test connection opening and closing, but not the VPN tunnel opening. (SSL-exit-error; SSL-alerts)

I also reviewed logs, and in summary found this: failure reason="DH lib"

Does the WAN config with the VLAN approach that I've set up support what I'm trying to do? (I'm trying to avoid using the added hardware of an ISP router configured as a bridge.)

Any other suggestions welcome.

sjoshi
Staff

Hi Bruisert,

Thank you for posting to the Fortinet Community Forum.

As per your problem description, I understand that you are facing an issue while connecting to SSL VPN and it is getting stuck at 40%.

As you have asked, "Does the WAN config with the VLAN approach that I've set up support what I'm trying to do?"
Yes, we can configure the ISP link on the VLAN and call the same VLAN interface in the SSL VPN settings as the server interface.

You have got the following error:
"This may be caused by a mismatch in the TLS version. .... (-5029)"
Please share the output of the below.

SSH session 1:
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x   (here x.x.x.x is the public IP of the user connecting)
diag debug appl sslvpn -1
diag debug appl fn -1
diag debug enable

Wait until the VPN disconnects, then disable the logs by executing:

diag debug disable
diag debug reset

SSH session 2:
config vpn ssl settings
get

Cross-verify the following setting once, as you have mentioned:
"The Win 10 PC this is running on has TLS 1.1, 1.2 and 1.3 running."

Also please go through the link for your reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL...

Let us know if this helps.

Thanks

Salon Raj Joshi

Bruisert

Thanks. Working through the above directions, I found the following:

  1. SSL VPN App - I still can't get the VPN app from the Windows Store to work. Is this expected to work? I use ?ice=1 at the end of the URL to ignore certificate issues, and use the custom port assigned.
  2. SSL VPN FortiClient VPN Only - Yay, I got this working. Turns out the custom SSL port being used was not persisting when updated in the 'custom port' field, only when entered within the Remote Gateway URL field. Seems I'd missed this with all the other 'noise' going on.
  3. SSL VPN Web - Still fails when trying to use RDP. Not too concerned here as I don't intend using this service.

Please answer point 1 above; otherwise, thanks for your support and I'm good to go now.
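A client-side check that separates the two failure modes seen in this thread, the custom SSL VPN port not being reached at all versus a TLS version or cipher mismatch of the -5029 kind. This is an added example, not part of the original thread and not a Fortinet tool; the gateway host and custom port are arguments you supply, and the status names are this script's own labels.

```python
import socket
import ssl
import sys

# TLS versions the Windows 10 client in the thread has enabled (1.1, 1.2, 1.3).
VERSIONS = {
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def classify(exc):
    """Name the layer a failure belongs to, so a wrong port is not mistaken for a TLS mismatch."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-untrusted"          # gateway speaks TLS; only its certificate is not trusted
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"    # version/cipher mismatch, the -5029 class of failure
    if isinstance(exc, OSError):         # SSLError is an OSError, so this check comes after it
        return "tcp-unreachable"         # refused or timed out: wrong custom port, NAT, link down
    if isinstance(exc, ValueError):
        return "version-unsupported-locally"  # this Python/OpenSSL build will not offer that version
    return "other"

def probe(host, port, version, verify=False, timeout=5.0):
    """Offer exactly one TLS version to host:port; return (status, negotiated_version, cipher)."""
    try:
        ctx = ssl.create_default_context()
        if not verify:                   # diagnostic mode, like the thread's ?ice=1: test negotiation only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version(), tls.cipher()[0])
    except Exception as exc:             # every failure is reported as a status, none is fatal
        return (classify(exc), None, None)

def report(host, port, verify=False):
    """Probe each version once; returns {version_name: status}."""
    return {name: probe(host, port, ver, verify)[0] for name, ver in VERSIONS.items()}

if __name__ == "__main__":
    # Usage: python tls_probe.py <gateway-host> <custom-ssl-vpn-port>
    gw, p = sys.argv[1], int(sys.argv[2])
    for name, status in report(gw, p).items():
        print(f"{name:8} {status}")
```

On current OpenSSL builds the client's own security level often refuses TLS 1.1, so read a "tls-handshake-failed" on the TLSv1.1 row together with the TLSv1.2 and TLSv1.3 rows rather than on its own; a "tcp-unreachable" on every row points at the port, not at TLS.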

sjoshi

Hi Bruisert,

You can download the FortiClient VPN app from your support portal.

Please find the link for your reference:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-download-FortiClient-offline-inst...

Thanks

Salon Raj Joshi