Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TC_Hessen
New Contributor

SSL VPN reachable at one wan port, but not at another

Hi,

I have the scenario that an SSL VPN (tunnel and web mode) is reachable at both WAN ports that are connected to the internet. Since 5.2.4 I cannot reach the portal using wan1, but I can at wan2. A packet sniffer shows only a SYN, but no ACK.

So, a simple https://public.wan1.ip fails, but https://public.wan2.ip works.

Is this a known issue? I plan to downgrade to 5.2.3 for testing and to reconfigure the FGT from a factory default, but not during production hours.

FGT110C with 5.2.4

best regards, TC

Sylvia
Contributor II

Hey,

According to the thread "Re: FortiOS v5.2.4 is out...." there are some connection issues with v5.2.4.

But just to make sure: can you ping wan1?

Maybe you will see more information in the debug flow:

diag deb ena
diag deb flow sho con ena
diag deb flow filter dport 443
diag deb flow filter daddr <ip-of-wan1>
diag deb flow trace start 10

Now try to connect again and see what happens...

Sylvia

TC_Hessen
New Contributor

Not much :) I have changed the port to 10443, because 443 has too much other traffic at the moment, but the result is the same. 2 tries, wan1 and wan2...

2015-07-29 12:15:35 id=20085 trace_id=95 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57781->wan1.ip.foo.bar:10443) from wan1. flag , seq 2536741931, ack 0, win 64240"
2015-07-29 12:15:35 id=20085 trace_id=95 msg="allocate a new session-0027ca31"
2015-07-29 12:15:38 id=20085 trace_id=96 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57781->wan1.ip.foo.bar:10443) from wan1. flag , seq 2536741931, ack 0, win 64240"
2015-07-29 12:15:38 id=20085 trace_id=96 msg="Find an existing session, id-0027ca31, original direction"
2015-07-29 12:15:44 id=20085 trace_id=97 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57781->wan1.ip.foo.bar:10443) from wan1. flag , seq 2536741931, ack 0, win 64240"
2015-07-29 12:15:44 id=20085 trace_id=97 msg="Find an existing session, id-0027ca31, original direction"
2015-07-29 12:16:10 id=20085 trace_id=98 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag , seq 351494270, ack 0, win 64240"
2015-07-29 12:16:10 id=20085 trace_id=98 msg="allocate a new session-0027cb8a"
2015-07-29 12:16:10 id=20085 trace_id=99 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 351494271, ack 1903287276, win 64240"
2015-07-29 12:16:10 id=20085 trace_id=99 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:10 id=20085 trace_id=100 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 351494271, ack 1903287276, win 64240"
2015-07-29 12:16:10 id=20085 trace_id=100 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:11 id=20085 trace_id=101 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 351494380, ack 1903288219, win 63297"
2015-07-29 12:16:11 id=20085 trace_id=101 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:11 id=20085 trace_id=102 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:57810->wan2.ip.foo.bar:10443) from ppp1. flag [F.], seq 351494566, ack 1903288266, win 63250"
2015-07-29 12:16:11 id=20085 trace_id=102 msg="Find an existing session, id-0027cb8a, original direction"
2015-07-29 12:16:11 id=20085 trace_id=103 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:16878->wan2.ip.foo.bar:10443) from ppp1. flag , seq 2068041829, ack 0, win 64240"
2015-07-29 12:16:11 id=20085 trace_id=103 msg="allocate a new session-0027cb92"
2015-07-29 12:16:11 id=20085 trace_id=104 msg="vd-root received a packet(proto=6, ext.ip.foo.bar:16878->wan2.ip.foo.bar:10443) from ppp1. flag [.], seq 2068041830, ack 1010721064, win 64240"
2015-07-29 12:16:11 id=20085 trace_id=104 msg="Find an existing session, id-0027cb92, original direction"

best regards, TC
Sylvia

Hm, in both cases a session is established... (I think my filter wasn't the best one, so we only see the incoming direction.)

So an ACK should be sent, but you said the client didn't receive an ACK...

Maybe a routing issue? Can you check this with the packet sniffer:

diag sniffer packet any 'port 10443' 4

Sylvia

TC_Hessen
New Contributor

Hmm... f... you are right.

22.497665 wan1 in ext.ip.foo.bar.65104 -> wan1.ip.foo.bar.10443: syn 582187818
22.497760 ppp1 out wan1.ip.foo.bar.10443 -> ext.ip.foo.bar.65104: syn 1750013977 ack 582187819
25.479696 wan1 in ext.ip.foo.bar.65104 -> wan1.ip.foo.bar.10443: syn 582187818
25.479733 ppp1 out wan1.ip.foo.bar.10443 -> ext.ip.foo.bar.65104: syn 1750013977 ack 582187819

Thanks, that was it. I changed the priority of one WAN port back to 1, but I have no idea why this changed.

best regards, TC
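The sniffer output in the last post shows the path split that Sylvia suspected: the client's SYN enters on wan1, but the FortiGate's SYN/ACK leaves on ppp1, so the client never sees it and keeps retransmitting the SYN. As an added example (written for this page, not code from the thread or a Fortinet tool), the Python script below parses verbosity-4 "diag sniffer packet" lines of that shape, pairs each inbound SYN with the outbound SYN/ACK of the same connection and flags handshakes whose reply leaves on a different interface than the SYN arrived on. The four wan1 lines are the ones TC posted; the wan2/ppp1 lines are constructed for contrast to show what a symmetric handshake looks like, and the line format is assumed from the posted output.

```python
"""Spot asymmetric routing in FortiOS 'diag sniffer packet any <filter> 4' output.

Verbosity 4 prints one line per packet (format assumed from the thread's output):
    <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags and seq/ack>
A handshake is routed symmetrically when the SYN/ACK leaves on the same interface
the SYN arrived on. If it leaves elsewhere (SYN in on wan1, SYN/ACK out on ppp1),
the client never receives the SYN/ACK and keeps retransmitting its SYN.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+(?:\.\d+)?)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+->\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

# A flow is keyed client-side first, regardless of which direction a packet travels.
FlowKey = Tuple[str, int, str, int]


@dataclass
class Handshake:
    syn_in_iface: Optional[str] = None      # interface the client's SYN entered on
    synack_out_iface: Optional[str] = None  # interface the FGT sent its SYN/ACK on
    syn_count: int = 0                      # SYNs seen; more than 1 means the client is retrying

    @property
    def asymmetric(self) -> bool:
        return (self.syn_in_iface is not None
                and self.synack_out_iface is not None
                and self.syn_in_iface != self.synack_out_iface)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one sniffer line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Flag words are the alphabetic tokens ("syn", "ack", "psh", "fin", "rst");
    # the numeric tokens are sequence/ack numbers that are not needed here.
    flags = {tok for tok in m.group("rest").split() if tok.isalpha()}
    return {
        "iface": m.group("iface"),
        "dir": m.group("dir"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags,
    }


def analyze(lines) -> Dict[FlowKey, Handshake]:
    """Pair each inbound SYN with the outbound SYN/ACK for the same connection."""
    flows: Dict[FlowKey, Handshake] = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or "syn" not in pkt["flags"]:
            continue  # only handshake packets decide the path
        if "ack" not in pkt["flags"]:
            # bare SYN: client -> server, so the key is already client-first
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            hs = flows.setdefault(key, Handshake())
            hs.syn_count += 1
            if pkt["dir"] == "in":
                hs.syn_in_iface = pkt["iface"]
        else:
            # SYN/ACK: server -> client, flip it so the key matches the SYN
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            hs = flows.setdefault(key, Handshake())
            if pkt["dir"] == "out":
                hs.synack_out_iface = pkt["iface"]
    return flows


def asymmetric_flows(flows: Dict[FlowKey, Handshake]) -> List[FlowKey]:
    return [key for key, hs in flows.items() if hs.asymmetric]


# The four wan1 lines are the ones posted in the thread above.
THREAD_CAPTURE = """\
22.497665 wan1 in ext.ip.foo.bar.65104 -> wan1.ip.foo.bar.10443: syn 582187818
22.497760 ppp1 out wan1.ip.foo.bar.10443 -> ext.ip.foo.bar.65104: syn 1750013977 ack 582187819
25.479696 wan1 in ext.ip.foo.bar.65104 -> wan1.ip.foo.bar.10443: syn 582187818
25.479733 ppp1 out wan1.ip.foo.bar.10443 -> ext.ip.foo.bar.65104: syn 1750013977 ack 582187819
"""

# Constructed for contrast (not from the thread): a healthy handshake via wan2/ppp1,
# where the SYN/ACK leaves on the interface the SYN came in on.
CONSTRUCTED_WAN2_CAPTURE = """\
30.100000 ppp1 in ext.ip.foo.bar.65110 -> wan2.ip.foo.bar.10443: syn 900000001
30.100050 ppp1 out wan2.ip.foo.bar.10443 -> ext.ip.foo.bar.65110: syn 777000001 ack 900000002
30.130000 ppp1 in ext.ip.foo.bar.65110 -> wan2.ip.foo.bar.10443: ack 777000002
"""

if __name__ == "__main__":
    capture = (THREAD_CAPTURE + CONSTRUCTED_WAN2_CAPTURE).splitlines()
    for key, hs in analyze(capture).items():
        client, cport, server, sport = key
        verdict = "ASYMMETRIC" if hs.asymmetric else "ok"
        print(f"{client}:{cport} -> {server}:{sport}  syn in {hs.syn_in_iface}, "
              f"syn/ack out {hs.synack_out_iface}, {hs.syn_count} SYN(s): {verdict}")
```

Run it against a saved sniffer capture (for example "diag sniffer packet any 'port 10443' 4" piped to a file) and any flow reported as ASYMMETRIC points at a routing decision, such as the WAN port priority TC had to reset, rather than at the SSL VPN service itself.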