Mari_Muneeswaran_Mar
New Contributor

VPN event duplicates in FortiGate firewall.

Hi Fortigate firewall team,

I have noticed two kinds of VPN transactions in my firewall.

I have received two logs with action="tunnel-up" and action="tunnel-down" from the same remote host IP at the same time.

Here, tunnel-type = "ssl-web" || "ssl-tunnel".

1st Log:

<190>date=2018-06-12 time=00:30:32 devname=FGT_FW devid=FGT_FW logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logtime=1528126232 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"

2nd Log:

<190>date=2018-06-12 time=00:30:34 devname=FGT_FW devid=FGT_FW logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logtime=1528126234 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x tunnelip=10.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"

I have a doubt about the above logs.

The 1st log doesn't contain the tunnel IP address, but the 2nd log contains the tunnel IP address. Why does this duplication occur?

Thanks,

Mari Muneeswaran Marimuthu.

Toshi_Esumi
Esteemed Contributor II

I think it's because of the "reason". The first one is for user "login successful", then the second one is for "tunnel established" with the tunnel IP.

Mari_Muneeswaran_Mar
New Contributor

@Somashekara Hanumantha Reddy

Please kindly explain this scenario.

Mari_Muneeswaran_Mar
New Contributor

Hi Toshi Esumi,

I received a few VPN transactions in between these logs.

My VPN logs are in the below structure:

<Tunnel-Up> log with tunnel-type = ssl-web

<VPN Traffic by the user>

<Tunnel-Up> log with tunnel-type = ssl-tunnel

<VPN Traffic by the user>

<Tunnel-down> log with tunnel-type = ssl-tunnel

<Tunnel-down> log with tunnel-type = ssl-web

It's confusing. Please clarify my doubt.

Thanks,

Mari Muneeswaran Marimuthu.

Toshi_Esumi

Can you post the entire log? If you compare them with "diag debug app sslvpn -1" debug output, they might make sense to you.
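
For log consumers that would otherwise count each tunnel-up event as a separate VPN login, here is an added example (not from the thread and not Fortinet code) that parses the key=value lines and folds the ssl-web and ssl-tunnel events into one record per connection. Treating a shared user, remip and tunnelid as one session is an assumption drawn from the two logs posted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Lines 1-2 are the two logs from the question (highlight markup removed).
# Lines 3-4 are constructed tunnel-down events in the order the thread describes.
SAMPLE = [
    '<190>date=2018-06-12 time=00:30:32 devname=FGT_FW devid=FGT_FW logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logtime=1528126232 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"',
    '<190>date=2018-06-12 time=00:30:34 devname=FGT_FW devid=FGT_FW logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logtime=1528126234 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x tunnelip=10.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"',
    'date=2018-06-12 time=01:10:05 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x tunnelip=10.x.x.x user="testUser"',
    'date=2018-06-12 time=01:10:06 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser"',
]

def parse(line):
    """Turn one key=value syslog line into a dict (quoted or bare values)."""
    return {k: q if q else b for k, q, b in KV.findall(line)}

def sessions(lines):
    """Collapse per-layer VPN events into one record per (user, remip, tunnelid)."""
    out = defaultdict(lambda: {"up": {}, "down": {}, "tunnelip": None})
    for line in lines:
        ev = parse(line)
        if ev.get("subtype") != "vpn" or ev.get("action") not in ("tunnel-up", "tunnel-down"):
            continue  # ignore traffic logs and other event subtypes
        s = out[(ev.get("user"), ev.get("remip"), ev.get("tunnelid"))]
        phase = "up" if ev["action"] == "tunnel-up" else "down"
        # One timestamp per tunneltype: ssl-web first, ssl-tunnel second in the posted logs
        s[phase][ev.get("tunneltype")] = f'{ev.get("date")} {ev.get("time")}'
        # Only the ssl-tunnel events carry tunnelip; keep it once seen
        s["tunnelip"] = ev.get("tunnelip") or s["tunnelip"]
    return dict(out)

def login_count(lines):
    """Count one login per session that has any tunnel-up event."""
    return sum(1 for s in sessions(lines).values() if s["up"])

if __name__ == "__main__":
    for key, rec in sessions(SAMPLE).items():
        print(key, rec)
    print("logins:", login_count(SAMPLE))
```

A session that never produces an ssl-tunnel event keeps `tunnelip` as `None`, so the same record shape covers connections that stop after the ssl-web stage.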