nithincs
Staff
Article Id 193479
Description
This article describes how to configure a FortiGate so that one SSL VPN client can communicate with another SSL VPN client connected to the same FortiGate.

Solution
Create a new firewall policy with the following settings.

Incoming Interface: ssl.root interface.

Outgoing Interface: ssl.root interface.

Source: all or the SSL VPN client range (address object), plus the SSL VPN user group.

Destination: all or the SSL VPN client range (address object).

Schedule: always.

Service: ALL.

Action: accept.

NAT: disabled.

If split tunneling is enabled in the SSL VPN portal, also add the SSL VPN client subnet to the routing address list of that portal, so that traffic destined to other clients is sent through the tunnel rather than the client's local gateway.

After making these changes, test the SSL VPN client-to-client communication.
Make sure the Windows firewall on each client allows this traffic; by default it will block inbound ICMP and other connections from the VPN subnet.

If the issue is not resolved at this point, open a support ticket at https://support.fortinet.com/ and attach the following:

- The FortiGate configuration file.

- Output of the commands below from the SSL VPN client machine:
ipconfig /all
route print
tracert <remote sslvpn client>
- Output of the debug commands below, run on the FortiGate over an SSH session and saved to a text file (these are the abbreviated forms of diagnose debug ...; the full command names are accepted as well):
dia de reset
dia de flow filter addr x.x.x.x                            <----- Replace x.x.x.x with the source SSL VPN client IP.
dia de flow filter proto 1                                 <----- Protocol 1 is ICMP, so only the test ping is traced.
dia de flow trace start 10000
dia de en
After running the commands, initiate the ping from the client PC.
Afterwards, disable the debug using the commands below:
dia de reset
dia de dis
