FortiGate
js2
Staff
Article Id 197908

Description

 

This article describes possible causes of an SSL VPN connection failure with one specific symptom: the client's traffic reaches the FortiGate, but the FortiGate does not respond.

 

Scope

 

FortiGate.

Solution


Start by verifying the basics: user authentication, the route back to the client, and the firewall policy for SSL VPN traffic.
For more details, refer to the SSL VPN configuration guide.


Take a packet capture on the FortiGate and confirm that the client's traffic is actually received.
In this case the capture shows the client's SYN arriving on wan and being retransmitted, but the FortiGate never answers with SYN+ACK:

 

2020-04-23 07:32:35.980933 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:36.980701 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:38.981467 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987

 

Check the crash log for any crash of the sslvpnd process:

 

diag debug crashlog read

 

Capture a debug flow trace and check whether the packet is dropped, and by which handler. In the trace below the packet is received, a session is allocated and a route is found, but the local-in handler then drops it:

 

id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:10568->4.5.9.2:10443) from lan4. flag [S], seq 1191361412, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-000133ab"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=80000000 gw-4.5.9.2 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=420 msg="iprope_in_check() check failed on policy 0, drop"
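To triage these two outputs quickly, here is an added Python example (not part of the original article and not Fortinet code) that parses the sniffer lines and the debug flow lines shown above, counts SYNs per client that never get a SYN+ACK, and extracts the handler that dropped the packet. The sample lines are constructed from the ones on this page plus one assumed healthy SYN+ACK exchange for contrast; the assumed sniffer line layout is the one shown above (timestamp, interface, direction, src.port -> dst.port: flags).

```python
import re
from collections import defaultdict

# Constructed sample: the sniffer lines from this article (verbosity-4 style:
# timestamp, interface, direction, src.port -> dst.port: flags seq).
SNIFFER_OUTPUT = """\
2020-04-23 07:32:35.980933 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:36.980701 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
2020-04-23 07:32:38.981467 wan in 1.1.1.1.55031 -> 4.5.9.2.10443: syn 2487955987
"""

# Constructed healthy case for contrast: the FortiGate answers the SYN (assumed
# layout of a reply line, same format with direction "out").
HEALTHY_OUTPUT = """\
2020-04-23 07:40:01.000000 wan in 1.1.1.1.55042 -> 4.5.9.2.10443: syn 1000
2020-04-23 07:40:01.000300 wan out 4.5.9.2.10443 -> 1.1.1.1.55042: syn 2000 ack 1001
"""

# Constructed sample: the debug flow lines from this article.
DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:10568->4.5.9.2:10443) from lan4. flag [S], seq 1191361412, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-000133ab"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=80000000 gw-4.5.9.2 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=420 msg="iprope_in_check() check failed on policy 0, drop"
"""

FLOW_RE = re.compile(r'func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')


def parse_sniffer(text):
    """Parse sniffer lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        head, sep, tail = line.strip().partition(": ")
        fields = head.split()
        if not sep or len(fields) != 7 or fields[5] != "->":
            continue
        src, sport = fields[4].rsplit(".", 1)
        dst, dport = fields[6].rsplit(".", 1)
        # TCP flags are the alphabetic tokens after the colon ("syn 123 ack 456" -> {syn, ack}).
        flags = {tok for tok in tail.split() if tok.isalpha()}
        records.append({"ts": f"{fields[0]} {fields[1]}", "iface": fields[2], "dir": fields[3],
                        "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags})
    return records


def handshake_status(records, vpn_port):
    """Count inbound SYNs and outbound SYN+ACKs per client (ip, port) for the VPN port."""
    status = defaultdict(lambda: {"syn": 0, "synack": 0})
    for r in records:
        if r["dir"] == "in" and r["dport"] == vpn_port and r["flags"] == {"syn"}:
            status[(r["src"], r["sport"])]["syn"] += 1
        elif r["dir"] == "out" and r["sport"] == vpn_port and r["flags"] == {"syn", "ack"}:
            status[(r["dst"], r["dport"])]["synack"] += 1
    return dict(status)


def unanswered_clients(records, vpn_port):
    """Clients that retransmitted the SYN (2 or more) and never received a SYN+ACK."""
    return sorted(c for c, s in handshake_status(records, vpn_port).items()
                  if s["syn"] >= 2 and s["synack"] == 0)


def flow_drop_reason(text):
    """Return (func, msg) of the first debug flow line that drops/denies the packet, or None."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m and ("drop" in m.group("msg") or "denied" in m.group("msg").lower()):
            return m.group("func"), m.group("msg")
    return None


def diagnose(sniffer_text, flow_text, vpn_port="10443"):
    """Combine both outputs into a list of findings for the troubleshooter."""
    findings = []
    for ip, port in unanswered_clients(parse_sniffer(sniffer_text), vpn_port):
        findings.append(f"{ip}:{port} retransmitted SYN to port {vpn_port}; no SYN+ACK from the FortiGate")
    drop = flow_drop_reason(flow_text)
    if drop:
        func, msg = drop
        hint = ""
        if func == "fw_local_in_handler":
            # Dropped by the local-in check on the SSL VPN listener, before any
            # forward policy: review SSL VPN source-address / source-address-negate
            # and local-in policies rather than the regular policy table.
            hint = " -> check SSL VPN source-address/source-address-negate and local-in policy"
        findings.append(f"debug flow: {func}: {msg}{hint}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SNIFFER_OUTPUT, DEBUG_FLOW):
        print(finding)
    print("healthy capture, unanswered clients:",
          unanswered_clients(parse_sniffer(HEALTHY_OUTPUT), "10443"))
```

The healthy sample shows what the capture should look like when the listener is working: the SYN+ACK leaves on the same interface with direction out, and the client disappears from the unanswered list.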

 

Check whether the 'source-address-negate' option is enabled in the SSL VPN settings.
When it is enabled, the meaning of 'source-address' is inverted: every address listed under 'source-address' is blocked instead of allowed, which is one cause of the symptom described above.


Note: Do not list the 'all' address (or any set of addresses that covers every client) in 'source-address' while negate is enabled. Doing so will cause the FortiGate to drop all SSL VPN connections.

 

config vpn ssl settings

set source-address-negate {enable | disable}
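To make the negate semantics concrete, here is an added Python example (not part of the original article and not Fortinet code) that parses a settings snippet in the style of "show vpn ssl settings" output and models the source-address check: the misconfiguration the note above warns about (negate enabled with 'all') beside a corrected blocklist variant. The snippets, the address-object table and the object name BLOCKED_RANGE are constructed, and the exact output layout is assumed.

```python
import ipaddress
import shlex

# Constructed sample in the style of "show vpn ssl settings" output; only
# source-address / source-address-negate matter here. This is the misconfiguration
# the note above warns about: negate enabled with the catch-all address.
SETTINGS_ALL_NEGATED = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan"
    set source-address "all"
    set source-address-negate enable
    set port 10443
end
"""

# Constructed corrected variant: negate used as intended, to block one range only.
SETTINGS_BLOCKLIST = """\
config vpn ssl settings
    set source-interface "wan"
    set source-address "BLOCKED_RANGE"
    set source-address-negate enable
    set port 10443
end
"""

# Constructed address-object table (name -> prefix); "all" is the built-in catch-all.
ADDRESS_OBJECTS = {
    "all": "0.0.0.0/0",
    "BLOCKED_RANGE": "203.0.113.0/24",
}


def parse_settings(text):
    """Turn 'set <key> <value...>' lines into a dict; multi-value keys become lists."""
    settings = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
    return settings


def source_networks(settings, address_objects):
    """Resolve the source-address object names to IP networks."""
    names = settings.get("source-address", [])
    if isinstance(names, str):
        names = [names]
    return [ipaddress.ip_network(address_objects[name]) for name in names]


def client_allowed(client_ip, settings, address_objects=ADDRESS_OBJECTS):
    """Model of the source-address check: without negate the client must match one
    listed address; with negate enabled the listed addresses are the ones blocked."""
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in net for net in source_networks(settings, address_objects))
    negate = settings.get("source-address-negate") == "enable"
    return (not matched) if negate else matched


def review(settings, address_objects=ADDRESS_OBJECTS):
    """Flag a negated source-address list that covers every address: no client can connect."""
    if settings.get("source-address-negate") != "enable":
        return []
    if any(net.prefixlen == 0 for net in source_networks(settings, address_objects)):
        return ["source-address-negate is enabled and source-address covers all addresses: "
                "every SSL VPN connection will be dropped"]
    return []


if __name__ == "__main__":
    for label, text in (("all negated", SETTINGS_ALL_NEGATED), ("blocklist", SETTINGS_BLOCKLIST)):
        cfg = parse_settings(text)
        print(label, "client 198.51.100.7 allowed:", client_allowed("198.51.100.7", cfg))
        print(label, "client 203.0.113.5 allowed:", client_allowed("203.0.113.5", cfg))
        print(label, "warnings:", review(cfg))
```

With negate enabled and 'all' listed, every client is rejected before the TCP handshake completes, which matches the SYN-without-SYN+ACK capture above; the blocklist variant rejects only 203.0.113.0/24 and lets everyone else reach the portal.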

 

Check that the kernel iprope entries were installed correctly, in particular the entry for the SSL VPN destination port (10443 in this example).

Run the following diagnostic commands on the affected FortiGate:

 

diagnose netlink interface list <SSL VPN listening interface>

diagnose firewall iprope list 10000e

 

Related article:
VPN SSL settings - FortiGate CLI reference.