FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JNDias
Staff
Article Id 304800
Description

This article describes an issue where, after an upgrade, SSL VPN return traffic is no longer sent back to the VPN client.


Scope

FortiGate v7.2.6 and later, v7.4.1 and later.


Solution

Working behavior before the upgrade (sniffer output, each line showing interface, direction and packet):


ssl.root in 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers out 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers in 172.16.0.5 -> 10.10.10.10: icmp: echo reply
ssl.root out 172.16.0.5 -> 10.10.10.10: icmp: echo reply

ssl.root in 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers out 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers in 172.16.0.5 -> 10.10.10.10: icmp: echo reply
ssl.root out 172.16.0.5 -> 10.10.10.10: icmp: echo reply

Behavior after the upgrade (not working):

ssl.root in 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers out 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers in 172.16.0.5 -> 10.10.10.10: icmp: echo reply  <----- No reply back to ssl.root.
ssl.root in 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers out 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers in 172.16.0.5 -> 10.10.10.10: icmp: echo reply


This is most likely caused by an existing IP pool whose range overlaps the SSL VPN client address range. In the newer versions IP pool addresses are treated as local addresses of the FortiGate, so the echo reply destined for the client IP is handled as traffic for the FortiGate itself instead of being forwarded back out through ssl.root. Remove the unused IP pool.
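As an added check (example script written for this article, not Fortinet's own tooling), the following Python parses sniffer output in the format shown above (interface, direction, src -> dst, as printed by the FortiGate packet sniffer when the interface name is included) and flags flows whose reply entered the FortiGate but never left through the interface the request arrived on; it also reports any IP pool whose range overlaps the SSL VPN client range. The pool names, pool ranges and the VPN client range are constructed sample values.

```python
import ipaddress
import re
from collections import defaultdict

# One sniffer line: optional timestamp, interface, direction, "src -> dst: proto: info"
LINE_RE = re.compile(
    r"^(?:[\d.]+\s+)?(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):\s+(?P<proto>\w+):\s+(?P<info>.*)$")

def unreturned_replies(capture):
    """Map (client, server) -> number of echo replies that entered the FortiGate
    but were never sent out on the interface the matching request came in on."""
    ingress = {}                 # (client, server) -> interface the request arrived on
    pending = defaultdict(int)   # (client, server) -> replies seen 'in' without a matching 'out'
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        iface, direction, src, dst, info = m["iface"], m["dir"], m["src"], m["dst"], m["info"]
        if info.startswith("echo request") and direction == "in":
            ingress[(src, dst)] = iface
        elif info.startswith("echo reply"):
            flow = (dst, src)    # key the reply by the client/server pair of the request
            if direction == "in":
                pending[flow] += 1
            elif iface == ingress.get(flow) and pending[flow] > 0:
                pending[flow] -= 1
    return {flow: n for flow, n in pending.items() if n > 0}

def overlapping_pools(vpn_range, pools):
    """Return the names of IP pools whose start-end range overlaps the SSL VPN client range."""
    lo, hi = (ipaddress.ip_address(a) for a in vpn_range)
    hits = []
    for name, (start, end) in pools.items():
        start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if max(lo, start) <= min(hi, end):      # two closed ranges overlap iff this holds
            hits.append(name)
    return hits

# Constructed sample: the failing capture from the article and a hypothetical pool table
AFTER_UPGRADE = """\
ssl.root in 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers out 10.10.10.10 -> 172.16.0.5: icmp: echo request
servers in 172.16.0.5 -> 10.10.10.10: icmp: echo reply
"""
POOLS = {"legacy-pool": ("10.10.10.1", "10.10.10.50"),   # constructed, overlaps the VPN clients
         "nat-pool": ("203.0.113.10", "203.0.113.20")}   # constructed, no overlap

if __name__ == "__main__":
    print("replies not returned:", unreturned_replies(AFTER_UPGRADE))
    print("pools overlapping VPN range:", overlapping_pools(("10.10.10.1", "10.10.10.254"), POOLS))
```

A non-empty result from either function points at the condition described above: a reply that is swallowed on the way back, and the pool that makes the client address look local.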


Related documents:

IP pools and VIPs are now considered local addresses

Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4

SSL VPN IP address assignments