FortiGate
Sherman_P
Staff
Article Id 300167
Description

This article explains that the address range (IP pool) configured for the portal selected under 'config authentication-rule' takes precedence over the 'tunnel-ip-pools' configured under 'config vpn ssl settings'.

Example:

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "CUSTOM_RANGE"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

config firewall address
    edit "CUSTOM_RANGE"
        set uuid fd50ff24-cf96-51ee-c2a1-3cc66818b050
        set type iprange
        set start-ip 192.168.1.0
        set end-ip 192.168.1.10
    next
end

config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid 0509ed58-bb00-51ee-43cf-7daf4fb4e3ed
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end


In the above configuration, the user connects successfully and the assigned IP comes from the SSLVPN_TUNNEL_ADDR1 address range, because that is the 'ip-pools' of the 'full-access' portal selected under 'config authentication-rule', not the CUSTOM_RANGE pool set under 'config vpn ssl settings'.

Scope

FortiGate.
Solution

To get the expected IP, always check which address range is used by the portal selected under 'config authentication-rule' and adjust it as necessary.

Also check the 'tunnel-addr-assigned-method' parameter under 'config vpn ssl settings'. It is only visible in the CLI, and the default is 'first-available'.

FGT (settings) # set tunnel-addr-assigned-method

first-available  <----- Assign the first available address from the pools.
round-robin      <----- Assign the available address from the pool in a round-robin fashion.

If 'round-robin' is configured, the SSL VPN connection gets its IP from the 'tunnel-ip-pools' configured under 'config vpn ssl settings' and bypasses the IP pool of the SSL VPN portal.

config vpn ssl settings
    set tunnel-addr-assigned-method round-robin
end
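The following Python script is an added example, not code from this article or from Fortinet. It parses the FortiOS CLI blocks shown above (config/edit/set/next/end) and then applies the precedence rule the article describes: with the default 'first-available' method the 'ip-pools' of the portal chosen by the matching authentication rule wins, while 'round-robin' makes the 'tunnel-ip-pools' of 'config vpn ssl settings' win. The sample config is a trimmed copy of the page's blocks with the uuids dropped. Two things are assumptions of the example rather than statements of the article: authentication rules are matched top to bottom with 'default-portal' as the fallback, and a portal that has no 'ip-pools' falls back to the settings pool.

```python
import shlex
from ipaddress import IPv4Address

# Constructed sample (hypothetical input): the article's config blocks trimmed to the
# keys the resolver reads; pool names and ranges are the ones shown on the page.
SAMPLE_CONFIG = """
config vpn ssl settings
    set tunnel-ip-pools "CUSTOM_RANGE"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
config vpn ssl web portal
    edit "full-access"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config firewall address
    edit "CUSTOM_RANGE"
        set type iprange
        set start-ip 192.168.1.0
        set end-ip 192.168.1.10
    next
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config (config/edit/set/next/end) into nested dicts.
    'set' values stay token lists: ip-pools and groups accept several names per line."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def effective_pool(cfg, group):
    """Return (pool names, reason) for a user in `group`, following the article:
    first-available -> the portal's ip-pools win; round-robin -> settings' tunnel-ip-pools."""
    settings = cfg["vpn ssl settings"]
    method = settings.get("tunnel-addr-assigned-method", ["first-available"])[0]
    settings_pools = settings.get("tunnel-ip-pools", [])
    # Assumption: rules match top to bottom, default-portal is the fallback.
    portal_name = settings.get("default-portal", [None])[0]
    for rule in settings.get("authentication-rule", {}).values():
        if group in rule.get("groups", []):
            portal_name = rule.get("portal", [portal_name])[0]
            break
    portal_pools = cfg.get("vpn ssl web portal", {}).get(portal_name, {}).get("ip-pools", [])
    if method == "round-robin":
        return settings_pools, "round-robin: settings tunnel-ip-pools, portal pool bypassed"
    if portal_pools:
        return portal_pools, f"first-available: ip-pools of portal '{portal_name}' take precedence"
    # Assumption (not stated in the article): a portal without ip-pools falls back to settings.
    return settings_pools, "first-available: portal has no ip-pools, settings tunnel-ip-pools"


def pool_ranges(cfg, pool_names):
    """Expand iprange firewall address objects into (start, end) IPv4Address tuples."""
    ranges = []
    for name in pool_names:
        addr = cfg["firewall address"][name]
        if addr.get("type", [None])[0] != "iprange":
            raise ValueError(f"{name}: only iprange objects are handled here")
        ranges.append((IPv4Address(addr["start-ip"][0]), IPv4Address(addr["end-ip"][0])))
    return ranges


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for method in ("first-available", "round-robin"):
        cfg["vpn ssl settings"]["tunnel-addr-assigned-method"] = [method]
        pools, reason = effective_pool(cfg, "sslvpngroup")
        print(method, "->", pools, pool_ranges(cfg, pools), "|", reason)
```

Running the script prints SSLVPN_TUNNEL_ADDR1 (10.212.134.200 to 10.212.134.210) for 'first-available' and CUSTOM_RANGE (192.168.1.0 to 192.168.1.10) for 'round-robin', which is the behaviour the article describes. Feeding it a 'show vpn ssl settings', 'show vpn ssl web portal' and 'show firewall address' export from a real unit is a quick way to verify which pool a given group will actually draw from before users report an unexpected address.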