OS 5.2.3 - SSL VPN Portal unreachable at all

Troubleshooter_73
Bronze Member
  • Total Posts : 22
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/05/27 04:31:08
  • Status: offline
2015/07/28 11:38:54 (permalink)
0

OS 5.2.3 - SSL VPN Portal unreachable at all

Hi guys,
 
currently I'm hanging at a really bad issue.
I configured SSL VPN Portal at a FWF 60D, but the Portal is unreachable at all.
Not from External, not from internal.
 
Setup:
Internal LAN --> FWF 60D --> Transfer-Network --> VDSL Router --> WAN
Client --> WAN --> VDSL Router (Port Forward 8443 to FWF) --> FWF 60D --> LAN
 
Try to reach SSL VPN Portal from Internal at the Transfer Network Interface of FWF (not possible)
Try to reach SSL VPN Portal from External WAN over VDSL Router (not possible)
 
Diag Debug Application sslvpn --> no connection
I know, it's an easy thing, but I'm stuck at the moment...
 
No further ideas...

FCNSA 5, FCNSP 5
#1
rwpatterson
Expert Member
  • Total Posts : 8004
  • Scores: 154
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/28 18:22:17 (permalink)
0
So far, what inward policies do you have in place?

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FGT60B
FWF60B
FWF80CM (2)
FWF81CM
 
#2
Troubleshooter_73
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/28 21:31:07 (permalink)
0
ssl.root --> Internal
ssl.root --> WAN1 (Split Tunneling Disabled)

Edit: The system has replaced a FWF 50B with the same config and it worked fine.
I didn't import the config, it was configured from scratch.
post edited by Troubleshooter_73 - 2015/07/28 21:33:37

FCNSA 5, FCNSP 5
#3
Sylvia
Silver Member
  • Total Posts : 83
  • Scores: 4
  • Reward points: 0
  • Joined: 2004/03/10 07:21:00
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/29 01:04:47 (permalink)
0
I assume that the Port Forwarding on the VDSL router is working, because SSLVPN works with the old FGT50B in the same setup. If you are not sure about this, try "diag sniffer packet any 'port 8443' 4" to double-check.
 
Did you specify a source usergroup in the "ssl.root->internal" policy?
Did you assign a portal for the usergroups in the SSLVPN settings?
 
Sylvia
#4
Troubleshooter_73
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/29 05:20:42 (permalink)
0
Hi Sylvia,
 
yes of course, the usergroup and Portal mapping is already done and double checked.
 
The forwarding is working for an internal FTP Server (21), for the Management Port (changed to 10443) itself and for an internal Apache (443).
Only the SSLVPN Portal at 8443 isn't working.
But this is the strange thing I mean: the Portal is also unreachable from the internal network.
It looks like the sslvpnd isn't working!

FCNSA 5, FCNSP 5
#5
Sylvia
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/29 05:52:13 (permalink)
0
Ok, but just to make sure: is "internal" added to the listening interfaces on (WebUI) VPN>SSL>Settings>Listen on Interface?
 
Maybe you can send a screenshot from this site.
And what is the exact output of "diag deb appl sslvpn -1"?
 
#6
Troubleshooter_73
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/29 06:15:33 (permalink)
0
I don't understand...
Why should the internal interface be added to the listening interfaces?
Is this a new config?
 
I always add the external WAN Interface only!

FCNSA 5, FCNSP 5
#7
Troubleshooter_73
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/29 10:23:00 (permalink)
0
Output of SSL VPN Portal doesn't bring up any messages!
 
strange also if I try to connect to portal:
 
FWF-60D # diagnose vpn ssl statistics
No data yet.
 
FWF-60D # diagnose vpn ssl list
 
FWF-60D #
 
So, nothing, absolutely nothing...
 
Is there a possibility to check if the sslvpn daemon is running?

FCNSA 5, FCNSP 5
#8
gschmitt
Gold Member
  • Total Posts : 301
  • Scores: 14
  • Reward points: 0
  • Joined: 2015/04/21 04:25:35
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/29 23:46:12 (permalink)
0
Is this a new device (as in newly configured) or did you do a firmware update per chance?
 
At VPN > SSL > Settings did you add the external and the internal interface? What is the Listen on Port number?
#9
Sylvia
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/29 23:47:41 (permalink) ☄ Helpfulby Troubleshooter_73 2015/08/10 03:33:17
0
You can see the sslvpn process with diag sys top (maybe you need a longer list: diag sys top 5 70).
You should see the sslvpn process here.
 
You are sure that you do not get any output with diag deb enable and then diag deb appl sslvpn -1 (and then try to connect to the sslvpn)?
 
In this case try the flow command:
diag deb ena
diag deb flow sho con ena
diag deb flow show fun ena
diag deb flow filter port 8443
diag deb flow trace start 20
(then connect to the sslvpn and send us the output)
 
#10
Troubleshooter_73
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/07/31 06:40:48 (permalink)
0
At first, thank you for your help Sylvia, you're welcome!
Sylvia
You are sure that you do not get any output with diag deb enable and then diag deb appl sslvpn -1 (and then try to connect to the sslvpn)?

 
I tested again and here comes the output...
 
FWF-60D # diagnose debug enable

FWF-60D # diagnose debug application sslvpn -1

FWF-60D # id=20085 trace_id=694 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=694 func=init_ip_session_common line=4527 msg="allocate a new session-00008823"
id=20085 trace_id=694 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=695 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=695 func=init_ip_session_common line=4527 msg="allocate a new session-00008826"
id=20085 trace_id=695 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=696 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=696 func=init_ip_session_common line=4527 msg="allocate a new session-00008828"
id=20085 trace_id=696 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=697 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=697 func=init_ip_session_common line=4527 msg="allocate a new session-00008829"
id=20085 trace_id=697 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=698 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=698 func=init_ip_session_common line=4527 msg="allocate a new session-0000882a"
id=20085 trace_id=698 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=699 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=699 func=init_ip_session_common line=4527 msg="allocate a new session-0000882d"
id=20085 trace_id=699 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=700 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=700 func=init_ip_session_common line=4527 msg="allocate a new session-00008834"
id=20085 trace_id=700 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=701 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:27164->192.168.2.254:8443) from wan1. flag [S], seq 1948078413, ack 0, win 65535"
id=20085 trace_id=701 func=init_ip_session_common line=4527 msg="allocate a new session-0000883b"
id=20085 trace_id=701 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 
Ok, the output of diag sys top 5 70

          newcli      912      R      28.5     0.8
            sshd      882      S      14.2     0.6
         pyfcgid      801      S       0.0     1.9
         pyfcgid      800      S       0.0     1.8
         pyfcgid      802      S       0.0     1.7
         pyfcgid      798      S       0.0     1.3
         cmdbsvr       38      S       0.0     1.2
         cw_wtpd      100      S       0.0     1.0
         miglogd       58      S       0.0     1.0
          httpsd      898      S       0.0     1.0
       ipshelper       73      S <     0.0     0.9
          httpsd      900      S       0.0     0.9
          httpsd      897      S       0.0     0.9
          httpsd       60      S       0.0     0.9
          cu_acd      103      S       0.0     0.8
          newcli      883      S       0.0     0.8
          cw_acd       98      S       0.0     0.8
           fgfmd       97      S       0.0     0.7
         src-vis       86      S       0.0     0.7
            iked       78      S       0.0     0.6
         updated       79      S       0.0     0.6
             imd       77      S       0.0     0.6
        dnsproxy       95      S       0.0     0.6
       forticldd       71      S       0.0     0.6
       forticron       70      S       0.0     0.6
            pimd       54      S       0.0     0.6
           authd       72      S       0.0     0.6
          fcnacd       74      S       0.0     0.6
           snmpd       83      S       0.0     0.5
       eap_proxy       96      S       0.0     0.5
           dhcpd       85      S       0.0     0.5
  zebos_launcher       46      S       0.0     0.5
          fnbamd       67      S       0.0     0.5
            sshd       88      S       0.0     0.5
           quard       91      S       0.0     0.5
      fortilinkd      102      S       0.0     0.5
         uploadd       57      S       0.0     0.5
            ntpd       87      S <     0.0     0.5
       fclicense       68      S       0.0     0.5
      ipsmonitor       64      S       0.0     0.5
           sqldb       76      S       0.0     0.5
           getty       63      S <     0.0     0.5
       alertmail       94      S       0.0     0.5
        kmiglogd       59      S       0.0     0.5
         telnetd       90      S       0.0     0.5
         wpad_ac       99      S       0.0     0.5
  merged_daemons       66      S       0.0     0.5
    swctrl_authd      104      S       0.0     0.5
             fsd      107      S       0.0     0.5
        httpclid       75      S       0.0     0.5
 initXXXXXXXXXXX        1      S       0.0     0.5
             nsm       47      S       0.0     0.2
             imi       61      S       0.0     0.2
            bgpd       52      S       0.0     0.1
           ospfd       50      S       0.0     0.1
           isisd       53      S       0.0     0.1
          ospf6d       51      S       0.0     0.1
           pim6d       55      S       0.0     0.1
            pdmd       56      S       0.0     0.1
            ripd       48      S       0.0     0.1
          ripngd       49      S       0.0     0.1
         usbmuxd      106      S       0.0     0.0

 
Sylvia
In this case try the flow command:
diag deb ena
diag deb flow sho con ena
diag deb flow show fun ena
diag deb flow filter port 8443
diag deb flow trace start 20
(then connect to the sslvpn and send us the output)
 

FWF-60D # id=20085 trace_id=674 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=674 func=init_ip_session_common line=4527 msg="allocate a new session-000086f1"
id=20085 trace_id=674 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=675 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=675 func=init_ip_session_common line=4527 msg="allocate a new session-000086f4"
id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=676 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=676 func=init_ip_session_common line=4527 msg="allocate a new session-000086f5"
id=20085 trace_id=676 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=677 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=677 func=init_ip_session_common line=4527 msg="allocate a new session-000086f6"
id=20085 trace_id=677 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=678 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=678 func=init_ip_session_common line=4527 msg="allocate a new session-000086f7"
id=20085 trace_id=678 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=679 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=679 func=init_ip_session_common line=4527 msg="allocate a new session-000086f9"
id=20085 trace_id=679 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=680 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=680 func=init_ip_session_common line=4527 msg="allocate a new session-000086fa"
id=20085 trace_id=680 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=681 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=681 func=init_ip_session_common line=4527 msg="allocate a new session-000086fb"
id=20085 trace_id=681 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=682 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:3072->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=682 func=init_ip_session_common line=4527 msg="allocate a new session-000086fc"
id=20085 trace_id=682 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=683 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 80.187.96.74:9885->192.168.2.254:8443) from wan1. flag [S], seq 3571483839, ack 0, win 65535"
id=20085 trace_id=683 func=init_ip_session_common line=4527 msg="allocate a new session-00008701"
id=20085 trace_id=683 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"

 
If I see the error code
msg="iprope_in_check() check failed on policy 0, drop"

I assume the sslvpnd isn't running, because the root cause is in 90% of cases like this a denied access at the interface or closed port, but in my case I triple checked the SSL-VPN config and it is listening at WAN1 and uses the port 8443.
At the VDSL Router the port forwarding is working, as you can see in the flow trace...
 

 
A Reboot of Appliance doesn't work at all.
 
I think I have to open a ticket at Fortinet, because I have no idea and it was never as hard as here to implement an SSL-VPN access...


FCNSA 5, FCNSP 5
#11
it@noble.com.hk
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/27 21:37:18
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/08/04 20:05:23 (permalink)
0
I had this problem before; my solution was to downgrade to 5.2.1.
You can search the forum; other people have had this problem and downgraded as well.
#12
Sylvia
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/08/04 23:39:21 (permalink) ☄ Helpfulby Troubleshooter_73 2015/08/10 03:33:00
0
Hey Troubleshooter_73,
 
I never experienced the problem that the sslvpnd is not running. v5.2.3 is ok for sslvpn in my opinion. There's just the fact that the sslvpn settings and firewall policies have to be configured differently than before. That's what produces most trouble for us.
 
id=20085 trace_id=675 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Normally this says that there is no matching firewall policy for this traffic, so it's dropped by policy 0.
 
Do you have a wan1->ssl.root policy with source usergroup configured?
 
Sylvia
#13
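The trace reading discussed above, as an added example that is not part of any post: a parser that groups `diag debug flow` lines by trace_id and summarises connections dropped in `fw_local_in_handler`. The function names and the sample trace are constructed for illustration.

```python
import re
from collections import defaultdict

# One flow-trace line: id=... trace_id=N func=NAME line=N msg="..."
LINE_RE = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
# Packet summary carried in the print_pkt_detail message.
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) '
    r'from (\S+)\. flag \[([^\]]*)\], seq (\d+)')

# Constructed sample in the format quoted in this thread; addresses are
# documentation ranges, not values taken from the posts.
SAMPLE = '''\
FWF-60D # id=20085 trace_id=1 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.7:40000->192.0.2.1:8443) from wan1. flag [S], seq 1000, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=4527 msg="allocate a new session-00000001"
id=20085 trace_id=1 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.7:40000->192.0.2.1:8443) from wan1. flag [S], seq 1000, ack 0, win 65535"
id=20085 trace_id=2 func=init_ip_session_common line=4527 msg="allocate a new session-00000002"
id=20085 trace_id=2 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 203.0.113.7:40001->192.0.2.1:10443) from wan1. flag [S], seq 2000, ack 0, win 65535"
id=20085 trace_id=3 func=init_ip_session_common line=4527 msg="allocate a new session-00000003"
'''


def parse_traces(text):
    """Group flow-trace lines by trace_id and return {trace_id: record}."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a leading CLI prompt
        if not m:
            continue
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        rec = traces.setdefault(tid, {"packet": None, "dropped_by": None})
        pkt = PKT_RE.search(msg)
        if pkt:
            rec["packet"] = {
                "proto": int(pkt.group(1)),
                "src": pkt.group(2), "sport": int(pkt.group(3)),
                "dst": pkt.group(4), "dport": int(pkt.group(5)),
                "in_if": pkt.group(6), "flags": pkt.group(7),
                "seq": int(pkt.group(8)),
            }
        elif msg.rstrip().endswith("drop"):
            rec["dropped_by"] = (func, msg)
    return traces


def local_in_drops(text):
    """Summarise drops in fw_local_in_handler per (interface, dst, port).

    Such a drop means the packet reached the unit but traffic addressed to
    the unit itself was rejected. Several traces sharing one SYN sequence
    number are client retransmissions of the same connection attempt.
    """
    summary = defaultdict(
        lambda: {"traces": 0, "sources": set(), "syn_seqs": set()})
    for rec in parse_traces(text).values():
        pkt, drop = rec["packet"], rec["dropped_by"]
        if not pkt or not drop or drop[0] != "fw_local_in_handler":
            continue
        entry = summary[(pkt["in_if"], pkt["dst"], pkt["dport"])]
        entry["traces"] += 1
        entry["sources"].add(pkt["src"])
        if pkt["flags"] == "S":
            entry["syn_seqs"].add(pkt["seq"])
    return dict(summary)


if __name__ == "__main__":
    for key, info in local_in_drops(SAMPLE).items():
        print(key, info)
```
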
ykonstantakopoulos@crypteianetworks.com
New Member
  • Total Posts : 13
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/06/11 02:50:03
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/08/10 03:00:25 (permalink) ☄ Helpfulby Troubleshooter_73 2015/08/10 03:32:47
0
Hello,
 
I totally agree with Sylvia.
 
Could you please check or even share your firewall policies for SSL VPN? You need a policy to firstly authenticate the SSL VPN users.
#14
Troubleshooter_73
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/08/10 03:30:57 (permalink) ☄ Helpfulby slavko 2017/04/28 08:31:43
5 (1)
Fixed!

The Usergroup was missing in the policy!

Thanks to all for the support!

FCNSA 5, FCNSP 5
#15
TuncayBAS
Gold Member
  • Total Posts : 195
  • Scores: 10
  • Reward points: 0
  • Joined: 2005/07/01 03:17:46
  • Location: Ankara / Turkey
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/08/10 03:36:46 (permalink)
0
Please set the following commands.
 
config vpn ssl settings
config authentication-rule
edit 1
unset source-interface
end
end
 
 
 

Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#16
TuncayBAS
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2015/08/12 07:40:44 (permalink)
0
Was there improvement?

Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#17
Adeboje
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/04/21 09:53:15
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2016/07/15 08:11:45 (permalink)
0
Hi ,
 
How can I make Linux ios to be available for forticlient VPN 
#18
fgarza13
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/08/29 07:03:34
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2016/08/29 07:31:59 (permalink)
0
I'm having the same issue.
I have done diag sys top 10 60 and I can't see the sslvpnd daemon, and I have done a diag sniffer packet capture with the filter 'port tcp <port-SSL-VPN-Portal>' (in my case it is 4443), and I only see SYN packets from me (LAN or WAN), but I never see an ACK or SYN packet from FortiGate.
Also, I tried to access with FortiClient, and the service is Unreachable.
The FortiGate is 300D 5.2.5 GA.
#19
onlinejul
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/01/03 01:35:43
  • Status: offline
Re: OS 5.2.3 - SSL VPN Portal unreachable at all 2017/01/03 02:01:42 (permalink)
0
Hi everyone,
 
I don't know if my contribution will help others but I ran into a similar issue and here is how it was solved :
 
1. Issue encountered
 
The VPN SSL was working on a Fortigate 60C unit. After upgrading the firmware to 5.2.10build742, the VPN SSL wasn't working anymore. Indeed, there are a number of parameters that needed to be configured differently due to the firmware's new version. After applying the appropriate changes, the VPN SSL portal wasn't reachable at all (external IP or internal IP) from our Wan1 interface but was only reachable from the Wan2 interface. Previously, it was working from both interfaces.
 
2. Solution applied
 
After checking the VPN configuration through the CLI, it appeared that the "config authentication-rule/source-interface and source-address" parameters were still present likely inherited from the previous settings before upgrading the unit. That seemed to be the problem because those settings are specified in a different location in the latest firmware version. Removing those parameters in the CLI allowed the VPN SSL to work again from all required interfaces (Wan1 and Wan2).
 
Steps followed :
 
Connect to the CLI or via SSH
 
config vpn ssl settings 
show
config vpn ssl settings
    set servercert "cert"
    set idle-timeout 0
    set tunnel-ip-pools "Your_VPN_SSL"
    set dns-suffix "Your_Domain"
    set port 012345
    set source-interface "wan2" "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "Your_Portal"
        config authentication-rule
            edit 1
                set source-interface "wan2"
                set source-address "all"
                set groups "Your_VPN_SSL_Group"
                set portal "Your_Portal"
            next
    end
end
 
config vpn ssl settings
config authentication-rule
edit 1
unset source-interface
unset source-address
next
end
 
show
config vpn ssl settings
    set servercert "cert"
    set idle-timeout 0
    set tunnel-ip-pools "Your_VPN_SSL"
    set dns-suffix "Your_Domain"
    set port 012345
    set source-interface "wan2" "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "Your_Portal"
        config authentication-rule
            edit 1
                set groups "Your_VPN_SSL_Group"
                set portal "Your_Portal"
            next
    end
end
 
I hope this can help some people.
 
Regards to all
post edited by onlinejul - 2017/01/03 02:02:55
#20
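A check for the leftover setting described in the post above, as an added example that is not part of the original post: it parses `show` output for `config vpn ssl settings` and lists listening interfaces that no authentication rule accepts. The function names and sample configs are constructed, and a rule without `source-interface` is assumed to match every listening interface, as in the working config above.

```python
import shlex

# Constructed samples modelled on the before/after configs in the post.
BEFORE = '''\
config vpn ssl settings
    set source-interface "wan2" "wan1"
    set source-address "all"
    set default-portal "Your_Portal"
    config authentication-rule
        edit 1
            set source-interface "wan2"
            set source-address "all"
            set groups "Your_VPN_SSL_Group"
            set portal "Your_Portal"
        next
    end
end
'''
AFTER = BEFORE.replace('            set source-interface "wan2"\n', '')


def parse_ssl_settings(text):
    """Return (settings, rules) parsed from `config vpn ssl settings` output."""
    settings, rules = {}, {}
    stack, rule_id = [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)  # handles quoted, multi-valued settings
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            stack.append(" ".join(tok[1:]))
        elif cmd == "end":
            if stack:
                stack.pop()
        elif cmd == "edit" and stack[-1:] == ["authentication-rule"]:
            rule_id = tok[1]
            rules[rule_id] = {}
        elif cmd == "next":
            rule_id = None
        elif cmd == "set" and len(tok) >= 2:
            if stack == ["vpn ssl settings"]:
                settings[tok[1]] = tok[2:]
            elif (stack == ["vpn ssl settings", "authentication-rule"]
                  and rule_id is not None):
                rules[rule_id][tok[1]] = tok[2:]
    return settings, rules


def uncovered_listen_interfaces(text):
    """List listening interfaces that no authentication rule accepts."""
    settings, rules = parse_ssl_settings(text)
    listening = settings.get("source-interface", [])
    if not rules:
        return []  # no rules to compare against
    covered = set()
    for rule in rules.values():
        scoped = rule.get("source-interface")
        if scoped is None:
            return []  # an unscoped rule matches every listening interface
        covered.update(scoped)
    return [iface for iface in listening if iface not in covered]


if __name__ == "__main__":
    print("before:", uncovered_listen_interfaces(BEFORE))
    print("after: ", uncovered_listen_interfaces(AFTER))
```
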