Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Adrien
New Contributor

[Solved] VPN-SSL listening on DMZ port, WAN is private IP = Error

Hi All,


I'm in a "specific" case where my WAN interface IP is private (I'm on a metropolitan network) and is used only for interconnecting my networks using static routes.

My DMZ public subnet is on the "DMZ" interface/VLAN. I use SSL-VPN in web and tunnel mode. SSL-VPN is listening on the DMZ interface. In this case, when I'm on the WAN side, I can connect to the web SSL portal, enter my login and password, and after a successful login I get a white page: (https://myforti.mydomain.net/sslvpn/portal.html)... With FortiClient SSL, it returns an empty error after a few seconds.


When located in a LAN subnet, it is working as expected. VPN connection to the private WAN interface IP works too (but I need to be located in the MAN; it can't work from the WAN because of the private IP).

I suspect an internal routing anomaly. Do you have a solution without using Vdom?


Regards

rwpatterson
Valued Contributor III

Check your routing distances. The SSL VPN route distance needs to be shorter than the default gateway distance.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Adrien

Hi,

Thanks for your help! Sorry for the delay...

I was enthusiastic about that, but that does not solve the issue :'(

Static routes tab:

Subnet            Gateway       Interface                              Distance  Priority
0.0.0.0/0         10.249.0.1    Metropolitan_NET (wan1)                15        0
172.20.130.0/23   -             SSL-VPN tunnel interface (ssl.root)    10        0


Other ideas? Regards

Adrien
New Contributor

Here is a sample:

Adrien
New Contributor

Issue solved by Fortinet Support. In my configuration I have to add this in the config file:


firewall # config vpn ssl settings 

firewall (settings) # 

firewall (settings) # set route-source-interface enable 
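For readers landing here with the same symptom, the following is an added FortiOS CLI example, not configuration posted in this thread. It puts the static routes from the thread and the setting Fortinet Support recommended side by side, so the relationship between them is visible. Assumed names: the public DMZ VLAN interface is called "dmz", the WAN interface is "wan1" (as in the thread), and the SSL-VPN client range is the 172.20.130.0/23 shown in the routing table above.

```fortios
# Added example, not the poster's configuration.
# Assumptions: DMZ interface is "dmz", WAN interface is "wan1",
# SSL-VPN client range is 172.20.130.0/23.

# Static routes as listed in the thread. The default route leaves via the
# private MAN gateway on wan1; the SSL-VPN client range is reachable via ssl.root.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.249.0.1
        set device "wan1"
        set distance 15
    next
    edit 2
        set dst 172.20.130.0 255.255.254.0
        set device "ssl.root"
        set distance 10
    next
end

# The SSL-VPN listener is bound to the public DMZ interface only.
# Without route-source-interface, replies to a client that arrived on dmz are
# forwarded by the routing table, i.e. out wan1 toward the private MAN gateway,
# which matches the thread's symptom (login succeeds, then a blank portal page
# and a FortiClient timeout). With it enabled, SSL-VPN replies are sent back out
# the interface the request came in on, bypassing the default route.
config vpn ssl settings
    set source-interface "dmz"
    set port 443
    set route-source-interface enable
end
```

After applying it, `show vpn ssl settings` should list `set route-source-interface enable`; if the line is absent the change did not take. Restricting the listener with `source-interface` also keeps the portal from being reachable on the internal and MAN-facing interfaces, which is the more defensible default for an internet-facing VPN.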
