VPN event duplicates in FortiGate firewall.

Author
Mari Muneeswaran Marimuthu
2018/06/12 06:31:08 (permalink)

Hi Fortigate firewall team,
 
I have noticed two kinds of VPN transactions in my firewall.
 
I have received two logs with action="tunnel-up" and action="tunnel-down" from the same remote host IP at the same time.
 
Here, tunnel-type = "ssl-web" || "ssl-tunnel".
 
1st Log:
<190>date=2018-06-12 time=00:30:32 devname=FGT_FW devid=FGT_FW logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logtime=1528126232 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"
 
2nd Log:
<190>date=2018-06-12 time=00:30:34 devname=FGT_FW devid=FGT_FW logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logtime=1528126234 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x tunnelip=10.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"


I have a doubt about the above logs.
 
The 1st log doesn't contain the tunnel IP address, but the 2nd log contains the tunnel IP address.

Why does this duplication occur?

Thanks,
Mari Muneeswaran Marimuthu.
#1

    Toshi Esumi
    Re: VPN event duplicates in FortiGate firewall. 2018/06/12 12:22:15 (permalink)
    I think it's because of the "reason". The first one is for user "login successful", then the second one is for "tunnel established" with the tunnel IP.
    #2
    Mari Muneeswaran Marimuthu
    Re: VPN event duplicates in FortiGate firewall. 2018/06/12 22:44:33 (permalink)
    @Somashekara Hanumantha Reddy
     
    Please kindly explain this scenario.
    #3
    Mari Muneeswaran Marimuthu
    Re: VPN event duplicates in FortiGate firewall. 2018/06/12 23:04:04 (permalink)
    Hi Toshi Esumi,
     
    I received a few VPN transactions in between these logs.
     
    My VPN logs are in the below structure:
     
    <Tunnel-Up> log with tunnel-type = ssl-web
    <VPN Traffic by the user>
    <Tunnel-Up> log with tunnel-type = ssl-tunnel
    <VPN Traffic by the user>
    <Tunnel-down> log with tunnel-type = ssl-tunnel
    <Tunnel-down> log with tunnel-type = ssl-web
     
    It's confusing. Please clarify my doubt.
     
    Thanks,
    Mari Muneeswaran Marimuthu.
    #4
    Toshi Esumi
    Re: VPN event duplicates in FortiGate firewall. 2018/06/13 08:46:52 (permalink)
    Can you post the entire log? If you compare them with "diag debug app sslvpn -1" debug output, they might make sense to you.
    #5
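
For anyone counting VPN logins from these events: the two tunnel-up logs in the first post share user, remip and tunnelid, so a log consumer can collapse them into one session and check that every mode that came up also went down. This is an added example, not part of the original thread or any Fortinet code; the tunnel-down sample lines are constructed, and using (user, remip, tunnelid) as the session key is an assumption.

```python
import re

# key=value or key="quoted value" pairs, the layout of the log lines in this thread
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First two lines: the tunnel-up logs from the first post, abridged to the fields used.
# Last two lines: constructed tunnel-down events in the order given in post #4;
# reuse of the same tunnelid on tunnel-down is an assumption.
SAMPLE = [
    '<190>date=2018-06-12 time=00:30:32 subtype="vpn" action="tunnel-up" tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser" reason="login successfully"',
    '<190>date=2018-06-12 time=00:30:34 subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x tunnelip=10.x.x.x user="testUser" reason="tunnel established"',
    'date=2018-06-12 time=01:10:05 subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x tunnelip=10.x.x.x user="testUser"',
    'date=2018-06-12 time=01:10:06 subtype="vpn" action="tunnel-down" tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser"',
]

def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def sessions(lines):
    """Group tunnel-up/tunnel-down events by (user, remip, tunnelid)."""
    out = {}
    for f in map(parse, lines):
        if f.get("subtype") != "vpn" or f.get("action") not in ("tunnel-up", "tunnel-down"):
            continue
        key = (f.get("user"), f.get("remip"), f.get("tunnelid"))
        s = out.setdefault(key, {"up": {}, "down": {}, "tunnelip": None})
        phase = "up" if f["action"] == "tunnel-up" else "down"
        s[phase][f.get("tunneltype")] = f"{f.get('date')} {f.get('time')}"
        # tunnelip is absent on the ssl-web line in the thread, so keep the last one seen
        s["tunnelip"] = f.get("tunnelip") or s["tunnelip"]
    return out

def summarize(lines):
    """One row per session: tunnel IP, modes seen, and whether every mode was closed."""
    return [{"user": user, "remip": remip, "tunnelid": tid,
             "tunnelip": s["tunnelip"],
             "modes": sorted(s["up"]),
             "closed": set(s["up"]) <= set(s["down"])}
            for (user, remip, tid), s in sessions(lines).items()]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```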