it_nvluong
New Contributor

VPN-SSL Can't access destination connected over MPLS Line

Hi all,

I have one issue and don't know how to resolve it.

Our network diagram is:

Factory1 in US, Factory2 in SINGAPORE

Factory1 connects to Factory2 by an MPLS line, and it becomes a local LAN.

Now, at Factory1, I use a Fortinet 501E firewall, version 6.0.

I created an SSL VPN for remote client use.

The problem is that when clients connect to the VPN, they can't ping Factory2.

Can anyone help me and give me some suggestions?

Thanks,

Toshi_Esumi
SuperUser

I think you attached a wrong diagram. It is between Hong Kong and Vietnam, including Cisco ASA, 88x, Meraki MX, etc., but no FortiGate.

In any case, most likely your problem is that the SSL VPN client subnet is not routed via MPLS. Likely the FW or router at Factory2 doesn't have a route for the client subnet. Check what you configured for the SSL VPN and put the static route (assuming you are not using a routing protocol) on the router toward the MPLS interface.

it_nvluong

Hi,

Thanks for your reply.

Actually, the subnet used for the SSL VPN is routed in MPLS, and the problem is:

When a client connects to the VPN at Factory1 and runs a tracert to an IP at Factory2, the trace shows that the packet goes through to the MPLS router at Factory2, is dropped there, and can't reach the destination IP in the Factory2 LAN.

And I tested assigning this subnet in the local LAN at Factory1, and it can ping Factory2. It means the routing between the 2 MPLS routers is OK. It only.

I would like to send the new diagram and routing.


it_nvluong

Update: new diagram

Toshi_Esumi

I still think it's a simple routing issue because you said when the VPN client traceroutes to the factory2 subnet, it shows factory2's MPLS router's IP. There seems to be a typo in the diagram on the factory2 side. The factory2's MPLS interface IP should be in the same subnet as factory1's MPLS interface IP, like 10.32.1.46/30.

What I would suggest is to run a sniffer on the FGT while pinging from the client to make sure it's coming out consistently as you expect. Then you need to set up a set of ACLs on the LAN-side interface of factory2's MPLS Cisco, to see if you can catch those packets there, unless you can get a laptop to the router with a mirror port and run Wireshark there.

My guess is it would show in the ACL counters, and then the problem is beyond factory2's Cisco router.
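A small check of the two points this diagnosis rests on, as an added example (not code from the thread): whether factory2's MPLS router has a return route for the SSL VPN client pool pointing back over the MPLS link, and whether both MPLS interface IPs sit in one /30. The route table, the client pool 10.212.134.0/24 and the interface addresses below are constructed values, not taken from the poster's diagram.

```python
"""Return-route check for an SSL VPN client pool over an MPLS link.

Added example, not from the thread. Factory2's MPLS router needs a route for
the VPN client pool pointing back over the MPLS /30, and both MPLS interface
IPs must share one /30. All addresses here are constructed for illustration.
"""
import ipaddress


def best_route(routes, dst):
    """Longest-prefix match: (network, next_hop) covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def return_route_problems(routes, client_pool, mpls_next_hop):
    """Describe what is wrong with the path back to the VPN client pool.
    First and last host are both checked, so a partial route is caught too."""
    hosts = list(ipaddress.ip_network(client_pool).hosts())
    problems = []
    for host in (hosts[0], hosts[-1]):
        hit = best_route(routes, host)
        if hit is None:
            problems.append(f"{host}: no route, packet is dropped")
        elif hit[1] != mpls_next_hop:
            problems.append(f"{host}: sent to {hit[1]} via {hit[0]}, not the MPLS link")
    return problems


def same_p2p_subnet(ip_a, ip_b):
    """True if two interface addresses (e.g. x.x.x.x/30) share one subnet."""
    return ipaddress.ip_interface(ip_a).network == ipaddress.ip_interface(ip_b).network


# Constructed factory2 MPLS router table: its LAN plus a default route only.
BROKEN = [("10.50.0.0/24", "connected"), ("0.0.0.0/0", "203.0.113.1")]
# Same table plus the static route for the client pool toward factory1 (10.32.1.45).
FIXED = BROKEN + [("10.212.134.0/24", "10.32.1.45")]
VPN_POOL = "10.212.134.0/24"

if __name__ == "__main__":
    print(return_route_problems(BROKEN, VPN_POOL, "10.32.1.45"))  # two problems
    print(return_route_problems(FIXED, VPN_POOL, "10.32.1.45"))   # []
    print(same_p2p_subnet("10.32.1.45/30", "10.32.1.46/30"))     # True
    print(same_p2p_subnet("10.32.1.45/30", "10.32.1.50/30"))     # False, the diagram typo case
```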
