- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problem accessing SSL-VPN from one VDOM to another
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem accessing SSL-VPN from one VDOM to another
Hi,
We have a FG1500D that has lots of VDOMs set up for lots of customers. And now we have noticed that if I´m connected to one of these VDOMs I can´t connect to another VDOMs SSL-VPN using FortiClient. It just hangs at around 40% then timeouts. If I put the same computer on a completely external network the same VPN connection works fine.
The VPN connection point to a public ipaddress.
Any idea on what we need to do to fix this? Or atleast how to troubleshoot it?
Thanks in advance,
//Andreas..
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to explain a little more than just "lots of VDOMs" including the VDOM topology/how they're supposed to be connected each others and where the SSL-VPN client is located/connected to in the topology. I'm assuming there is no connection between customer VDOMs. So you must be connecting to a management vdom or else, which is supposed to have connection to all customer vdoms.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer.
Ok, to clarify a bit, most VDOMs are completely separate. We have some specific VDOMs that have interVDOM-policys enabled on the same firewall but I don´t think these are involved here.
I am sitting on a customers VDOM(just a laptop on the internal subnet of that VDOM) and tries to access another customers VDOM using the SSL VPN that is set up in that VDOM. That SSL-VPN is used for that customers employees.
Not sure if that explanation helps?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's say VDOM A your laptop is in, then VDOM B is the SSL-VPN's destination. Then how VDOM A and B get out to the internet? Via a root vdom or both vdom have separate internet circuit/interface in the VDOMs?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The VDOMs have separate WAN interfaces with their own public ipaddresses. Not sure exactly now if the physical interfaces are separated. I could check that if it would help. We have VLAN tags on the external switches and I'm not sure how everything there is connected.
If I do a tracert from my laptop to the other VDOMs external ip I get 2 hops. First in my local internat GW, then it´s the destinations public ip. So the traffic never leaves the firewall since it knows that the destination is local to the hardware. I suspect this is why I get this problem and not when I´m on another external network.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you saw two hops from the laptop both public IPs on both VDOMs must be in the same subnet on the same vlan. But as long as ping/traceroute can get responses, routing/switching shouldn't be the issue. I think you need to run sslvpn application debugging (diag debug app sslvpn -1) while you try from the laptop.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, those two public ips are in the same subnet.
Where do I see those new logs after I activate it using "diag debug app sslvpn -1"?
Advanced diags on a Fortigate is not my strong side.. ;)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, did some googling.
Typed "diagnose debug enable" and then I got some live logs.
So when I tried connecting I got these that are related:
;--
[326:VDOM-845:88d4]allocSSLConn:295 sconn 0x7f8a6a9a9400 (116:VDOM-845) [326:VDOM-845:88d4]SSL state:before SSL initialization (<my src pub ip>) [326:VDOM-845:88d4]SSL state:before SSL initialization (<my src pub ip>) [326:VDOM-845:88d4]got SNI server name: <target pub ip fqdn> realm (null) [326:VDOM-845:88d4]client cert requirement: no [326:VDOM-845:88d4]SSL state:SSLv3/TLS read client hello (<my src pub ip>) [326:VDOM-845:88d4]SSL state:SSLv3/TLS write server hello (<my src pub ip>) [326:VDOM-845:88d4]SSL state:SSLv3/TLS write certificate (<my src pub ip>) [326:VDOM-845:88d4]SSL state:SSLv3/TLS write key exchange (<my src pub ip>) [326:VDOM-845:88d4]SSL state:SSLv3/TLS write server done (<my src pub ip>) [326:VDOM-845:88d4]SSL state:SSLv3/TLS write server done:system lib(<my src pub ip>) [326:VDOM-845:88d4]Timeout for connection 0x7f8a6a9a9400. [326:VDOM-845:88d4]Destroy sconn 0x7f8a6a9a9400, connSize=7. (VDOM-845) ;--
I can´t see anything interesting here except that it does a timeout.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If that's really all you got, the server side doesn't seem to receive anything after the "client hello". I would compare with successful login output when you connect the same laptop from outiside/internet. Whatever the issue is the issue seems to be on the source VDOM side.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, when a SSLVPN connection works it just gives a lot more messages and continuing with key exchanges and so on. Nothing there tells me what the problem is.
So I think it is a network issues somewhere. I will test doing this between some other VDOMs to see if this is isolated to one VDOM, several or all. My initial guess is that I need to do something in regarding policys/NATs or something to make it allow when the VDOMs are on the same firewall.
Related Posts
Labels
-
FortiGate
6,506 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.