How to fix SSL VPN web portal traffic not matching the SD-WAN rules

This article describes how to force SSL VPN web mode traffic to match the SD-WAN rules and how to verify that it does.

Scope

SSL VPN Web mode connections.

Solution

General Configurations.

SSL VPN Settings:

config vpn ssl settings
    set tunnel-ip-pools "VPN_network"
    set source-interface "port1" "port3"
end

SD-WAN service ID 5 connects SSL VPN users with internal services (the priority members 4 to 11 are SD-WAN member sequence numbers; port4 and port5 are the members relevant to this case):

config system sdwan
    config service
        edit 5
            set name "SSLVPN_Destination"
            set mode sla
            set dst "172.20.120.x"
            set src "RED-network" "VPN_network"
            config sla
                edit "Virtual MPLS"
                    set id 1
                next
            end
            set priority-members 4 5 6 7 8 9 10 11
        next
    end
end

SSL VPN Web portal with RDP bookmarks:

config vpn ssl web portal
    edit "Portal_example"
        set tunnel-mode enable
        set web-mode enable
        set forticlient-download disable
        set ip-pools "VPN_network"
        config bookmarks
            edit "user1"
                set apptype rdp
                set host "172.20.120.1"
                set use-sdwan enable    --> Feature already enabled.
            next
        end
    next
end

Current user environment conditions.

Routes installed in the FortiGate:

Routing entry for 172.120.20.0/16
  Known via "static", distance 1, metric 0, best
  * vrf 0 192.168.1.254, via port4
  * vrf 0 192.168.2.254, via port5

In the health check 'Virtual MPLS', port4 was down. This makes that member ineligible in the selection process of SD-WAN service ID 5.

However, the traffic directed to the bookmark host (172.20.120.x) always leaves through the port4 interface.

Important concepts about SSL VPN web mode.

To verify which interface SSL VPN web mode traffic takes, a test can be run directly from the SSL VPN web portal (for example, opening the bookmark while a sniffer runs on the FortiGate).

This test shows whether the FortiGate is using the expected interface and respecting the SD-WAN rules.

In web mode, the FortiGate does not assign an IP address from the SSL VPN pool to the PC. The FortiGate acts as a proxy: the connection to the bookmark host is opened by the FortiGate itself, so the traffic is not sourced from an address in the tunnel IP pool.

Final solution.

With both concepts in mind, verify the interface the traffic takes with a sniffer:

diagnose sniffer packet any 'icmp and host 172.120.20.x' 4 0 l

In the user's case, traffic takes the port4 interface. SD-WAN rule 5 uses the VPN_network segment as its source address. However, as SSL VPN web mode connections do not receive an IP from the pool, the proxied traffic does not match this SD-WAN rule.

The traffic was therefore falling through to the implicit SD-WAN rule, which simply follows the routing table and ignores the health check.

To fix the issue, create an SD-WAN rule with the following parameters (the source is set to all so that traffic sourced by the FortiGate itself also matches):

config system sdwan
    config service
        edit 6
            set name "SSLVPN_Destination2"
            set mode sla
            set dst "172.20.120.x"
            set src all
            config sla
                edit "Virtual MPLS"
                    set id 1
                next
            end
            set priority-members 4 5 6 7 8 9 10 11
        next
    end
end

With this configuration, traffic correctly takes the port5 interface.
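The following Python model, added here as an illustration and not part of the original article or of FortiOS, reproduces the selection logic described above in simplified form: a tunnel mode client sourced from the pool matches rule 5 and is steered away from the failed port4 member, web mode traffic sourced by the FortiGate itself misses rule 5 and falls through to the implicit rule (port4), and adding rule 6 with source "all" sends it to port5. The address ranges, the FortiGate address, and the implicit-rule egress are assumptions chosen to mirror the case; only port4 and port5 of the article's member list are modeled.

```python
import ipaddress

# Constructed address objects mirroring the article; the "x" placeholders and the
# pool range are assumptions, not values from the article.
ADDRESSES = {
    "VPN_network": ["10.212.134.0/24"],   # assumed SSL VPN tunnel-ip-pool
    "RED-network": ["192.168.10.0/24"],   # assumed internal LAN
    "Bookmark_dst": ["172.20.120.0/24"],  # stands in for "172.20.120.x"
    "all": ["0.0.0.0/0"],
}
# SD-WAN member sequence -> (interface, passes the "Virtual MPLS" SLA?); port4 is down.
MEMBERS = {4: ("port4", False), 5: ("port5", True)}
# Implicit rule follows the routing table; assume the ECMP choice lands on port4 as observed.
IMPLICIT_EGRESS = "port4"

RULE_5 = {"name": "SSLVPN_Destination", "src": ["RED-network", "VPN_network"],
          "dst": ["Bookmark_dst"], "priority_members": [4, 5]}
RULE_6 = {"name": "SSLVPN_Destination2", "src": ["all"],
          "dst": ["Bookmark_dst"], "priority_members": [4, 5]}

TUNNEL_CLIENT = "10.212.134.200"  # assumed address leased from the pool (tunnel mode)
FORTIGATE_SELF = "192.168.1.1"    # assumed FortiGate interface IP; web mode proxies from here
BOOKMARK_HOST = "172.20.120.1"    # the RDP bookmark host from the article

def in_any(ip, names):
    """True if ip falls inside any address object named in names."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for n in names for c in ADDRESSES[n])

def select_egress(rules, src_ip, dst_ip):
    """Simplified SD-WAN selection: the first rule whose src/dst match wins, and the
    first priority member passing the SLA is used (first listed member if none passes).
    Traffic matching no rule falls through to the implicit rule."""
    for rule in rules:
        if in_any(src_ip, rule["src"]) and in_any(dst_ip, rule["dst"]):
            healthy = [s for s in rule["priority_members"] if MEMBERS[s][1]]
            seq = healthy[0] if healthy else rule["priority_members"][0]
            return rule["name"], MEMBERS[seq][0]
    return "implicit", IMPLICIT_EGRESS

if __name__ == "__main__":
    for label, src, rules in [("tunnel mode, rule 5 only", TUNNEL_CLIENT, [RULE_5]),
                              ("web mode, rule 5 only", FORTIGATE_SELF, [RULE_5]),
                              ("web mode, rules 5+6", FORTIGATE_SELF, [RULE_5, RULE_6])]:
        print(label, "->", select_egress(rules, src, BOOKMARK_HOST))
```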