How to Fix Unable to access SSL VPN from internal after limiting access to specific host

This article describes why internal users cannot connect to the SSL VPN after access has been limited to specific hosts or specific geographic locations, and how to correct it.

Scope

FortiGate.

Solution

Part of hardening the SSL VPN is to limit access to specific hosts or specific geographic locations (the 'Limit access to specific hosts' setting, populated with address or geography objects).

However, this causes internal users to be unable to reach the SSL VPN, even when the site itself is in an allowed geo-location.

A packet capture on the FortiGate confirms the cause: the SSL VPN request from an internal user arrives from an internal (private) subnet address, not from the site's external public IP. A private address has no geo-location, so the request does not match the allowed geography object and is rejected.

To fix it, add an address object for the internal LAN subnet to the list of allowed hosts under 'Limit access to specific hosts', alongside the existing geography object.
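The equivalent CLI configuration, as an added example that is not part of the original article. The subnet 192.168.1.0/24, the object names, the country US, the port 10443 and the interface names wan1 and internal are assumptions chosen for illustration; substitute your own values.

```fortios
# Added example, not from the original article. Assumed values:
#   internal LAN      192.168.1.0/24  (object name "Internal_LAN")
#   allowed country   US              (object name "Geo_Allowed")
#   SSL VPN port      10443, listening on wan1 and internal
# Replace these with the real values for your site.

# 1. Address objects: the geo-location that was already allowed,
#    plus the internal LAN subnet that private-source clients come from.
config firewall address
    edit "Geo_Allowed"
        set type geography
        set country "US"
    next
    edit "Internal_LAN"
        set type subnet
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 2. SSL VPN settings: 'Limit access to specific hosts' is source-address.
#    Listing only "Geo_Allowed" here reproduces the problem; adding
#    "Internal_LAN" is the fix. The portal must also listen on the
#    interface the internal clients arrive on.
config vpn ssl settings
    set source-interface "wan1" "internal"
    set source-address "Geo_Allowed" "Internal_LAN"
    set port 10443
end

# 3. Verify which source address the FortiGate actually sees for an
#    internal client's connection attempt (first 10 packets, any interface).
diagnose sniffer packet any 'tcp port 10443' 4 10
```

The FortiGate can only geo-locate public addresses, so an RFC 1918 source will never match a geography object no matter where the site is located; the subnet object is what admits those clients. If several internal subnets are involved, an address group containing them can be used in source-address instead of listing each object individually.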

Results:

The internal user can connect to the SSL VPN.