External sites not reachable through ssl-vpn web portal

    Posted 08-11-2017 05:02

    Hi

    I hope somebody can help me by pointing out another path where to search for the reason and/or the solution to this problem. 

    We have a FG1K5 Cluster with a dedicated vdom for VPN. I configured ssl-vpn with forticlient for our users so that they can browse both internal and external websites. Through FortiClient everything works fine and as expected. If I try to browse an external site (internal sites are working well) using "quick connect" or with a bookmark from the vpn web portal I get the error (from Chrome) "[FQDN of vpn gw/fortigate] didn't send any data. ERR_EMPTY_RESPONSE".

    I see no entries in the traffic log or the "diagnose debug flow trace" (from other vdoms I see some trace hits to the IP so the command should be correct :) ) and a packet capture on all interfaces (multiple captures) with a filter set to the destination IP has no hits.

    With "diagnose debug application sslvpn -1" I get the following lines for that particular destination URL. DNS seems to work as the IP can be successfully looked up.

    ...
    [18681:UNIVPN:f41]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    [18688:UNIVPN:f43]req: /proxy/5b069027/http/baselbern.swissbib.ch/Search/Results?lookfor=sdfsdf&lng=de
    [18688:UNIVPN:f43]deconstruct_session_id:363 decode session id ok, user=[ht10u446],group=[Students],portal=[Uni-Access-Students],host=[...],realm=[],idx=0,auth=16,sid=5b068f41, login=1502457479, access=1502457479
    [18688:UNIVPN:f43]dns_query():177 tried 1 baselbern.swissbib.ch
    [18688:UNIVPN:f43]dns_on_read():156 got result
    [18688:UNIVPN:f43]sslvpn_policy_match:1974 checking web session
    [18688:UNIVPN:f43]remote_ip=[...], user=[ht10u446], iif=82, auth=16, dsthost=[baselbern.swissbib.ch], portal=[Uni-Access-Students] realm=[(null)], dst=131.152.228.111, dport=80, service=[http]
    [18688:UNIVPN:f43]sslvpn_policy_match:2005 policy check cache found
    [18688:UNIVPN:f43]deconstruct_session_id:363 decode session id ok, user=[ht10u446],group=[Students],portal=[Uni-Access-Students],host=[...],realm=[],idx=0,auth=16,sid=5b068f41, login=1502457479, access=1502457479
    [18688:UNIVPN:f43]Destroy sconn 0x7fe99e616400, connSize=0. (UNIVPN)

    Does somebody have a hint where else to look? I think that maybe routing could be different for the web portal, could this be?

    Thank you very much in advance.

    Best regards, Stefan
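An added triage helper (example code written for this page, not from the original poster or from Fortinet) that parses lines in the "diagnose debug application sslvpn -1" format quoted above and flags connections that resolved DNS and matched a policy but were torn down with nothing further logged, so the remaining search can be narrowed to what happens after policy lookup. The sample trace is constructed from the post's lines, with a documentation address in place of the redacted remote_ip.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the trace quoted in the post above;
# remote_ip is a documentation address, everything else as posted.
SAMPLE_TRACE = """\
[18681:UNIVPN:f41]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[18688:UNIVPN:f43]req: /proxy/5b069027/http/baselbern.swissbib.ch/Search/Results?lookfor=sdfsdf&lng=de
[18688:UNIVPN:f43]dns_query():177 tried 1 baselbern.swissbib.ch
[18688:UNIVPN:f43]dns_on_read():156 got result
[18688:UNIVPN:f43]sslvpn_policy_match:1974 checking web session
[18688:UNIVPN:f43]remote_ip=[203.0.113.5], user=[ht10u446], iif=82, auth=16, dsthost=[baselbern.swissbib.ch], portal=[Uni-Access-Students] realm=[(null)], dst=131.152.228.111, dport=80, service=[http]
[18688:UNIVPN:f43]sslvpn_policy_match:2005 policy check cache found
[18688:UNIVPN:f43]Destroy sconn 0x7fe99e616400, connSize=0. (UNIVPN)
"""

# Each line is [pid:process:connection-id]message
LINE_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")
# key=value or key=[value]; values contain neither ']' nor ',' in this format
KV_RE = re.compile(r"(\w+)=\[?([^\],]*)\]?")


def parse_trace(text: str) -> Dict[str, dict]:
    """Group lines by connection id and record how far each web-mode
    proxy request got: request, DNS answer, policy fields, policy hit, teardown."""
    conns: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, msg = conns.setdefault(m.group(3), {}), m.group(4)
        if msg.startswith("req: "):
            conn["request"] = msg[5:]
        elif msg.startswith("dns_on_read") and "got result" in msg:
            conn["dns_ok"] = True
        elif msg.startswith("remote_ip="):
            conn.update(dict(KV_RE.findall(msg)))  # dsthost, dst, dport, ...
        elif "policy check cache found" in msg:
            conn["policy_matched"] = True
        elif msg.startswith("Destroy sconn"):
            conn["destroyed"] = True
    return conns


def stalled_requests(conns: Dict[str, dict]) -> List[str]:
    """Connections that got past auth, DNS and policy lookup and were then
    destroyed with no further step logged: the failure lies after the policy match."""
    return sorted(cid for cid, c in conns.items()
                  if c.get("request") and c.get("dns_ok")
                  and c.get("policy_matched") and c.get("destroyed"))
```

For a connection in that state the next things to compare are the egress route and firewall policy the VPN vdom applies to dst:dport, since a sniffer with no hits on any interface means the proxy never put a packet on the wire.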