
SSL-VPN Troubleshooting

 

Troubleshooting SSL VPN issues can be time-consuming.

To understand the issue, good information needs to be gathered first.

 

Helpful facts / First things to check

Is the user configured properly? Is the software client configured properly? (See the setup instructions.)

 

The VPN is split tunnel and only sends traffic destined for the Zone networks in the OBR Portal.

The SSL-VPN tunnel times out after 10 minutes of inactivity to the OBR network, and after 8 hours of total connectivity.

OmniNet VPN IPs are in the 10.212.0.0/16 range. Each site will have a smaller pool within 10.212.XX.0/24.

Ensure that internal firewalls allow connections from this range.

    -- Example: Windows Server Firewall is set by default to only allow traffic from the subnet of the IP address it has.

 

Routing issues will occur if the end user's network subnet is the same as the office behind the OBR.

     -- Example: End user's subnet is 192.168.0.0/24, and the OmniBridge's subnet is 192.168.0.0/24
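
A quick way to check both address conditions above (firewall coverage of the VPN pool, and a subnet clash between the user's network and the office), as an added example that is not part of the original article. The function names, the 10.212.7.0/24 site pool and the 192.168.10.0/24 server subnet are constructed for illustration.

```python
import ipaddress

# From the article: all OmniNet VPN client addresses fall in this range.
VPN_RANGE = ipaddress.ip_network("10.212.0.0/16")


def routing_conflicts(user_addr, office_subnets):
    """Return the office subnets that overlap the end user's local subnet.

    user_addr may be an interface address as shown by ipconfig,
    e.g. "192.168.0.37/24" or "192.168.0.37/255.255.255.0".
    """
    user_net = ipaddress.ip_network(user_addr, strict=False)
    return [s for s in office_subnets
            if ipaddress.ip_network(s, strict=False).overlaps(user_net)]


def firewall_allows_pool(site_pool, allowed_sources):
    """True if the allow-list covers every address in the site's VPN pool."""
    pool = ipaddress.ip_network(site_pool)
    if not pool.subnet_of(VPN_RANGE):
        raise ValueError(f"{pool} is outside the VPN range {VPN_RANGE}")
    # Merge adjacent/nested entries so two /25 rules count as one /24.
    merged = ipaddress.collapse_addresses(
        ipaddress.ip_network(a, strict=False) for a in allowed_sources)
    return any(pool.subnet_of(net) for net in merged)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real site.
    print(routing_conflicts("192.168.0.37/24",
                            ["192.168.0.0/24", "192.168.50.0/24"]))
    print(firewall_allows_pool("10.212.7.0/24", ["192.168.10.0/24"]))
    print(firewall_allows_pool("10.212.7.0/24",
                               ["192.168.10.0/24", "10.212.0.0/16"]))
```

An empty list from `routing_conflicts` means the user's home network does not clash with the office; `False` from `firewall_allows_pool` means the internal firewall will drop VPN clients from that site pool.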

 

SSL VPN connections to an OBR will not work from behind an OBR. Ensure testing is done outside of an OBR network.

 

End User's connection

- Has the user's home internet been cleared of packet loss or high latency?  
-> Remote onto your source client, ping a few public services for a while, and make sure there's no packet loss.  

- Check for consistent latency on their home internet
-> Run "ping 1.1.1.1 -t" for at least 500 pings and then review the results

- Is the person connected wirelessly? Have they tried switching to wired and comparing?

- Has the FortiClient been updated?  

https://www.forticlient.com/downloads 

- Has the FortiClient been fully reinstalled?  

 

Questions and Answers to send to Support

The What:


- What is the problem exhibited?
- What error messages are received? (Have the end user provide any error messages as screenshots or copy/paste)


The Who:

- Do all VPN users have issues simultaneously, or do they appear to be random events?
(Everyone on SSL-VPN at the same time?)
- Specific users? 
(Provide which user account)

- Is each account assigned to an individual user? 
(Make sure people aren't sharing accounts)


The When:


- All day or only certain hours?
(Have them write down a few times, including the most recent)

- Issue exhibited at consistent intervals, or is it sporadic? Does it happen during peak hours?
(Record if it happens on average after an X amount of time)

- Was it previously reliable?
(How long was it reliable for and when did it stop)

- If it is a disconnect, are they able to reconnect right after? 
(Include errors if not)

The Where:

- What ISP are they on?
(If multiple users, are they on similar ISPs?)
- Test from the computer of a person experiencing issues.
-> From their source network, run WinMTR and trace to your assigned SSL-VPN gateway FQDN or IP
(Normally a name like hostname.mdsremote.com, where "hostname" is a unique value)

 

 

Custom-DNS for SSL-VPN

How to:

Go to the "Remote Access" section, then go to "SSL-VPN" and click the slider for "Custom DNS".


From there, you can fill in the specific DNS servers you'd like, as well as the DNS suffix.


 

 



