FortiGate SSL VPN Connected but No Access

Introduction

A common issue with FortiGate SSL VPN is when users successfully connect to the VPN, but cannot access internal resources such as servers, shared folders, or internal applications. The VPN appears connected, yet traffic does not pass through as expected.

This guide explains the most common reasons behind this problem and how to fix it step by step using a structured troubleshooting approach.

 Problem Description

• SSL VPN connection status shows Connected
• User receives an IP address
• No access to internal LAN resources
• Ping and browsing fail through the tunnel

This usually happens due to missing policies, routing issues, or incorrect VPN settings.

Common Causes

Missing Firewall Policy (SSL VPN → LAN)

FortiGate requires an explicit firewall policy to allow traffic from SSL VPN users to the internal network.

Required policy:

• Incoming interface: ssl.root
• Outgoing interface: LAN
• Source: SSL VPN users
• Destination: Internal network
• Action: ACCEPT

Without this policy, traffic is blocked by default.

Split Tunnel Misconfiguration

If split tunneling is enabled, only specified networks are routed through the VPN.

Common mistake:

• Internal networks not added to split tunnel routes

Result:

• VPN connects
• No traffic reaches LAN

Missing or Incorrect Routing

FortiGate must know how to route traffic coming from the SSL VPN subnet.

Check:

• Static routes
• Policy routes (if used)

SSL VPN IP pool must be routable.

Address Objects Not Matching

Firewall policies rely on correct address objects.

Common issues:

• Wrong subnet
• Wrong object used in policy
• Overlapping IP ranges

 User Group Not Assigned Correctly

Even if the user authenticates, access depends on:

• User group
• Policy group assignment
• Portal configuration

• 

Step-by-Step Solution

Step 1: Verify SSL VPN Portal Settings

• Check tunnel mode
• Verify split tunnel settings
• Confirm assigned IP pool

Step 2: Create Firewall Policy

Go to Policy & Objects → Firewall Policy

Create policy:

• From: ssl.root
• To: LAN
• Source: SSL VPN users
• Destination: Internal network
• Service: ALL
• Action: ACCEPT
• Logging: ENABLED

Step 3: Check Routing

Ensure FortiGate knows where to send VPN traffic:

• SSL VPN subnet reachable
• No conflicting routes

Step 4: Enable Logs for Troubleshooting

Logs reveal where traffic is blocked.

Check:

• Forward traffic logs
• SSL VPN logs

Step 5: Test Access

• Ping internal gateway
• Access internal IP directly
• Verify traffic counters in policy

Best Practices

• Always log VPN policies
• Keep SSL VPN policies simple
• Use clear address objects
• Document VPN settings

Common Mistakes

• Forgetting ssl.root policy
• Using wrong interface direction
• Enabling split tunnel without routes
• Assuming VPN connection = access

 Final Thoughts

When SSL VPN connects but access is not available, the issue is almost never the VPN itself. In most cases, the real problem lies in firewall policies, routing, or split tunnel configuration. Following a structured troubleshooting approach saves time and prevents unnecessary configuration changes.