Use the following diagnose commands to identify SSL VPN issues:
1. Display debug messages
To display debug messages for SSL VPN, use the following command:
diagnose debug application sslvpn -1
This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.
2. Verify the debug configuration
To verify the debug configuration, use the following command:
diagnose debug info debug output: disable console timestamp: disable console no user log message: disable sslvpn debug level: -1 (0xffffffff) CLI debug level: 3
This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows which filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging isn’t enabled for any software systems.
3. Display debug messages
To enable displaying debug messages, use the following command:
diagnose debug enable
To view the debug messages, log into the SSL VPN portal. The CLI displays debug output similar to the following:
FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12) [282:root]SSL state:SSLv3 read client hello A (172.20.120.12) [282:root]SSL state:SSLv3 write server hello A (172.20.120.12) [282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12) [282:root]SSL state:SSLv3 write finished B (172.20.120.12) [282:root]SSL state:SSLv3 flush data (172.20.120.12) [282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12) [282:root]SSL state:SSLv3 read finished A (172.20.120.12) [282:root]SSL state:SSL negotiation finished successfully (172.20.120.12) [282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
4. End the debug process
To stop displaying debug messages, use the following command:
diagnose debug disable diagnose debug reset
The following is a list of potential issues. The suggestions below aren’t exhaustive and may not reflect your network topology.
There is no response from the SSL VPN URL
- Go to VPN > SSL-VPN Settings and check the SSL VPN port assignment. Also check the Restrict Access settings to ensure the host you are connecting from is allowed.
- Go to Policy > IPv4 Policy (or Policy > IPv6 policy) and make sure that the policy for SSL VPN traffic is configured correctly.
- Check the URL you are attempting to connect to. It should follow this pattern:
- Ensure that you are using the correct port number in the URL.
- Use a computer on the local network to connect to the VPN, rather than a remote connection.
- If you are using external authentication, create a local user and connect to the VPN using this local account.
FortiClient cannot connect
You can export FortiClient debug logs by doing the following:
- Go to File > Settings. Under the Logging section, enable Export logs.
- Set the Log Level to Debug and select Clear logs.
- Attempt to connect to the VPN.
- Select Export logs after you receive the connection error.
The SSL VPN login hangs or disconnects at 98%
A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve various SSL VPN connection issues. If your FortiOS version is compatible, upgrade to use one of these versions.
In addition, latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In FortiOS 5.6.0 and later, the following commands allow a user to increase timers related to SSL VPN login.
config vpn ssl settings set login-timeout 180 (default is 30) set dtls-hello-timeout 60 (default is 10) end
Tunnel-mode connection shuts down after a few seconds
This issue can occur when there are multiple interfaces connected to the Internet (for example, SD-WAN). This can cause the session to become “dirty.” To fix this, you must allow multiple interfaces to connect without issue.
If you are using a FortiOS 6.0.1 or later, use the following CLI command:
config system interface edit <name> set preserve-session-route enable next end
If you are using a FortiOS 6.0.0 or earlier, use the following CLI command:
config vpn ssl settings set route-source-interface enable end
You receive the following error message: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12).”
- Make sure that your browser has cookies enabled.
- If you are using a remote authentication server, confirm that the FortiGate is able to communicate with it.
The tunnel connects but there is no communication
Make sure there is a static route to direct packets destined for the tunnel users to the SSL VPN interface by going to Monitor > Routing Monitor. Also, check the routing table on you computer to ensure the routes for the VPN are added (use the command
route print on Windows, or
netstat -nr on MacOS).
You can connect remotely to the VPN tunnel but are unable to access the network resources
Verify that your firewall policy for SSL VPN traffic is configured correctly by going to Policy & Objects > IPv4 Policy and making sure the source/destination addresses, user group, and destination interfaces are correct.
You can also use the command
diagnose debug flow to get more information about network traffic. To learn more about this command, see How to use debug flow to filter traffic.
Users are unable to download the SSL VPN plugin
Go to VPN > SSL-VPN Portals to make sure that the option to Limit Users to One SSL-VPN Connection at a Time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.
Users are being assigned to the wrong IP range
Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and make sure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts. If there is a conflict, the portal settings are used.
SSL VPN throughput is slow
Although many factors can contribute to slow throughput, one recommendation is to try is the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.
DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP at the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.
To make sure that the DTLS tunnel is enabled on the FortiGate, use the following commands:
config vpn ssl settings set dtls-tunnel enable end
FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate. To use DTLS with FortiClient, go to File > Settings and enable Preferred DTLS Tunnel.