SSL VPN troubleshooting

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin

This page contains tips to help you with common challenges for SSL VPN. Tips are organized in two sections: diagnose commands and common issues.

Diagnose commands

Use the following diagnose commands to identify SSL VPN issues:

1. Display debug messages

To display debug messages for SSL VPN, use the following command:

diagnose debug application sslvpn -1

This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

2. Verify the debug configuration

To verify the debug configuration, use the following command:

diagnose debug info
debug output: disable
console timestamp: disable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3

This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows which filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging isn’t enabled for any software systems.

3. Display debug messages

To enable displaying debug messages, use the following command:

diagnose debug enable

To view the debug messages, log into the SSL VPN portal. The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

4. End the debug process

To stop displaying debug messages, use the following command:

diagnose debug disable
diagnose debug reset

Common issues

The following is a list of potential issues. The suggestions below aren’t exhaustive and may not reflect your network topology.

There is no response from the SSL VPN URL

  • Go to VPN > SSL-VPN Settings and check the SSL VPN port assignment. Also check the Restrict Access settings to ensure the host you are connecting from is allowed.
  • Go to Policy > IPv4 Policy (or Policy > IPv6 policy) and make sure that the policy for SSL VPN traffic is configured correctly.
  • Check the URL you are attempting to connect to. It should follow this pattern:
https://<FortiGate IP>:<Port>/remote/login
  • Ensure that you are using the correct port number in the URL.
  • Use a computer on the local network to connect to the VPN, rather than a remote connection.
  • If you are using external authentication, create a local user and connect to the VPN using this local account.

FortiClient cannot connect

Read the Release Notes to ensure that the version of FortiClient you are using is compatible with your version of FortiOS.

You can export FortiClient debug logs by doing the following:

  1. Go to File > Settings. Under the Logging section, enable Export logs.
  2. Set the Log Level to Debug and select Clear logs.
  3. Attempt to connect to the VPN.
  4. Select Export logs after you receive the connection error.

The SSL VPN login hangs or disconnects at 98%

A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve various SSL VPN connection issues. If your FortiOS version is compatible, upgrade to use one of these versions.

In addition, latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In FortiOS 5.6.0 and later, the following commands allow a user to increase timers related to SSL VPN login.

config vpn ssl settings
  set login-timeout 180 (default is 30)
  set dtls-hello-timeout 60 (default is 10)
end

Tunnel-mode connection shuts down after a few seconds

This issue can occur when there are multiple interfaces connected to the Internet (for example, SD-WAN). This can cause the session to become “dirty.” To fix this, you must allow multiple interfaces to connect without issue.

If you are using a FortiOS 6.0.1 or later, use the following CLI command:

config system interface
  edit <name>
    set preserve-session-route enable
  next
end

If you are using a FortiOS 6.0.0 or earlier, use the following CLI command:

config vpn ssl settings
   set route-source-interface enable
end

You receive the following error message: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12).

  • Make sure that your browser has cookies enabled.
  • If you are using a remote authentication server, confirm that the FortiGate is able to communicate with it.

The tunnel connects but there is no communication

Make sure there is a static route to direct packets destined for the tunnel users to the SSL VPN interface by going to Monitor > Routing Monitor. Also, check the routing table on you computer to ensure the routes for the VPN are added (use the command route print on Windows, or netstat -nr on MacOS).


You can connect remotely to the VPN tunnel but are unable to access the network resources

Verify that your firewall policy for SSL VPN traffic is configured correctly by going to Policy & Objects > IPv4 Policy and making sure the source/destination addresses, user group, and destination interfaces are correct.

You can also use the command diagnose debug flow to get more information about network traffic. To learn more about this command, see How to use debug flow to filter traffic.


Users are unable to download the SSL VPN plugin

Go to VPN > SSL-VPN Portals to make sure that the option to Limit Users to One SSL-VPN Connection at a Time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.


Users are being assigned to the wrong IP range

Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and make sure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts. If there is a conflict, the portal settings are used.


SSL VPN throughput is slow

Although many factors can contribute to slow throughput, one recommendation is to try is the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.

DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP at the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.

To make sure that the DTLS tunnel is enabled on the FortiGate, use the following commands:

config vpn ssl settings
  set dtls-tunnel enable
end

FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate. To use DTLS with FortiClient, go to File > Settings and enable Preferred DTLS Tunnel.

Victoria Martin

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin