Technical Tip: Debugging SSL VPN Using TVC on FortiGate
Description: This article describes the role of TVC (Tunnel Virtual Connection) in SSL VPN debugging on FortiGate, and which debug commands to run on each side of a FortiGate-to-FortiGate SSL VPN.
Scope: FortiGate v7.0.0 and later, up to v7.6.2.
Solution:
In the supported firmware versions (v7.0.0 through v7.6.2), a FortiGate can be configured as an SSL VPN client that connects to an SSL VPN server running on another FortiGate. See FortiGate as SSL VPN Client in the FortiGate 7.6.2 administration guide.
The TVC (Tunnel Virtual Connection) process is the daemon that establishes the client side of an SSL VPN connection when a FortiGate acts as the SSL VPN client. TVC diagnostics therefore apply only to FortiGate-to-FortiGate SSL VPN, and only in tunnel mode: TVC handles the virtual channel inside the SSL VPN tunnel that carries the tunneled traffic. They are not relevant when troubleshooting SSL VPN connections between FortiClient and FortiOS, since TVC runs on the FortiGate acting as the client, not on the server.
When troubleshooting a tunnel between two FortiGate devices that fails to establish, or that establishes but does not pass traffic, enable the following debugs on each side. Application debug output is only printed after diagnose debug enable is run, so finish each list with that command; diagnose debug console timestamp enable (optional) prefixes each line with a timestamp, which makes it easier to correlate the client and server captures.

Client FortiGate (the unit initiating the SSL VPN connection):

diagnose debug application tvc -1      <----- Tunnel Virtual Connection process (client side only).
diagnose debug application sslvpn -1   <----- SSL-VPN process.
diagnose debug application fnbamd -1   <----- Authentication daemon.

Server FortiGate:

diagnose vpn ssl debug-filter src-addr4 <public IP address of the client FortiGate>   <----- Restrict output to the client of interest.
diagnose debug application sslvpn -1   <----- SSL-VPN process.
diagnose debug application fnbamd -1   <----- Authentication daemon.

Reproduce the connection attempt while the debugs are running, then stop the debug on both units (the -1 level is verbose and should not be left enabled):

diagnose vpn ssl debug-filter clear
diagnose debug reset
diagnose debug disable
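The capture procedure above, as an added example that is not part of the original article and not Fortinet code: a POSIX shell script that sends the client-side and server-side command lists to each FortiGate over SSH, keeps each session open for a fixed window so the debug output lands in a file, and always sends the stop sequence afterward (also on Ctrl-C) so the -1 debug levels are never left running. The client's public address is validated as a dotted-quad IPv4 before it is placed in the debug-filter command. It assumes an admin account named admin, SSH reachability to both units, and that the FortiGate executes CLI commands read from the SSH session's stdin; the hostnames and 203.0.113.5 are placeholders. All of these are assumptions, not details from the article.

```shell
#!/bin/sh
# Added example, not from the original article: collect FortiGate-to-FortiGate
# SSL VPN debugs over SSH with a bounded window and a guaranteed stop sequence.
# Assumptions (not stated in the article): an admin account named "admin",
# SSH reachability to both units, and that the FortiGate executes CLI commands
# read from the SSH session's stdin. Hostnames and addresses are placeholders.

# Accept only a dotted-quad IPv4 address; "debug-filter src-addr4" takes a
# single IPv4 address, so anything else is rejected before it is sent.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Client FortiGate: TVC is the client-side process, so it is only debugged here.
client_debug_commands() {
    cat <<'EOF'
diagnose debug console timestamp enable
diagnose debug application tvc -1
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
EOF
}

# Server FortiGate: filter on the client's public IPv4 so a busy SSL VPN
# portal does not bury the session of interest, then enable the debugs.
server_debug_commands() {
    if ! valid_ipv4 "$1"; then
        echo "server_debug_commands: not an IPv4 address: '$1'" >&2
        return 1
    fi
    printf 'diagnose vpn ssl debug-filter src-addr4 %s\n' "$1"
    cat <<'EOF'
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
EOF
}

# Stop sequence for both units. -1 debug levels are verbose and cost CPU, so
# this must run even when the capture is interrupted.
debug_stop_commands() {
    cat <<'EOF'
diagnose vpn ssl debug-filter clear
diagnose debug reset
diagnose debug disable
EOF
}

# collect_debug HOST COMMANDS SECONDS OUTFILE
# Sends COMMANDS to HOST, keeps the session open for SECONDS so debug output
# accumulates in OUTFILE, then sends the stop sequence (also on Ctrl-C).
collect_debug() {
    cd_host=$1 cd_cmds=$2 cd_seconds=$3 cd_out=$4
    trap 'debug_stop_commands | ssh "admin@$cd_host" >/dev/null 2>&1' EXIT INT TERM
    { printf '%s\n' "$cd_cmds"; sleep "$cd_seconds"; } \
        | ssh "admin@$cd_host" > "$cd_out" 2>&1
    debug_stop_commands | ssh "admin@$cd_host" >/dev/null 2>&1
    trap - EXIT INT TERM
}

# Usage (RUN_DEBUG=1 makes the script actually connect; edit the placeholders):
#   CLIENT_FGT=fgt-branch SERVER_FGT=fgt-hq CLIENT_PUBLIC_IP=203.0.113.5 \
#       RUN_DEBUG=1 sh ./sslvpn-debug.sh
if [ "${RUN_DEBUG:-0}" = 1 ]; then
    server_cmds=$(server_debug_commands "$CLIENT_PUBLIC_IP") || exit 1
    # Start the server side first so its filter is in place before the client
    # connects; run both captures in parallel and wait for both to finish.
    collect_debug "$SERVER_FGT" "$server_cmds" 90 server-sslvpn.log &
    sleep 2
    collect_debug "$CLIENT_FGT" "$(client_debug_commands)" 90 client-sslvpn.log
    wait
fi
```

Trigger the connection attempt within the 90-second window; the two log files can then be compared line by line using the timestamps. The filter on the server side is what keeps a production SSL VPN portal's output readable, which is why the script refuses to proceed without a valid client address.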
In v7.6.3 and later, SSL VPN tunnel mode is no longer available; see SSL VPN tunnel mode replaced with IPsec VPN. On these firmware versions a FortiGate can neither act as an SSL VPN server for FortiClient or FortiGate SSL VPN clients nor be configured as an SSL VPN client, so the TVC diagnostics above do not apply.