Skip to main content
hbac
Staff
hbac
Staff
February 12, 2025

Technical Tip: SSL VPN daemon consumes high CPU due to brute force attacks

  • February 12, 2025
  • 0 replies
  • 1918 views
Description

This article describes an issue where sslvpnd causes high CPU usage and VPN events show a lot of 'SSL user failed to log in' messages with random usernames. 

 

Example of 'di sys top' outputs and VPN Events:

 

51U, 0N, 1S, 47I, 0WA, 0HI, 1SI, 0ST; 3962T, 1106F
         sslvpnd      194      R      98.6    10.0   1
         miglogd      337      R      2.2     1.4    0
       ipsengine      348      S <    1.8     4.4    0
       ipsengine      349      R <    0.9     4.4    0

 

SSLVPN failed.PNG
Scope FortiGate.
Solution

A huge number of failed login attempts causes high CPU consumption because FortiGate has to validate the user's credentials.

 

To reduce the number of login attempts: 

  1. Disable Web Mode by following this KB article: Technical Tip: How to disable SSL VPN Web Mode or Tunnel Mode in SSL VPN portal
  2. Restrict SSL VPN to only specific countries by following this KB article: Technical Tip: Restricting/Allowing access to the FortiGate SSL VPN from specific countries or IP addresses with local-in-policy
  3. Block failed logins using Automation Stitch by following this KB article: Technical Tip: How to permanently block SSL VPN failed logins using an Automation Stitch
  4. Follow SSL VPN security best practices: SSL VPN security best practices

 

If the issue persists, consider migrating to Dialup IPsec VPN: FortiOS SSL VPN to dial-up VPN migration
Terms & ConditionsAccessibility statement