Pavan_Chintha
Staff
January 22, 2025

Technical Tip: 'Unable to establish the VPN connection. The VPN server may be unreachable' error while trying to connect to the SSL VPN

Description

This article describes a scenario where Central SNAT is enabled on the FortiGate and users are unable to connect to the SSL VPN: the connection stops at 10% with the error 'Unable to establish the VPN connection. The VPN server may be unreachable'.

Scope

FortiGate with Central SNAT enabled.
Solution
  1. Check whether the user's packets are reaching the FortiGate by running the packet sniffer in the CLI:

diagnose sniffer packet any "host x.x.x.x and port y" 4 0 a

Replace x.x.x.x with the public IP of the user trying to connect, and y with the SSL VPN listening port.

Packets from the user should be seen arriving at the FortiGate.

  2. In a second CLI session, also collect the SSL VPN debug logs while the user attempts to connect:

diagnose debug application sslvpn -1
diagnose debug enable

If no logs appear in the SSL VPN debug output, proceed to step 3.

  3. Verify that the SSL VPN process is present and running on the FortiGate by running the following command in the CLI:

diagnose sys process pidof sslvpnd

If no sslvpnd process is running on the FortiGate, proceed to step 4.

  4. When Central SNAT is enabled on the FortiGate, there must be at least one Central SNAT rule from ssl.root to any destination interface that references the SSL VPN pool and the SSL VPN users in the source. Without such a rule, the sslvpnd process does not start.
  5. Verify that the SSL VPN port is open on the listening interface. Navigate to Policy & Objects -> Local In Policy, filter by the SSL VPN listening interface, and check that the port is listed as open.

(Screenshot: Local In Policy, filtered by the SSL VPN listening interface)

  6. If the issue persists, review the SSL VPN configuration to verify whether any restrictions or connection limits are applied to the allowed source hosts.
  7. Check the local-in policy to ensure the user's source IP address is not explicitly denied or excluded.
  8. Verify that no Virtual IP (VIP) configuration matches the SSL VPN listening interface and port, as a matching VIP may intercept inbound connection attempts and prevent them from being processed by the SSL VPN service.

Once the Central SNAT rule from step 4 is in place, the sslvpnd process will come up and users will be able to connect to the SSL VPN.
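The following FortiOS CLI excerpt is an added example, not part of the original article, showing the Central SNAT rule that step 4 requires together with the SSL VPN settings it has to agree with, and the verification commands from steps 2 and 3 re-run afterwards. The pool name SSLVPN_TUNNEL_ADDR1, port 10443 and interface wan1 are assumed values; the rule matches on the SSL VPN tunnel pool address as the original source, and a rule from ssl.root must exist before sslvpnd starts.

```fortios
# Added example, not from the original article. The object names, port and
# interface below are assumed; substitute the values in use on the firewall.

# 1. SSL VPN settings the Central SNAT rule must line up with: the listening
#    interface and port (checked in step 5), the allowed source hosts
#    (step 6) and the tunnel IP pool handed to connecting users.
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end

# 2. With Central SNAT enabled, at least one rule must originate from ssl.root;
#    without it sslvpnd does not start (step 4). This rule takes the SSL VPN
#    pool as the original source and NATs it out of any destination interface.
config firewall central-snat-map
    edit 1
        set srcintf "ssl.root"
        set dstintf "any"
        set orig-addr "SSLVPN_TUNNEL_ADDR1"
        set dst-addr "all"
        set nat enable
    next
end

# 3. Confirm the daemon is now running (step 3), watch a test connection with
#    the debug from step 2, then switch the debug off again once finished so
#    it does not keep consuming CPU and log space.
diagnose sys process pidof sslvpnd
diagnose debug application sslvpn -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

The `config vpn ssl settings` block is shown only so the pool name in `orig-addr` can be matched against `tunnel-ip-pools`; if the two names differ, the SNAT rule never matches the tunnel traffic even though sslvpnd starts.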