Felizardo
Staff
October 16, 2025

Troubleshooting Tip: How to troubleshoot SSL VPN link packet loss issue

Description

This article describes how to troubleshoot an SSL VPN link monitoring issue when the status is dead with 100% packet loss.

Scope

FortiGate.
Solution

Consider the SSL VPN link monitoring below:

config system link-monitor
    edit "ssl_vpn_dynamic"
        set srcintf "ssl.root"
        set server-type dynamic
        set recoverytime 3
    next
end

config system interface
    edit "ssl.root"
        set vdom "root"
        set ip 10.212.134.211 255.255.255.255
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 13
    next
end

First, check the state of the SSL VPN link monitor:

bentley-kvm41 (root) # diagnose sys link-monitor tunnel all
10.212.134.200 (ssl_vpn_dynamic): state=dead, peer=10.212.134.200, create_time=2025-09-14 02:11:58, srcintf=ssl.root, latency=0.000, jitter=0.000, pktloss=100.000%

The link monitor is dead, and the packet loss is 100%.
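To make this first check repeatable from a monitoring script, the following is an added PowerShell example (not part of the original article) that parses the text of diagnose sys link-monitor tunnel all and returns only the monitors that are dead or losing packets. The function names, the packet-loss threshold parameter, and the idea of collecting the output over SSH are assumptions; the sample line is the article's own 'dead' output, embedded as a string so the functions run offline.

```powershell
# Added example (not from the original article): parse 'diagnose sys
# link-monitor tunnel all' output into objects and flag unhealthy monitors.

function ConvertFrom-FortiLinkMonitor {
    # Turns each status line into a PSCustomObject; lines that do not
    # match the expected format (headers, prompts) are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)

    $pattern = '^(?<peerip>\S+) \((?<name>[^)]+)\): state=(?<state>\w+), ' +
               'peer=(?<peer>\S+), create_time=(?<created>[^,]+), ' +
               'srcintf=(?<srcintf>\S+), latency=(?<latency>[\d.]+), ' +
               'jitter=(?<jitter>[\d.]+), pktloss=(?<pktloss>[\d.]+)%'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Name       = $Matches.name
                Peer       = $Matches.peer
                SrcIntf    = $Matches.srcintf
                State      = $Matches.state
                CreateTime = $Matches.created
                LatencyMs  = [double]$Matches.latency
                JitterMs   = [double]$Matches.jitter
                PktLossPct = [double]$Matches.pktloss
            }
        }
    }
}

function Test-FortiLinkMonitorHealth {
    # Returns the monitors that are not alive or exceed the loss threshold.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [double]$MaxPktLossPct = 0    # assumed threshold; tune per environment
    )
    ConvertFrom-FortiLinkMonitor -Lines $Lines |
        Where-Object { $_.State -ne 'alive' -or $_.PktLossPct -gt $MaxPktLossPct }
}

# Constructed sample input: the 'dead' line from the article. In practice the
# text would come from the FortiGate CLI, e.g. captured from an SSH session
# (assumption; any method that yields the raw output lines works).
$sample = @(
    'bentley-kvm41 (root) # diagnose sys link-monitor tunnel all',
    '10.212.134.200 (ssl_vpn_dynamic): state=dead, peer=10.212.134.200, create_time=2025-09-14 02:11:58, srcintf=ssl.root, latency=0.000, jitter=0.000, pktloss=100.000%'
)

# Prints one row: ssl_vpn_dynamic, state=dead, PktLossPct=100
Test-FortiLinkMonitorHealth -Lines $sample | Format-Table -AutoSize
```

A monitor that is alive but shows, say, 30% loss will also be returned unless the threshold is raised, which is the condition the rest of this article is about: an alive monitor with non-zero loss still points to a client that is dropping some of the FortiGate's probes.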

Second, take a packet capture. It shows why the link monitor is dead or why it reports 100% packet loss.

bentley-kvm41 (root) # diagnose sniffer packet ssl.root 'icmp and host 10.212.134.200' 4 0 l
Using Original Sniffing Mode
interfaces=[ssl.root]
filters=[icmp and host 10.212.134.200]
2025-09-14 02:23:41.893242 ssl.root -- 10.212.134.211 -> 10.212.134.200: icmp: echo request
2025-09-14 02:23:42.394929 ssl.root -- 10.212.134.211 -> 10.212.134.200: icmp: echo request

10.212.134.200 is the IP address that the Windows host obtained from the SSL VPN pool.

The capture shows that the FortiGate is sending ICMP echo requests to 10.212.134.200 but is not receiving any echo replies.

Third, check whether the FortiGate's packets reach the Windows host, and whether the Windows firewall allows ICMP echo requests from the FortiGate. If it does not, create an inbound rule allowing ICMP requests from the FortiGate IP address. To configure the rule on Windows, follow the steps below:

  1. Open Windows Defender Firewall with Advanced Security.
  2. Select Inbound Rules -> New Rule.
  3. Select Custom as the rule type.
  4. Select All programs.
  5. For Protocol type, select ICMPv4.
  6. In the Local IP address field that the rule applies to, add the IP address that the host obtained from the SSL VPN pool. In this example, it is 10.212.134.200.
  7. In the Remote IP address field that the rule applies to, enter the FortiGate's IP address. In this example, it is 10.212.134.211.
  8. In Action, select Allow Connection.
  9. On the Profile page, ensure that the Domain, Private, and Public boxes are all ticked.
  10. Name the rule and select Finish.
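The same rule can be created and verified from an elevated PowerShell session on the Windows client, which is easier to audit and to push out to several hosts than the GUI steps above. This is an added example, not part of the original article: the rule name, description, and function names are assumptions, the IP addresses are the article's example values, and the cmdlets are the standard NetSecurity module ones. The rule is scoped to ICMPv4 type 8 (echo request) from the FortiGate's ssl.root address only, rather than all ICMP from anywhere.

```powershell
# Added example (not from the original article): create the inbound firewall
# rule from the steps above and show its effective filters.
# Run as Administrator on the Windows SSL VPN client.

$LocalIp  = '10.212.134.200'   # address this client obtained from the SSL VPN pool
$RemoteIp = '10.212.134.211'   # FortiGate ssl.root interface address
$RuleName = 'Allow ICMPv4 echo from FortiGate link monitor'   # assumed name

function New-FortiGateIcmpRule {
    # Creates the rule once; returns the existing rule if it is already present.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$LocalAddress,
        [Parameter(Mandatory)][string]$RemoteAddress
    )
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # IcmpType 8 = echo request, the only ICMP type the link monitor needs.
    New-NetFirewallRule `
        -DisplayName   $Name `
        -Description   'Permit ICMPv4 echo requests from the FortiGate SSL VPN interface for link monitoring' `
        -Direction     Inbound `
        -Protocol      ICMPv4 `
        -IcmpType      8 `
        -LocalAddress  $LocalAddress `
        -RemoteAddress $RemoteAddress `
        -Profile       Domain,Private,Public `
        -Action        Allow `
        -Enabled       True
}

function Get-FortiGateIcmpRuleSummary {
    # Collects the rule plus its protocol and address filters into one object,
    # so the result can be compared against the intended scope.
    param([Parameter(Mandatory)][string]$Name)
    $rule = Get-NetFirewallRule -DisplayName $Name
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        IcmpType      = $port.IcmpType
        LocalAddress  = $addr.LocalAddress
        RemoteAddress = $addr.RemoteAddress
    }
}

New-FortiGateIcmpRule -Name $RuleName -LocalAddress $LocalIp -RemoteAddress $RemoteIp | Out-Null
Get-FortiGateIcmpRuleSummary -Name $RuleName | Format-List
```

After the rule exists, re-run the FortiGate sniffer from the previous step: echo replies from 10.212.134.200 should now appear alongside the requests. If they still do not, the probes are being dropped somewhere other than the Windows firewall (for example by a third-party endpoint agent or a split-tunnel route that does not cover the ssl.root address), and the firewall rule alone will not change the monitor state.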

Fourth, check the state of the SSL VPN link monitor again:

bentley-kvm41 (root) # diagnose sys link-monitor tunnel all
10.212.134.200 (ssl_vpn_dynamic): state=alive, peer=10.212.134.200, create_time=2025-09-14 02:11:58, srcintf=ssl.root, latency=2.361, jitter=0.678, pktloss=0.000%

The state of the monitor has changed to 'alive' with 0% packet loss.

An important point to keep in mind is that SSL VPN tunnels are much more susceptible to network latency than IPsec tunnels. One way to improve this is to enable the DTLS option in FortiClient VPN or FortiClient EMS.

More information: Technical Tip: Why SSL VPN tunnels are more sensitive to latency when compared to IPsec VPN

Notes:

SSL VPN tunnel mode has been disabled on specific models starting in v7.4: Technical Tip: SSL VPN support on FortiGate models

The SSL VPN feature will no longer be available starting from v7.6.3: SSL VPN tunnel mode no longer supported