Troubleshooting Tip: MAC address host check fails on SSL VPN for one or multiple users
| Description | This article describes one of the possible reasons for a MAC address host check failure in SSL VPN on FortiGate. |
| Scope | FortiGate. |
| Solution | When a client device has many active network adapters, the client has many MAC addresses. During the SSL VPN host check, FortiGate receives at most 10 MAC addresses from the client, taken in the order in which the client lists its adapters. If none of the MAC addresses configured in the host check rule is among those 10, the check fails even though the expected adapter is present on the machine.
In one case, a user machine had 18 active network adapters, and the adapter whose MAC address was configured for the host check was listed last in the client machine's network adapter list. Its MAC address was therefore never sent to FortiGate and was never evaluated.
To bring the host check back in line with the configured MAC address, the number of active network adapters was reduced so that the relevant adapter appeared within the first 10 sent to FortiGate. After limiting the machine to five active adapters, the SSL VPN connection was established successfully.
Recommended configuration steps: On the client device, run the following command to list the MAC addresses of all adapters in the order Windows enumerates them:
ipconfig /all | findstr Physical
Confirm whether at least one MAC address configured for the host check appears within the first 10 MAC addresses returned by the command. If not, either disable unused hardware or virtual network adapters so that the relevant adapter moves into the first 10, or add further MAC addresses belonging to the client machine, ones that already appear within the first 10, to the host check rule on FortiGate. Either way, at least one of the MAC addresses the client actually sends then matches the host check policy, and the SSL VPN host check succeeds. Note that adapters added later (for example a new virtual adapter) can push the configured address back beyond the first 10, so the symptom can return; and because a MAC address is trivially changed on the client, the MAC host check is a hygiene check that complements, rather than replaces, user and certificate authentication. |
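The steps above can be scripted so that the position of each configured MAC address is reported explicitly rather than counted by hand. The PowerShell below is an added example, not part of the Fortinet article: it parses the output of `ipconfig /all`, normalizes MAC formats (FortiGate uses colon-separated lowercase, `ipconfig` prints dash-separated uppercase), and reports whether any host-check MAC falls within the first 10 entries. It assumes, as the article does, that the client sends MAC addresses in the order `ipconfig /all` lists the adapters, and it counts every "Physical Address" line (including the 8-byte identifiers Windows prints for tunnel adapters), which is what the article's `findstr Physical` command shows. The function names, the `-Limit` parameter and the sample adapter stanzas at the bottom are constructed for the demonstration.

```powershell
# Added example (not from the Fortinet article): check whether the MAC addresses
# configured in the FortiGate SSL VPN host check fall within the first $Limit
# adapters the client lists. Assumption: the client sends MACs in the order
# `ipconfig /all` prints the adapters, which is the order parsed here.

function ConvertTo-NormalizedMac {
    # Normalize 00-15-5D-01-02-03 / 00:15:5d:01:02:03 / 00155d010203 to 00:15:5d:01:02:03.
    # Returns $null for anything that is not a 48-bit address (e.g. the 8-byte
    # 00-00-00-00-00-00-00-E0 identifiers ipconfig prints for tunnel adapters).
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { return $null }
    return ((0..5 | ForEach-Object { $hex.Substring(2 * $_, 2) }) -join ':')
}

function Get-IpconfigMacList {
    # Walk `ipconfig /all` output top to bottom and return one object per adapter
    # stanza that has a "Physical Address" line, preserving ipconfig's order.
    param([Parameter(Mandatory)][string[]]$IpconfigLines)
    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $IpconfigLines) {
        if ($line -match '^\S.*adapter (.+):\s*$') {
            $current = [pscustomobject]@{ Adapter = $Matches[1]; Mac = $null }
            $entries.Add($current)
        } elseif ($null -ne $current -and $line -match 'Physical Address[ .]*:\s*(\S+)') {
            $current.Mac = $Matches[1]
        }
    }
    return $entries | Where-Object { $_.Mac }
}

function Test-HostCheckMacPosition {
    param(
        [Parameter(Mandatory)][string[]]$IpconfigLines,
        [Parameter(Mandatory)][string[]]$HostCheckMacs,  # MACs configured in the FortiGate host check rule
        [int]$Limit = 10                                 # number of MACs FortiGate receives from the client
    )
    $wanted = @($HostCheckMacs | ForEach-Object { ConvertTo-NormalizedMac $_ } | Where-Object { $_ })
    $position = 0
    $rows = foreach ($entry in (Get-IpconfigMacList $IpconfigLines)) {
        $position++
        $norm = ConvertTo-NormalizedMac $entry.Mac
        [pscustomobject]@{
            Position = $position
            Adapter  = $entry.Adapter
            Mac      = $entry.Mac
            Sent     = ($position -le $Limit)                    # will FortiGate ever see this one?
            Matches  = ($null -ne $norm -and $wanted -contains $norm)
        }
    }
    $rows | Format-Table -AutoSize | Out-String | Write-Host
    $hit = $rows | Where-Object { $_.Sent -and $_.Matches } | Select-Object -First 1
    if ($hit) {
        Write-Host "OK: host-check MAC $($hit.Mac) is at position $($hit.Position) (limit $Limit)."
        return $true
    }
    $late = @($rows | Where-Object { $_.Matches })
    if ($late.Count -gt 0) {
        foreach ($l in $late) {
            $excess = $l.Position - $Limit
            Write-Host "FAIL: $($l.Mac) ($($l.Adapter)) is at position $($l.Position); disable at least $excess adapter(s) listed above it, or add a MAC from the first $Limit to the host check rule."
        }
    } else {
        Write-Host "FAIL: none of the configured MACs exist on this machine."
    }
    return $false
}

# Constructed sample reproducing the article's scenario: 18 adapters, with the
# host-check adapter listed last. The stanzas are fabricated for this demo only.
$sample = @()
1..18 | ForEach-Object {
    $mac = if ($_ -eq 18) { '00-15-5D-AA-BB-CC' } else { ('02-00-00-00-00-{0:X2}' -f $_) }
    $sample += "Ethernet adapter Demo $($_):"
    $sample += ''
    $sample += "   Description . . . . . . . . . . . : Constructed adapter $_"
    $sample += "   Physical Address. . . . . . . . . : $mac"
    $sample += ''
}
Test-HostCheckMacPosition -IpconfigLines $sample -HostCheckMacs '00:15:5d:aa:bb:cc'
```

On the affected client, replace the constructed sample with live output: `Test-HostCheckMacPosition -IpconfigLines (ipconfig /all) -HostCheckMacs '00:15:5d:aa:bb:cc'`, passing every MAC address from the FortiGate host check rule. The table it prints shows which adapters sit above the configured one; those are the candidates to disable (for example with `Disable-NetAdapter -Name '<adapter name>'` from an elevated session) or, alternatively, whose MAC addresses could be added to the host check rule instead.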
