Troubleshooting Tip: SSL VPN connections are not possible
Description
This article describes how to check why SSL VPN connections are not possible.
When SSL VPN conserve mode is triggered, it leaves the following trace in the crashlog:
diagnose debug crashlog read
Output example:
2010-11-02 20:09:22 SSL VPN enter conserve mode.
The typical behavior: No SSL VPN Web portal connections are accepted. Users get the '503 Service Temporarily Unavailable' error.
Scope
FortiGate.
Solution
SSL VPN in FortiOS has its own conserve mode, which is triggered before the regular system conserve mode. It is caused by memory pressure on the system. FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.
The FortiGate enters SSL VPN conserve mode before kernel conserve mode in an attempt to prevent kernel conserve mode from triggering. During SSL VPN conserve mode, no new SSL connections are allowed. It starts when free memory is <25% of the total memory (when the memory on the FortiGate is less than 512Mb) or <10% of the total memory (when the FortiGate has more than 512Mb built in).
Troubleshooting steps:
- Check the general memory consumption. If it is on the high end, run the following command:
diagnose system top-summary
In version 7.2.x and above, the following command can be used:
diagnose system top-mem
If the firewall is in VDOM mode, make sure to change into the VDOM first.
- Check whether SSL VPN conserve mode has occurred on the system:
diagnose vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit: 1
System total memory: 2111090688
System free memory: 1140170752
SSLVPN memory margin: 314572800
SSLVPN state: conserve
Max number of users: 1
Max number of tunnels: 0
Max number of connections: 6
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
Solution: Adjust settings such as UTM profiles, traffic shaping, logging, or any process that is using large amounts of memory, to reduce the memory consumption of the FortiGate firewall.
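The threshold rule and the 'diagnose vpn ssl statistics' output above can be checked together when the output is collected by a monitoring script. The following Python is an added example, not part of the original article or any Fortinet tooling; the function names are hypothetical, and it assumes the memory values are bytes, that '512Mb' means 512 MiB, and that a unit with exactly 512 MiB falls under the 25% rule.

```python
import re

MIB = 1024 * 1024

# Sample input: the first lines of the output shown in the article.
SAMPLE = """\
SSLVPN statistics (root):
------------------
Memory unit: 1
System total memory: 2111090688
System free memory: 1140170752
SSLVPN memory margin: 314572800
SSLVPN state: conserve
"""

def parse_stats(text):
    """Turn 'key: value' lines into a dict; all-digit values become int."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(\S.*)$", line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            stats[key] = int(val) if val.isdigit() else val
    return stats

def conserve_threshold_pct(total_bytes):
    # Article: <25% free when the unit has less than 512Mb, <10% when more.
    # Assumption: "512Mb" is 512 MiB and values are bytes; the article does
    # not cover exactly 512Mb, so that case is grouped with the 25% rule.
    return 25 if total_bytes <= 512 * MIB else 10

def assess(text):
    """Report the state the unit prints and the current free-memory ratio."""
    s = parse_stats(text)
    total, free = s["System total memory"], s["System free memory"]
    free_pct = 100.0 * free / total
    limit = conserve_threshold_pct(total)
    return {
        "reported_state": s.get("SSLVPN state"),
        "free_pct": round(free_pct, 1),
        "threshold_pct": limit,
        "below_threshold_now": free_pct < limit,
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On the article's sample the unit reports the conserve state while free memory is about 54% of the total, so the script returns the reported state and the current percentage as separate fields instead of deriving one from the other.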