Even after changing the listening interface from the GUI's SSL VPN settings, the previous interface that was listening for SSL VPN connections may still be bound to authentication rules (for instance, when the listening interface was changed from WAN1 to WAN2). In the following configuration, WAN1 still appears in the authentication-rule settings.

SSL VPN settings:

config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert ''
    set tunnel-ip-pools "HUB_local_subnet_1" "Test_Dial"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 11443
    set source-interface "WAN2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set source-interface "WAN1"
            set source-address "HUB_local_subnet_1"
            set users "test1"
            set portal "tunnel-access"
        next
        edit 2
            set source-interface "WAN2"
            set source-address "HUB_local_subnet_1"
            set users "test1"
            set portal "tunnel-access"
        next
    end
end

A potential problem may exist in the authentication rules within the SSL VPN settings. These settings are only configurable via the CLI. Execute the following commands to verify any issues.

Error: If FortiGate responds but the TCP 3-way handshake does not complete, or the client resets the connection after the TCP 3-way handshake completes, the connection is terminated and FortiClient shows that it stopped at 10%.

FortiGate-A (1) # config vpn ssl settings
FortiGate-A (1) # config authentication-rule
FortiGate-A (1) # edit 1
FortiGate-A (1) # get
id                    : 1
source-interface      : "WAN1"    <----- Still showing previous interface.
source-address        : "HUB_local_subnet_1"
source-address-negate : disable
source-address6       :
source-address6-negate: disable
users                 : "test1"
groups                :
portal                : tunnel-access
realm                 :
client-cert           : disable
cipher                : high
auth                  : any

If this value is empty/unset, the rule uses the source interface setting from the generic SSL VPN settings.
If this value is set, it must be set to the correct interface, and that interface must also be present in the generic SSL VPN settings.

Note: If there are multiple authentication rules configured (for example, rule 1 is configured to listen on WAN1 and rule 2 is configured to listen on WAN2), users will still be able to connect. The connection only fails if every authentication rule (or the only authentication rule) is configured with the incorrect interface. For example, the following two rules are configured:

FortiGate-A (1) # config vpn ssl settings
FortiGate-A (1) # config authentication-rule
FortiGate-A (authentication-rule) # get 1
id                    : 1
source-interface      : "WAN1"    <----- Rule 1 with an incorrect listening interface.
source-address        : "HUB_local_subnet_1"
source-address-negate : disable
source-address6       :
source-address6-negate: disable
users                 : "test1"
groups                :
portal                : tunnel-access
realm                 :
client-cert           : disable
cipher                : high
auth                  : any

FortiGate-A (authentication-rule) # get 2
id                    : 2
source-interface      : "WAN2"    <----- Rule 2 with a correct listening interface.
source-address        : "HUB_local_subnet_1"
source-address-negate : disable
source-address6       :
source-address6-negate: disable
users                 : "test1"
groups                :
portal                : tunnel-access
realm                 :
client-cert           : disable
cipher                : high
auth                  : any

To change this, execute the following commands:

Fortigate-A (root) # config vpn ssl settings
Fortigate-A (settings) # config authentication-rule
Fortigate-A (authentication-rule) # edit 1
Fortigate-A (1) # set source-interface <SSLVPN-LISTENING-INTERFACE>
Fortigate-A (1) # next
Fortigate-A (authentication-rule) # end
Fortigate-A (settings) # end
Fortigate-A (root) #

As this value is not shown in the GUI, it is recommended to unset the value in each authentication rule and set the source interfaces in the generic SSL VPN settings instead.
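The check described above (every authentication rule whose source-interface is set must name an interface that is also in the generic source-interface of the SSL VPN settings, and an unset rule inherits it) can be run over a saved copy of the configuration rather than by reading each rule's "get" output by hand. The following Python script is an added example, not Fortinet's own code or tooling; it assumes the configuration is available as text in the "config / set / edit / next / end" form shown in this article (for example, the output of a "show" on the SSL VPN settings pasted into a file), and the embedded sample configuration is constructed for the example, with a third rule added that leaves source-interface unset.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the generic listener was moved to WAN2, rule 1 still names
# WAN1 (stale), rule 2 names WAN2 (correct), rule 3 leaves the value unset
# (inherits the generic source-interface).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set port 11443
    set source-interface "WAN2"
    set source-address "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set source-interface "WAN1"
            set source-address "HUB_local_subnet_1"
            set users "test1"
            set portal "tunnel-access"
        next
        edit 2
            set source-interface "WAN2"
            set source-address "HUB_local_subnet_1"
            set users "test1"
            set portal "tunnel-access"
        next
        edit 3
            set source-address "HUB_local_subnet_1"
            set users "test1"
            set portal "tunnel-access"
        next
    end
end
"""

_QUOTED = re.compile(r'"([^"]*)"')


def _values(line: str) -> List[str]:
    """Return the quoted values of a 'set <key> "a" "b"' line."""
    return _QUOTED.findall(line)


def parse_ssl_settings(text: str) -> Tuple[List[str], Dict[str, Optional[List[str]]]]:
    """Return (generic source-interfaces, {rule id: rule source-interfaces or None}).

    None means the rule does not set source-interface at all, i.e. it inherits
    the generic value. The parser only tracks the 'config authentication-rule'
    sub-table; other sub-tables are ignored.
    """
    generic: List[str] = []
    rules: Dict[str, Optional[List[str]]] = {}
    in_rules = False
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config authentication-rule":
            in_rules = True
        elif in_rules and line.startswith("edit "):
            current = line.split(None, 1)[1]
            rules[current] = None
        elif in_rules and line == "next":
            current = None
        elif in_rules and line == "end":
            in_rules = False
        elif line.startswith("set source-interface "):
            if current is not None:
                rules[current] = _values(line)      # per-rule override
            elif not in_rules:
                generic = _values(line)             # generic SSL VPN setting
    return generic, rules


def audit_authentication_rules(text: str) -> List[str]:
    """List every rule whose source-interface names an interface missing from
    the generic setting; an empty list means no stale bindings were found."""
    generic, rules = parse_ssl_settings(text)
    findings: List[str] = []
    for rule_id, ifaces in rules.items():
        if ifaces is None:
            continue  # unset: inherits the generic source-interface, nothing to check
        stale = sorted(set(ifaces) - set(generic))
        if stale:
            findings.append(
                f"rule {rule_id}: source-interface {stale} not in generic source-interface {generic}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_authentication_rules(SAMPLE_CONFIG) or ["no stale authentication-rule interfaces"]:
        print(finding)
```

Running the script on the sample reports rule 1 as stale and says nothing about rules 2 and 3; on a real device, feed it the saved configuration text and fix or unset the reported rules with the CLI commands shown above.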
Related articles:
Troubleshooting Tip: Useful commands for troubleshooting SSL VPN
Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific percentages