FortiClient
Sepideh
Staff
Article Id 412915
Description This article describes how to collect, analyze, and interpret logs from FortiClient, with a particular focus on scenarios involving Pre-Logon VPN and connections using FortiSASE Secure Internet Access (SIA).
Scope FortiClient, FortiSASE, FortiGate.
Solution

VPN disconnections can be identified and diagnosed by analyzing the relevant log entries. Common error messages and alerts indicate the potential root causes and the corresponding corrective actions.

 

In this article, the VPN connection occurs in two distinct stages:

 

  1. A pre-logon VPN tunnel is established using a client certificate before the user logs into the operating system.
  2. Afterward, the client machine automatically connects to Secure Internet Access (SIA) VPN, where user credentials and, if applicable, two-factor authentication are required.

 

When the system starts, a Pre-Logon VPN is established to the on-prem FortiGate firewall through a client certificate. This allows access to the domain controller, policy synchronization, and group policy update. After user authentication, the VPN connection transitions automatically to Secure Internet Access (SIA), which operates under FortiSASE.

 

For troubleshooting pre-logon VPN issues, both FortiGate logs and FortiClient logs can be utilized. On the FortiGate, the following commands are used to capture SSL VPN debug logs:

 

diagnose vpn ssl debug-filter src-addr4 x.x.x.x (source public IP address)
diagnose debug application sslvpn -1
diagnose debug enable

 

If the pre-logon VPN connection is successful, the FortiGate logs typically include the entry: 'add auth logon for user SASE Pre-Logon'. Additionally, the connected users can be verified under 'Firewall User Monitor' on the FortiGate dashboard.

 

On the FortiClient side, the 'Remote Access' tab should be reviewed to confirm whether the transition from pre-logon VPN to Secure Internet Access (SIA) VPN occurred automatically. The transition is expected to happen without user intervention, but in some cases, the process may fail. When the automatic switch does not occur, the FortiGate SSL VPN debug logs, as well as FortiClient logs, should be examined for further troubleshooting. 

 

FortiClient logs can be collected both with and without generating diagnostic logs:

 

  • To collect FortiClient logs with diagnostics: FortiClient -> Settings -> About -> Diagnostic Tool, then select 'Run'. After generating the diagnostic logs, they can be accessed through the following path: FCDiagData -> General -> Logs -> Trace.
  • Additionally, FortiClient logs are saved in two other locations. To review live logs:

 

C:\Program Files\Fortinet\FortiClient\logs\trace

C:\Users\[Logged-In User]\AppData\Roaming\FortiClient\logs\trace

 

Among all the log files in this folder, the following log files are most relevant for VPN troubleshooting:

 

  • FortiESNAC (Windows) | epctrl (macOS).
  • fortivpn.exe_sslvpnlib (Windows) | FortiTray (macOS).
  • sslvpndaemon (Windows) | VPN-provider, FortiTray (macOS).
  • FortiVPN (Windows) | FortiTray (macOS).

 

In the table below, a summary is provided of which logs to check for troubleshooting specific issues:

 

[Image: logs.png, table summarizing which logs to check for each issue]

 

Note: All registry information is inside the diagnostic logs, which can be accessed through the following path:

 

Diagnostic Logs -> FCDiagData -> General:

  • reg_cu (current user).
  • reg_lm (local machine).

 

Note: When SAML authentication is configured, the SamlAuthwb log provides insight into SAML request and response handling. This file is particularly useful when errors such as 'cannot find …' appear during SAML authentication. It records how the SAML request was sent and how the response was received, that is, the full request and response exchange with the IdP.

 

Path: C:\users\logged-in user\appdata\roaming\forticlient\logs\trace.

 

Example Scenario:

During VPN disconnection troubleshooting, enable the SSL VPN debug log on the FortiGate before the system boots up. Once the Pre-Logon VPN connection is established, verify user presence in the User Monitor section on FortiGate. Then, confirm whether the switch from Pre-Logon VPN to Secure Internet Access (SIA) VPN occurred successfully on FortiClient.

 

The following keywords are commonly searched for during troubleshooting; the log in which each one appears is given in parentheses:

  • power (FortiVPN).
  • wakeup (FortiVPN).
  • cert.cert_selected (FortiVPN).
  • TunnelConnecting (FortiVPN).
  • Deamon indicates the tunnel was down (sslvpnlib) – Indicates manual tunnel disconnection.
  • DoConnect()==TRUE ********SSL VPN Tunnel is Connected ******** (sslvpnlib) – Used to find Prelogon timestamp.
  • strConnection:FortiSASE_PreLogonTunnel (sslvpnlib) – Searching further back from this entry leads to the point where FortiSASE got connected.
  • (Time Zone: (sslvpnlib) – This is where this daemon has just started.
  • FortiSASE_PreLogonTunnel (sslvpnlib).
  • Obtain cert_selected (FortiVPN).
  • In state: StartConnection (FortiVPN).
  • TunnelConnecting (FortiVPN).
  • there is a running vpn (FortiVPN).
  • DoConnect()==TRUE ********SSL VPN Tunnel is Connected ******** (sslvpnlib).
  • turbo (sslvpndaemon).
  • SSL VPN Tunnel is Disconnected ********* (sslvpndaemon) – This is for when Prelogon VPN is disconnected.
  • Resolve server “turbo-xxxxxxxx.edge.prod.fortisase.com(443) (sslvpndaemon).
  • route change (sslvpndaemon).
  • In state: UserLogin (FortiVPN) – This is the point where the user came from Prelogon and logged in.
  • push impersonated (FortiVPN).
  • Disconnect an existing connection first (FortiVPN).
  • HandleTunnelDisconnectThenConnectRequest("FortiSASE_PreLogonTunnel" -> "Secure Internet Access") (FortiVPN) – Logged after the user logs in; this entry marks the requested switch from Prelogon to SIA.
  • In state: TunnelDisconnectRequest (FortiVPN).
  • SSL VPN Tunnel is Disconnected ********* (sslvpndaemon).
  • In state: TunnelDisconnected (FortiVPN).
  • Secure Internet Access (FortiVPN).
  • In state: TunnelConnectRequest (FortiVPN).
  • In state (FortiVPN).
  • Fortivpn::StateMachine (FortiVPN).

 

These keywords assist in identifying timestamps and correlating events with specific disconnection patterns or error conditions.

 

Summary of Key States for Successful Prelogon and SIA VPN Connections:

For Prelogon:

  • (StartConnection).
  • (TunnelConnecting).
  • (TunnelConnected).
  • Tunnel_AfterConnected.
  • UserLogin.
  • TunnelDisconnectThenConnectRequest.
  • TunnelDisconnected.
  • Autoconnect tunnel requested.

 

For SIA:

  • (TunnelConnectRequest).
  • Autoconnect tunnel requested.
  • ZTNACompliance.
  • (StartConnection).
  • (TunnelConnecting).
  • (TunnelConnected).

 

By locating the relevant logs and searching for the appropriate keywords within them, the troubleshooting process can be initiated effectively. Log entries before and after these keywords typically contain valuable data for identifying the root cause and determining corrective actions.
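The state lists above can be checked mechanically. The following is an added example, not Fortinet code: it walks a FortiVPN trace in order and reports the first expected state that never appears, which is where the pre-logon to SIA handoff stalled. The timestamp layout and the sample lines are assumptions constructed for illustration; only the state names come from this article.

```python
import re

# Ordered markers copied from the article's "Summary of Key States" lists.
PRELOGON = ["StartConnection", "TunnelConnecting", "TunnelConnected",
            "Tunnel_AfterConnected", "UserLogin",
            "TunnelDisconnectThenConnectRequest", "TunnelDisconnected",
            "Autoconnect tunnel requested"]
SIA = ["TunnelConnectRequest", "Autoconnect tunnel requested", "ZTNACompliance",
       "StartConnection", "TunnelConnecting", "TunnelConnected"]

# Assumption: a trace line begins with "YYYY-MM-DD HH:MM:SS"; adapt to the real layout.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def walk(lines, expected):
    """Find each marker in order. Returns (timeline, first missing marker or None)."""
    timeline, i = [], 0
    for marker in expected:
        while i < len(lines) and marker not in lines[i]:
            i += 1
        if i == len(lines):
            return timeline, marker
        m = TS.match(lines[i])
        timeline.append((m.group(1) if m else "?", marker))
        i += 1
    return timeline, None

def diagnose(text):
    """Report where the pre-logon and SIA sequences stop in a FortiVPN trace."""
    lines = text.splitlines()
    timeline, pre_missing = walk(lines, PRELOGON)
    return {"timeline": timeline, "prelogon_missing": pre_missing,
            "sia_missing": walk(lines, SIA)[1]}

# Constructed sample lines (not real FortiClient output): a stalled handoff, then success.
STALLED = """\
2025-01-01 08:00:01 In state: StartConnection
2025-01-01 08:00:02 In state: TunnelConnecting
2025-01-01 08:00:04 In state: TunnelConnected
2025-01-01 08:00:04 In state: Tunnel_AfterConnected
2025-01-01 08:03:10 In state: UserLogin
2025-01-01 08:03:11 HandleTunnelDisconnectThenConnectRequest("FortiSASE_PreLogonTunnel" -> "Secure Internet Access")
2025-01-01 08:03:12 In state: TunnelDisconnected"""
COMPLETE = STALLED + """
2025-01-01 08:03:13 In state: TunnelConnectRequest
2025-01-01 08:03:13 Autoconnect tunnel requested
2025-01-01 08:03:14 In state: ZTNACompliance
2025-01-01 08:03:15 In state: StartConnection
2025-01-01 08:03:16 In state: TunnelConnecting
2025-01-01 08:03:18 In state: TunnelConnected"""
```

For the stalled sample, `diagnose(STALLED)` shows that the SIA sequence never reached TunnelConnectRequest, so the entries just after the TunnelDisconnected timestamp are the place to look next.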