Article Id 190543


This article describes a solution for an issue where SSL VPN connection attempts halt at 40% progress, displaying the warning message 'VPN connection cannot be established. The VPN server might be unreachable. (-5).'




SSL VPN with FortiClient.



This error can occur due to the following reasons:


  1. An encryption mismatch between the FortiClient (Windows) workstation and the FortiGate SSL VPN settings.


On the FortiClient (Windows) workstation, use the search bar to go to Internet Explorer > Options > Advanced.


Change the TLS settings to match the settings on the FortiGate:




For example, if TLS 1.1 and TLS 1.2 are enabled on the FortiGate, enable them in Internet Explorer as well.


  2. A system issue that occurs when handling the SSL daemon.


To confirm whether there is a system space issue, use the get system performance status command. The system value in its output is the kernel's own CPU usage: the processes related to running the operating system.


get system performance status

CPU states: 0% user 12% system 0% nice 100% idle 0% iowait 0% irq 0% softirq

CPU0 states: 14% user 86% system 0% nice 0% idle 0% iowait 0% irq 0% softirq

CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq 


For more information, see Technical Tip: Debugs for troubleshooting high CPU issues.


To view the state of the system processes and CPU cores used by the SSL VPN Daemon, run the following:


diagnose sys top | grep sslvpnd

sslvpnd      354      R      99.8     0.3    0 


The SSL VPN daemon (sslvpnd) has a CPU utilization of approximately 99% and is handled by core 0. This causes the SSL daemon to malfunction, so FortiClient gets stuck at 40% and cannot establish the VPN connection.


To view all running system processes, run the following command:


diagnose sys top 

Run Time:  13 days, 15 hours and 19 minutes

6U, 0N, 6S, 88I, 0WA, 0HI, 0SI, 0ST; 7979T, 2656F

         sslvpnd      354      R      99.8     0.3    0

          httpsd    18032      S       0.5     0.3    6

       ipsengine      459      S <     0.1     1.4    6

            node      251      S       0.1     0.9    5

       forticron      259      S       0.1     0.3    6

          flcfgd      311      S       0.1     0.2    7

       ipshelper      269      S <     0.0     3.3    4

       ipsengine      453      S <     0.0     1.5    0

       ipsengine      457      S <     0.0     1.5    4

       ipsengine      454      S <     0.0     1.4    1

       ipsengine      455      S <     0.0     1.4    2

       ipsengine      456      S <     0.0     1.4    3

       ipsengine      458      S <     0.0     1.4    5

         cmdbsvr      215      S       0.0     0.8    5

         appDemo      177      S <     0.0     0.8    4
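
The check described above can be scripted against saved diagnose sys top output. The following is an added example, not part of the original article or of any Fortinet tooling: it parses the row layout shown above and reports an sslvpnd PID that stays in the running state at high CPU across several samples. The 90% threshold, the function names, and the reading of the second percentage column as memory usage are assumptions.

```python
import re
from typing import NamedTuple

class Proc(NamedTuple):
    name: str
    pid: int
    state: str
    cpu: float
    mem: float
    core: int

# Row layout as shown in the article: name, PID, state, optional "<" flag,
# CPU %, a second percentage (assumed to be memory %), CPU core.
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+([A-Z])(?:\s+<)?"
    r"\s+(\d+(?:\.\d+)?)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")

def parse_top(text):
    """Parse process rows; the run-time and summary header lines do not match."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [Proc(m[1], int(m[2]), m[3], float(m[4]), float(m[5]), int(m[6]))
            for m in rows if m]

def pegged(procs, name="sslvpnd", cpu_min=90.0):
    """Rows for `name` in the running state (R) at or above cpu_min percent CPU."""
    return [p for p in procs
            if p.name == name and p.state == "R" and p.cpu >= cpu_min]

def stuck_pid(samples, name="sslvpnd", cpu_min=90.0):
    """PID that is pegged in every sample, or None. Requiring the same PID in
    several samples separates a stuck daemon from a short CPU spike."""
    pids = [{p.pid for p in pegged(parse_top(s), name, cpu_min)} for s in samples]
    common = set.intersection(*pids) if pids else set()
    return min(common) if common else None

# Constructed samples: rows copied from the outputs shown in this article.
BEFORE = """Run Time:  13 days, 15 hours and 19 minutes
6U, 0N, 6S, 88I, 0WA, 0HI, 0SI, 0ST; 7979T, 2656F
         sslvpnd      354      R      99.8     0.3    0
          httpsd    18032      S       0.5     0.3    6
       ipsengine      459      S <     0.1     1.4    6
"""
AFTER = "sslvpnd    18258      S       0.4     0.2    2\n"

if __name__ == "__main__":
    # The same capture is reused three times to stand in for repeated sampling.
    print("before restart:", stuck_pid([BEFORE, BEFORE, BEFORE]))
    print("after restart: ", stuck_pid([AFTER]))
```
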


If the SSL daemon is malfunctioning, the following debug commands may not be able to display logs:


diag debug reset

diag debug application sslvpn -1

diag debug enable


To resolve this issue, restart the running SSL VPN processes or re-enable the status of the SSL VPN interface and settings.


To kill or restart all of the sslvpnd processes, run the following command:


fnsysctl killall sslvpnd 


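To re-enable the SSL status, bring the ssl.root interface down and then back up. Run the block below once with set status down, then run it again with set status up:


config system interface

    edit "ssl.root"

        set vdom "root"

        set status down

        set type tunnel

        set alias "SSL VPN interface"

        set snmp-index 16

    next

end


Then toggle the SSL VPN settings in the same way. Run the block below once with set status disable, then run it again with set status enable:


config vpn ssl settings

    set status disable

end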



Once the SSL Daemon has restarted and returned to normal function, users will be able to successfully establish VPN connections.


diagnose sys top | grep sslvpnd

sslvpnd    18258      S       0.4     0.2    2


If this article does not resolve issues with establishing an SSL VPN connection and the progress bar still halts prematurely, see Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific perce....