kumarh
Staff
Article Id 364402
Description This article describes the role of TVC (Tunnel Virtual Connection) in SSL VPN debugging on FortiGate.
Scope FortiGate v7.0.0 and later, up to v7.6.2.
Solution

In supported firmware versions, FortiGate can be configured as an SSL VPN client to connect to an SSL VPN server running on another FortiGate. See FortiGate as SSL VPN Client - FortiGate 7.6.2 administration guide.

 

The TVC process is responsible for establishing a client connection over SSL VPN. FortiOS TVC diagnostics are not relevant for troubleshooting SSL VPN connections between FortiClient and FortiOS. TVC logs are produced only for tunnel-mode SSL VPN, as TVC refers to the channel inside the SSL VPN tunnel that carries the information.

 

  • Creates a virtual network interface on the client

  • Establishes a full IP tunnel

  • Routes all or selected traffic through the tunnel

When troubleshooting issues establishing or communicating over an SSL VPN tunnel between two FortiGate devices, the following diagnostics are useful:

Client FortiGate

 

diagnose debug application tvc -1 <----- Tunnel Virtual Connection process.

diagnose debug application sslvpn -1 <----- SSL-VPN process.

diagnose debug application fnbamd -1 <----- Authentication daemon.
diagnose debug enable

 

Server FortiGate

 

diagnose vpn ssl debug-filter src-addr4 <public IP Address of client FortiGate>

diagnose debug application sslvpn -1 <----- SSL-VPN process.

diagnose debug application fnbamd -1 <----- Authentication daemon.
diagnose debug enable

 

To stop the debug:

diagnose vpn ssl debug-filter clear

diagnose debug reset

diagnose debug disable

 

In v7.6.3 and later, SSL VPN tunnel mode is not available; see SSL VPN tunnel mode replaced with IPsec VPN.

In these firmware versions, FortiGate cannot act as an SSL VPN server for FortiClient and FortiGate SSL VPN clients. A FortiGate on these firmware versions cannot be configured as an SSL VPN client.

 

Related articles:

Troubleshooting Tip: SSL VPN Troubleshooting

Technical Tip: FortiGate debug SSL VPN daemon