FortiGate
carabhavi
Staff
Article Id 190372

Description

 

This article describes how to identify SSL VPN host check errors from the VPN event logs and the sslvpn debug output, and how to resolve them using CLI-only steps.

 

Scope

 

FortiGate.

Solution


Several errors or messages can appear while connecting to the SSL VPN. The following are among those seen when the connection fails at the host check stage:

  1. 'Unable to log on to the server.'
  2. 'Your username or password may not be configured properly for this connection.'
  3. 'Host check failed.'
  4. 'Hostcheck timeout.'

 

The error can also be checked under Log & Report -> System Events -> VPN Events, where the entries can be filtered by Remote IP or User.

 

An example of such a log entry; the reason field identifies the cause of the tunnel shutdown:

 

date=xxxx-xx-xx time=xx:xx:xx eventtime=1765881058965458941 tz="+0530" logid="0101039948" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=955889003 remip=172.16.x.x tunnelip=10.x.1.x srccountry="Reserved" user="10006" group="VPN Group" dst_host="N/A" fctuid="2A2EC57EA35D5BE3xxxxxxxxxxxx " reason="hostcheck timeout" duration=901 sentbyte=10611825 rcvdbyte=5200050 msg="SSL tunnel shutdown"
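As an added example (not part of the original article), the following POSIX shell/awk filter pulls host check tunnel-down events out of FortiGate event logs exported as key=value text, for instance via syslog, and optionally narrows the report to one user, mirroring the GUI filter described above. The embedded log records are constructed for the example and modelled on the tunnel-down entry shown; they are not real captures.

```shell
#!/bin/sh
# Added example: extract SSL VPN host check failures from FortiGate event logs
# exported as key=value text. The records below are constructed samples,
# modelled on the tunnel-down entry in the article; they are not real captures.
SAMPLE_LOGS='logid="0101039948" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" remip=172.16.1.10 tunnelip=10.0.1.10 user="10006" group="VPN Group" reason="hostcheck timeout" duration=901 msg="SSL tunnel shutdown"
logid="0101039948" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" remip=172.16.1.11 tunnelip=10.0.1.11 user="alice" group="VPN Group" reason="hostcheck timeout" duration=900 msg="SSL tunnel shutdown"
logid="0101039948" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" remip=172.16.1.12 tunnelip=10.0.1.12 user="bob" group="VPN Group" reason="user request" duration=3600 msg="SSL tunnel shutdown"
type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=172.16.1.10 tunnelip=10.0.1.10 user="10006" group="VPN Group" msg="SSL tunnel established"'

# sslvpn_hostcheck_report [user]
# Reads log records on stdin and prints "user<TAB>remip<TAB>reason" for every
# tunnel-down record whose reason mentions the host check. With an argument,
# only that user's records are shown (the equivalent of the GUI user filter).
sslvpn_hostcheck_report() {
    awk -v want_user="$1" '
    # kv(line, key): value of key=... in a FortiGate log line; handles both
    # quoted (group="VPN Group") and bare (remip=172.16.1.10) values. The line
    # is prefixed with a space so "user=" cannot match inside another field name.
    function kv(line, key) {
        line = " " line
        if (match(line, " " key "=\"[^\"]*\""))
            return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        if (match(line, " " key "=[^ ]+"))
            return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        return ""
    }
    kv($0, "action") == "tunnel-down" && tolower(kv($0, "reason")) ~ /host ?check/ {
        user = kv($0, "user")
        if (want_user == "" || user == want_user)
            printf "%s\t%s\t%s\n", user, kv($0, "remip"), kv($0, "reason")
    }'
}

# Stand-alone run: report every host check failure, then only user 10006.
printf '%s\n' "$SAMPLE_LOGS" | sslvpn_hostcheck_report
printf '%s\n' "$SAMPLE_LOGS" | sslvpn_hostcheck_report 10006
```

On a real system, replace the embedded sample with the exported log file (for example `sslvpn_hostcheck_report < fortigate-events.log`); only fields present in the tunnel-down record format are used, so the filter works unchanged on logs that carry additional fields.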


In some cases the user's credentials are correct, yet the client still shows the message asking the user to verify their username or password. Authentication and the host check are separate stages of the login, and the sslvpn debug output shows which stage the session reached.

Run the following debug commands, then reproduce the login attempt while the debug is running, to find the exact cause:

diagnose debug disable
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable

 

Refer to the following debug output, captured while the user logged in:

[8542:root:16]Auth successful for user chetan                   <----- Authentication was successful.
[8542:root:16]fam_do_cb:548 fnbamd return auth success.
[8542:root:16]SSL VPN login matched rule (1).
[8542:root:16]rmt_web_session_create:709 create web session, idx[0]
[8542:root:16]login_succeeded:452 redirect to hostcheck         <----- The host check stage was entered after a successful authentication, so the failure reported to the user originates in the host check, not in the credentials.

Disable the debug with 'diagnose debug disable' once the output has been collected.

 

Verify the host check setting on the portal assigned to the user with the commands below:

config vpn ssl web portal
    edit full-access                    <----- Select the respective portal.
        show full | grep host-check

 

Output example:

 

show full | grep host-check
    set host-check av
    set host-check-interval 0

 

The output above shows that the portal requires an antivirus host check (host-check av), so a client without a recognized antivirus product fails the check even though authentication succeeded. A host-check-interval of 0 means the check is performed only when the endpoint connects.
To fix this, install a supported AV product on the endpoint, or, if the posture requirement is not wanted, disable the host check on the portal with the commands below (CLI only). Note that disabling it removes the endpoint posture requirement for every user of that portal, so apply it only where that is acceptable.

 

config vpn ssl web portal
    edit full-access                    <----- Select the respective portal.
        set host-check none
    next
end

 

The text of the host check error message shown to the user can be customized using either the web-based manager or the CLI.


To replace the host check error message in the web-based manager:

  1. Navigate to System -> Replacement Messages and select Extended View in the upper right corner.
  2. Scroll down to SSL VPN and select Hostcheck Error Message.
  3. Edit the text in the right-hand column below and select Save.

To replace the host check error message in the CLI:

config system replacemsg sslvpn hostcheck-error