FortiGate
jlim11
Article Id 303969
Description

This article describes how to confirm whether an SSL VPN connection is using DTLS. After a user connects to the SSL VPN, the user is listed under 'get vpn ssl monitor':

[Image: 'get vpn ssl monitor' output listing the connected SSL VPN user]

and under 'diag firewall auth list':

[Image: 'diagnose firewall auth list' output listing the authenticated SSL VPN user]

Neither command shows whether the user's tunnel is carried over TCP (TLS) or UDP (DTLS).

Scope
FortiGate.
Solution

To confirm whether a user is connected with DTLS, check the session table.
Filter on the public IP of the user and on the SSL VPN listening port of the FortiGate (the port configured with 'set port' under 'config vpn ssl settings'; 443 by default), then list the sessions:


diagnose sys session filter src <public.ip of user>
diagnose sys session filter dport <sslvpn.port>
diagnose sys session list


[Image: 'diagnose sys session list' output for the user, showing proto=17]

In the example above the session to the SSL VPN port shows proto=17, which is UDP: the user is connected with DTLS. A DTLS client may also keep a TCP session to the same port, because the tunnel is first negotiated over TLS, so it is the presence of the UDP session that confirms DTLS. Clear the filter afterwards with 'diagnose sys session filter clear' so it does not affect later session lookups.
The VPN event logs (System Events -> VPN Events) also show whether the tunnel used DTLS:

[Image: VPN event log entry for the DTLS tunnel]

If the user is connected with a normal SSL VPN connection, the tunnel runs over TCP and the session table shows proto=6 instead, as in the example below:


[Image: 'diagnose sys session list' output for the user, showing proto=6 (TCP)]
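To apply the same check to many entries at once, the following added Python script (not part of the original article and not a FortiOS tool) parses pasted 'diagnose sys session list' output and reports, per client IP, whether its sessions to the SSL VPN port are UDP (proto=17, DTLS) or TCP (proto=6). The session text is a constructed, abridged sample; the SSL VPN port 10443 and the client addresses are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of 'diagnose sys session list' output, abridged to the
# fields this script reads. Addresses are documentation ranges, not real
# users; the SSL VPN is assumed to listen on 10443.
SAMPLE_SESSION_LIST = """\
session info: proto=17 proto_state=01 duration=241 expire=178 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log local may_dirty
statistic(bytes/packets/allow_err): org=184320/1503/1 reply=912384/1498/1 tuples=2
hook=pre dir=org act=noop 203.0.113.10:51000->198.51.100.1:10443(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.1:10443->203.0.113.10:51000(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b3 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=240 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log local may_dirty
statistic(bytes/packets/allow_err): org=4096/31/0 reply=5120/28/0 tuples=2
hook=pre dir=org act=noop 203.0.113.10:50999->198.51.100.1:10443(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.1:10443->203.0.113.10:50999(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b4 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=12 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
statistic(bytes/packets/allow_err): org=1200/10/0 reply=8000/12/0 tuples=2
hook=pre dir=org act=noop 203.0.113.22:43210->198.51.100.1:443(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.1:443->203.0.113.22:43210(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b5 tos=ff/ff app_list=0 app=0 url_cat=0
total session 3
"""

PROTO_RE = re.compile(r"^session info: proto=(\d+)")
# The 'hook=pre dir=org' line carries the original (client -> FortiGate) tuple.
ORG_RE = re.compile(
    r"hook=pre dir=org act=\S+ (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)"
)


def parse_sessions(text: str) -> List[Dict]:
    """Split the listing into one record per 'session info:' block."""
    sessions = []
    for chunk in re.split(r"(?m)^(?=session info:)", text):
        m_proto = PROTO_RE.search(chunk)
        m_org = ORG_RE.search(chunk)
        if not (m_proto and m_org):
            continue  # leading text or the 'total session N' trailer
        sessions.append({
            "proto": int(m_proto.group(1)),
            "src": m_org.group(1), "sport": int(m_org.group(2)),
            "dst": m_org.group(3), "dport": int(m_org.group(4)),
        })
    return sessions


def sslvpn_transport_by_client(sessions: List[Dict], sslvpn_port: int) -> Dict[str, str]:
    """Per client IP, classify the SSL VPN tunnel from its sessions to sslvpn_port.

    A UDP session (proto=17) to the SSL VPN port means DTLS. A DTLS client may
    keep a TCP session to the same port as well (assumption: the tunnel is first
    negotiated over TLS), so UDP is treated as decisive; TCP only means plain TLS.
    """
    protos_by_client: Dict[str, Set[int]] = {}
    for s in sessions:
        if s["dport"] == sslvpn_port:
            protos_by_client.setdefault(s["src"], set()).add(s["proto"])
    report = {}
    for client, protos in protos_by_client.items():
        if 17 in protos:
            report[client] = "DTLS"
        elif 6 in protos:
            report[client] = "TCP"
        else:
            report[client] = "unknown proto " + ",".join(str(p) for p in sorted(protos))
    return report


if __name__ == "__main__":
    for client, transport in sslvpn_transport_by_client(
            parse_sessions(SAMPLE_SESSION_LIST), 10443).items():
        print(f"{client}: {transport}")
```

Paste the output of 'diagnose sys session list' (after filtering on the SSL VPN port, as above) in place of the sample text; the client on 203.0.113.22 is not reported because its session is to port 443, not to the assumed SSL VPN port.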

The matching entry under System Events -> VPN Events:

[Image: VPN event log entry for the TCP (TLS) tunnel]

Related articles:
Using DTLS to improve SSL VPN performance
Technical Tip: Using DTLS to improve SSL VPN performance
Troubleshooting Tip: FortiGate session table information
