FortiGate
sbabu
Staff
Article Id 342509
Description

 

This article describes an SSL VPN issue where the connection is stuck at 40%, no certificate pop-up appears, and the connection eventually goes down.

 

Scope

 

FortiClient, FortiGate, SSL VPN.

 

Solution

 

Normally, when the SSL VPN connection progress reaches 40%, a certificate pop-up is expected.

However, in some scenarios, the certificate pop-up does not appear and the VPN connection is eventually dropped.

 


 

This can happen when a well-known port is configured as the SSL VPN port.

 

Solution:

When these well-known ports are not used in the network, it is possible to remove them. If the well-known port is used in the network, first change the SSL VPN communication port in the SSL VPN settings of the FortiGate firewall, and then change the port in FortiClient as well.

 

If the VPN still fails to connect after making the above changes, run the commands below.

PuTTY session 1:

 

diagnose debug application fnbamd 255
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable

 

PuTTY session 2:

 

diagnose sniffer packet any "host <x.x.x.x>" 4 100 a    <----- x.x.x.x is the public IP address of the end user.
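
To confirm from the client side whether the gateway address and port entered in FortiClient actually complete a TLS handshake and present a certificate, a probe like the one below can be run before and after the port change. It is an added example, not Fortinet code: the function name `probe_sslvpn_port` is hypothetical, and it assumes the pop-up expected at 40% corresponds to the server certificate presented during the TLS handshake.

```python
import hashlib
import socket
import ssl


def probe_sslvpn_port(host, port, timeout=5.0):
    """Classify what answers on host:port (hypothetical helper, added example).

    state is one of:
      "unreachable" - TCP connection failed (closed, filtered or timed out)
      "no_tls"      - TCP connects, but no TLS handshake completes
      "tls_ok"      - TLS handshake completed and a certificate was presented
    cert_sha256 is the SHA-256 of the DER certificate, to compare with the
    certificate configured for SSL VPN on the FortiGate.
    """
    result = {"state": "unreachable", "cert_sha256": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result

    # Trust validation is switched off on purpose: the probe only checks that
    # a certificate is presented at all and reports its fingerprint.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    result["state"] = "no_tls"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der:
                result["state"] = "tls_ok"
                result["cert_sha256"] = hashlib.sha256(der).hexdigest()
    except OSError:
        # Covers ssl.SSLError, resets and timeouts: something other than a
        # TLS server answered, or the handshake was cut off.
        pass
    finally:
        raw.close()
    return result


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <gateway-address> <ssl-vpn-port>
    print(probe_sslvpn_port(sys.argv[1], int(sys.argv[2])))
```

A result of `no_tls` or `unreachable` on the configured port means the client never receives a certificate on that port, so compare the result with the sniffer and `sslvpn` debug output above.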