For the SSL VPN to be fully operational within a VRF-based topology, it is necessary to configure all the interfaces involved to be on the same VRF ID.

In most common topologies there are three interfaces involved:

1. The interface which the SSL VPN is bound to.
2. SSL VPN interface itself.
3. The egress interface.

For example, in the below topology, SSL-VPN is bound to port1 and the egress interface for remote users to reach local resources is port3. The configuration should look like:

1. SSL-VPN:

config vpn ssl settings

    set source-interface "port1"  
    set port 443
end

2. Firewall policy:

config firewall policy
    edit 1
        set name "SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "port3" 
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

3. System interfaces:

config system interface
    edit "port1" 
    set vdom "root"

    set vrf 10
next
    edit "port3"
        set vdom "root"
        set vrf 10
    next
        edit "ssl.root"
            set vdom "root"
             set vrf 10
            set type tunnel
        next

end

Note:

It is not possible to create multiple ssl.root interfaces in a single VDOM. An ssl.root interface can only be tied to a single VRF.

Hence Multi VRF is not possible in SSL VPN. The best option is to use multivdom setup in case multi-VRF support is required.