Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
samandeep
Staff
Staff

Created on ‎10-30-2023 12:35 AM Edited on ‎09-16-2025 04:24 AM By Community Manager

Article Id 281737

Technical Tip: SSL VPN client processing stuck at 10-20% and fails it immediately

Description This article describes that SSL VPN client processing/loading is stuck at 10% and fails immediately.
Scope

FortiGate v6.x.x and v7.x.x.
Solution

There are 3 scenarios:

 

  1. SSL VPN is not configured/set up.
  • Make sure SSL VPN is enabled. Under VPN -> SSL VPN Settings -> connection settings.

 

samandeep_0-1698625244482.png

 

  • Make sure that source-address-negate is disabled in SSL VPN CLI settings.

 

samandeep_1-1698625244485.png

 

  1. VIP is configured on the WAN IP (No port-forwarding): in this scenario, VIP is configured on the WAN IP, and no port-forwarding is configured, which means all the traffic goes to the internal server IP, and there is no way that FortiClient or any SSL VPN client will connect to the FortiGate.

 

To check:

 

samandeep_2-1698625244488.png

 

  • Check policy & Object -> VIP/DNAT & Virtual IPs. See all the VIPs and look for WAN IP address-related entries.
  • Let's consider this(172.168.1.1) as the WAN/public IP address of FortiGate, and also on the same address, an SSL VPN connection will be established.
  • Internal server IP where all the traffic is passing, and no port forwarding is configured.

 

To avoid this issue:

It is possible to specify the port number if the VIP is also required for the organization. Make sure that the port is different than the SSL VPN port.

Otherwise, remove the VIP entry or use the secondary WAN IP if there is one. 

 

Use the below debugs to see incoming SSL VPN connections.

 

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

 

To stop the debug:

 

diagnose debug disable

 

  1. The firewall policy is not configured for any SSL VPN interface as a source interface, regardless of the split or full SSL VPN tunnel portal.

 

policy.PNG

 

For further troubleshooting:

 

 For any SSL VPN connections, run the below debug flow for more information about incoming SSL VPN traffic:

 

diagnose debug disable

diagnose debug flow trace stop

diagnose debug flow filter clear

diagnose debug reset

diagnose debug flow filter addr <client’s public address>

diagnose debug flow filter port <SSLVPN port>

diagnose debug flow show function-name enable

diagnose debug flow show iprope enable

diagnose debug console timestamp enable

diagnose debug flow trace start <number of packets to capture>

diagnose debug enable

 

To stop the debug:

 

diagnose debug disable

   

Related document:

Using the debug flow tool

 

2952
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.