samandeep
Article Id 281737
Description

This article describes why the SSL VPN client's connection progress gets stuck at 10% and then fails immediately.

Scope

FortiGate v6.x.x and v7.x.x.

Solution

There are 2 scenarios:

  1. SSL VPN is not configured or set up.
  • Make sure SSL VPN is enabled under VPN -> SSL VPN Settings -> Connection Settings.

  • Make sure that source-address-negate is disabled in the SSL VPN CLI settings.

  2. A VIP is configured on the WAN IP without port forwarding: in this scenario, every packet arriving at the WAN IP is forwarded to the internal server IP, so FortiClient or any other SSL VPN client has no way to reach the FortiGate itself.

In order to check:

  • Check Policy & Objects > Virtual IPs (DNAT & Virtual IPs). Review all VIPs and look for entries whose external IP is the WAN IP address.
  • In this example, 172.168.1.1 is the WAN/public IP address of the FortiGate; SSL VPN connections would also be established on this same address.
  • The VIP maps it to the internal server IP, to which all traffic is forwarded, and no port forwarding is configured.

To avoid this issue:

If the VIP is still required by the organization, enable port forwarding on it and specify a port number. Make sure that port is different from the SSL VPN port.

Otherwise, remove the VIP entry or use a secondary WAN IP if one is available.
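As an added example, not code from the article or from Fortinet, the following Python script reads the text of "show firewall vip" and "show vpn ssl settings" CLI output and applies the rule described above: a VIP on the WAN IP with no port forwarding captures every port, while a port-forwarding VIP only collides when its external port equals the SSL VPN port. The VIP names, the mapped IPs and the WAN IP 172.168.1.1 in the sample are constructed, and the parser assumes the standard edit/set/next/end layout of FortiOS show output.

```python
# Added example (not the article's code); the config text below is constructed.
SAMPLE_CONFIG = """
config firewall vip
    edit "all-to-server"
        set extip 172.168.1.1
        set mappedip "10.0.0.10"
    next
    edit "https-forward"
        set extip 172.168.1.1
        set portforward enable
        set extport 8443
    next
end
config vpn ssl settings
    set port 10443
    set source-address-negate disable
end
"""

def parse_sections(text):
    # Returns (vips, ssl): VIP name -> settings dict, and the SSL VPN settings dict.
    vips, ssl, section, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit ") and section == "firewall vip":
            current = line[len("edit "):].strip('"')
            vips[current] = {}
        elif line in ("next", "end"):
            current, section = None, (None if line == "end" else section)
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            if section == "firewall vip" and current is not None:
                vips[current][key] = value.strip('"')
            elif section == "vpn ssl settings":
                ssl[key] = value.strip('"')
    return vips, ssl

def sslvpn_conflicts(vips, ssl, wan_ip):
    # Without port forwarding every port on the WAN IP is DNATed (SSL VPN included); with it, only extport == SSL VPN port collides.
    ssl_port, findings = ssl.get("port", "443"), []  # 443 assumed if 'set port' is absent
    for name, s in vips.items():
        if s.get("extip") != wan_ip:
            continue
        if s.get("portforward") != "enable":
            findings.append((name, "all ports forwarded to " + s.get("mappedip", "?")))
        elif s.get("extport") == ssl_port:
            findings.append((name, "extport equals SSL VPN port " + ssl_port))
    return findings
```

Running sslvpn_conflicts on the sample reports only "all-to-server"; the port-forwarding VIP on 8443 is left alone because the SSL VPN port is 10443.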


Use the following debug commands to see incoming SSL VPN connections:

diag debug application sslvpn -1
diag debug application fnbamd -1
diag debug enable


To stop the debug:

diag debug disable

If SSL VPN connections are arriving, run the following debug flow commands for more information about the incoming SSL VPN traffic:

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter addr <client's public address>
diagnose debug flow filter port <SSL VPN port>
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 99
diagnose debug enable

The output shows where the traffic is dropped and the reason.


Related document:

 Using the debug flow tool | FortiGate / FortiOS 7.4.1 | Fortinet Document Library