FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 281737
Description This article describes that SSL VPN client processing/loading is stuck at 10% and fails immediately.

FortiGate v6.x.x and v7.x.x.


There are 2 scenarios:


  1. SSL VPN is not configured/set up.
  • Make sure SSL VPN is enabled. Under VPN -> SSL VPN Settings -> connection settings.




  • Make sure that source-address-negate is disabled in SSL VPN CLI settings.




  1. VIP is configured on the WAN IP (No port-forwarding): in this scenario, VIP is configured on the WAN IP and No port-forwarding is configured means all the traffic goes to the internal server IP and there is no way as FortiClient or any SSL VPN client will connect to the FortiGate.


In order to check:




  • Check policy & Object > VIP / DNAT & Virtual IPs. See all the VIPs and look for WAN IP address-related entries.
  • Let us consider this( is the WAN/public IP address of FortiGate and also on the same address SSL VPN connection will be established.
  • Internal server IP where all the traffic is passing and no port forwarding is configured.


To Avoid this issue:

It is possible to specify the port number if the VIP is also required for the organization. Make sure that the port is different than the SSL VPN port.

Otherwise, remove the VIP entry or use the secondary WAN IP if there is any. 


Use the below debugs to see incoming SSL VPN connections.


diag debug application sslvpn -1
diag debug application fnbamd -1
diag debug enable


To stop the debug:


diag debug disable


and if there are any SSL VPN connections, run the below debug flow for more information about incoming SSL VPN traffic:


diagnose debug disable

diagnose debug flow trace stop

diagnose debug flow filter clear

diagnose debug reset

diagnose debug flow filter addr <client’s public address>

diag deb flow filter port <SSLVPN port>

diagnose debug flow show function-name enable

diagnose debug flow show iprope enable

diagnose debug console timestamp enable

diagnose debug flow trace start 99

diagnose debug enable


It will be possible to see where the traffic is dropped and the reason.


Related document:

 Using the debug flow tool | FortiGate / FortiOS 7.4.1 | Fortinet Document Library