FortiGate
hbac
Article Id 346837
Description

This article describes a known behavior where SSL VPN users are unable to connect successfully because the sslvpnd process has not started. The following symptoms can be observed in this scenario:

  • When testing with SSL VPN web-mode (i.e., connecting via web browser), the connection receives an ERR_CONNECTION_RESET message, and the login page will fail to load.
  • When testing with SSL VPN tunnel-mode (i.e., connecting via FortiClient), the connection will fail at the 10% mark with an error message stating 'Unable to establish the VPN connection. The VPN server may be unreachable.'

[Screenshot: unreachable.png]

 

  • Additionally, no output will be observed when gathering sslvpnd debugs on the FortiGate, and the debug flow output will show the connection being dropped with the message 'policy-4294967295 is matched, act-drop':

[Screenshot: drop.PNG]

 

Scope

FortiGate.

Solution

This issue occurs if there are no active Firewall Policies on the FortiGate that have the 'SSL-VPN tunnel interface (ssl.root)' set in the Incoming Interface field (i.e., if no relevant Firewall Policies exist or if they are all administratively disabled).

 

Without an active Firewall Policy, the sslvpnd daemon will not be active and will not listen for/accept any incoming connections. Additionally, the SSL VPN debugs (diagnose debug application sslvpn -1) will not show any output.

 

Below is the output of the diagnose sys top command. Note that 'sslvpnd' is not in the running processes list. 

 

[Screenshot: sslvpnd.PNG]

 

Likewise, the output of diagnose sys tcpsock | grep <SSL-VPN Port> will show that sslvpnd is not listening on the configured port:

 

FortiGate # diagnose sys tcpsock | grep 443
0.0.0.0:443->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=28368 process=293/wad
10.255.1.1:443->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=31637 process=239/fltund

 

Resolving the Issue:

 

To resolve the issue, create at least one active firewall policy under Policy & Objects -> Firewall Policy to allow traffic from the SSL VPN tunnel interface (ssl.root) to another interface. Below is an example of a firewall policy allowing traffic from the SSL VPN tunnel interface to the LAN network behind port 5. 

 

[Screenshot: SSLVPNpolicy.PNG]
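The same policy can be created from the CLI. The configuration below is an added example and is not taken from the article or from Fortinet documentation; the policy name, the address object 'LAN-subnet', the user group 'sslvpn-users' and the destination interface 'port5' are assumed values and must match the objects that exist on the unit. Lines beginning with '#' are comments and are ignored by the CLI.

```fortios
# Added example: firewall policy that makes sslvpnd start.
# 'edit 0' lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "SSLVPN-to-LAN"
        # Incoming interface must be the SSL VPN tunnel interface.
        set srcintf "ssl.root"
        # Assumed LAN-facing interface; replace with the real one.
        set dstintf "port5"
        set action accept
        set srcaddr "all"
        # Assumed address object covering the LAN behind port5.
        set dstaddr "LAN-subnet"
        set schedule "always"
        set service "ALL"
        # Assumed user group that SSL VPN users belong to; restricting the
        # policy to a group is preferable to allowing any authenticated user.
        set groups "sslvpn-users"
        set nat enable
        # Must be 'enable': a disabled policy does not count and sslvpnd stays down.
        set status enable
    next
end
```

After committing the policy, confirm it is active with 'show firewall policy' (the entry should not contain 'set status disable'), then re-run 'diagnose sys tcpsock | grep <SSL-VPN Port>' and check that a line ending in 'process=<pid>/sslvpnd' is now present.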

 

After creating the firewall policy, the sslvpnd daemon will be started, and users will be able to connect to the VPN.

 

[Screenshot: running.PNG]

 

FortiGate # diagnose sys tcpsock | grep 443
0.0.0.0:443->0.0.0.0:0->state=listen err=0 socktype=3 rma=0 wma=0 fma=0 tma=0 inode=2641407 process=3148/sslvpnd
0.0.0.0:443->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=28368 process=293/wad
10.255.1.1:443->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=31637 process=239/fltund

 

[Screenshot: connectedd.PNG]

 

Note:

Starting v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN' as explained in Upcoming changes on SSL VPN modes starting from v7.6.3.

 

Related article: 

Troubleshooting Tip: SSL VPN Troubleshooting