FortiGate
hbac
Staff
Article Id 375470
Description

This article describes an issue where sslvpnd causes high CPU usage and the VPN events show many 'SSL user failed to log in' messages with random usernames.

Example 'di sys top' output and VPN events:

 

51U, 0N, 1S, 47I, 0WA, 0HI, 1SI, 0ST; 3962T, 1106F
         sslvpnd      194      R      98.6    10.0   1
         miglogd      337      R      2.2     1.4    0
       ipsengine      348      S <    1.8     4.4    0
       ipsengine      349      R <    0.9     4.4    0

 

[Screenshot of VPN events: SSLVPN failed.PNG]

Scope

FortiGate.

Solution

A large number of failed login attempts causes high CPU consumption because FortiGate has to validate the credentials submitted with each attempt.
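To confirm this pattern from exported VPN event logs, the following added example (not part of the original article or Fortinet's tooling) counts failed SSL VPN logins per source address and flags sources that try many different usernames. It assumes key=value log lines with the fields subtype, action="ssl-login-fail", remip and user; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches key=value pairs; values may be quoted and contain spaces.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping optional quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}

def failed_login_sources(lines, min_failures=5, min_users=4):
    """Return {remip: (failures, distinct_usernames)} for sources whose
    failures are spread over many usernames (guessing, not a typo)."""
    counts, users = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Field names and values are assumptions about the log format.
        if rec.get("subtype") != "vpn" or rec.get("action") != "ssl-login-fail":
            continue
        ip = rec.get("remip", "unknown")
        counts[ip] += 1
        users[ip].add(rec.get("user", ""))
    return {ip: (counts[ip], len(users[ip])) for ip in counts
            if counts[ip] >= min_failures and len(users[ip]) >= min_users}

def _line(sec, ip, user, action="ssl-login-fail"):
    """Build one constructed sample log line (documentation IP ranges)."""
    msg = "SSL user failed to log in" if action == "ssl-login-fail" else "SSL tunnel established"
    return (f'date=2025-01-10 time=09:00:{sec:02d} type="event" subtype="vpn" '
            f'action="{action}" remip={ip} user="{user}" msg="{msg}"')

# Constructed sample: one source cycling through usernames, one user mistyping.
SAMPLE = [_line(i, "203.0.113.7", u) for i, u in
          enumerate(["admin", "test", "scan", "guest", "vpnuser", "backup"])]
SAMPLE += [_line(10, "198.51.100.20", "alice"),
           _line(11, "198.51.100.20", "alice"),
           _line(12, "198.51.100.20", "alice", action="tunnel-up")]

if __name__ == "__main__":
    for ip, (fails, names) in failed_login_sources(SAMPLE).items():
        print(f"{ip}: {fails} failed logins across {names} usernames")
```

Sources flagged this way are candidates for the country restriction or the automation stitch block listed in the steps that follow.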

 

To reduce the number of login attempts: 

  1. Disable Web Mode by following this KB article: Technical Tip: How to disable SSL VPN Web Mode or Tunnel Mode in SSL VPN portal
  2. Restrict SSL VPN to only specific countries by following this KB article: Technical Tip: Restricting/Allowing access to the FortiGate SSL VPN from specific countries or IP ad...
  3. Block failed logins using Automation Stitch by following this KB article: Technical Tip: How to permanently block SSL VPN failed logins using an Automation Stitch
  4. Follow SSL VPN security best practices: SSL VPN security best practices

 

If the issue persists, consider migrating to Dialup IPsec VPN: FortiOS SSL VPN to dial-up VPN migration