FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManishKhatri
Staff
Article Id 392884
Description: This article describes the solution for the 'source ip check failed' error in SSL VPN debug logs.
Scope: FortiGate.
Solution

When reviewing SSL VPN debug logs, the following error was observed:


'get_shm_session:1368 source ip check failed'


This issue occurs when the IP address from which the client initiates the connection does not match the IP address listed in the host field of the deconstructed session ID. For example:

  • Client Source IP: 14.98.30.86
  • Observed IP in the log: 106.51.239.226


Problematic log entry:


deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],authserver=[VPN_LDAP], portal[Test_C2S_VPN],host[106.51.239.226],realm=[],csrf_token=[7FC2779ED24ED3D6029E59C62493015], idx=350, auth=16, sid=3fdef62d,login=1747204866,access=1747204866,saml_logout_url=no,pip=no,grp_info=[hgaCRj], rmt_grp_info=[rW1KBh]


Expected log entry (correct behavior):


deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],authserver=[VPN_LDAP], portal=[Test_C2S_VPN],host[14.98.30.86],realm=[],csrf_token=[7FC2779ED24ED3D6023E59C65493015], idx=350,auth=16, sid=3fdef62d,login=1747204866,access=1747204866,saml_logout_url=no,pip=no,grp_info=[hfaCRj],rmt_grp_info=[iznjt6]


This mismatch triggers the 'source ip check failed' error, which prevents successful authentication and terminates VPN connectivity within a few seconds of the connection being established. This may occur in environments where NAT, proxy services, or load balancing alter the client's apparent public source IP during session establishment.
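As an added triage example (not Fortinet's code), the following Python parses deconstruct_session_id debug lines in the format shown above and flags every decoded session whose host field differs from the IP the client really connects from. The field syntax (key=[value], key[value] and bare key=value) is assumed from the log lines in this article, and the sample lines in the block are constructed to match that format; the line numbers it reports refer to the sample list, not to the daemon's own numbering.

```python
"""Triage helper: compare the host[] field of a FortiGate SSL VPN
deconstruct_session_id debug line against the client's actual source IP.

Added example; not Fortinet code. The log format assumed here is the
one shown in the article above; the sample lines below are constructed
to match it.
"""
import re
from typing import Dict, List, Optional

# Fields appear as key=[value], key[value] (the output uses both, e.g.
# portal[...] and portal=[...]) or bare key=value (idx=350, sid=3fdef62d).
_FIELD_RE = re.compile(r"(\w+)=?\[([^\]]*)\]|(\w+)=([^,\s\]]+)")


def parse_session_line(line: str) -> Dict[str, str]:
    """Return the key/value fields of a 'decode session id ok' line."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        if m.group(1) is not None:
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def session_host(line: str) -> Optional[str]:
    """The host recorded inside the session ID, or None if the line has none."""
    return parse_session_line(line).get("host")


def find_source_ip_mismatches(lines: List[str], client_ip: str) -> List[dict]:
    """Flag every decoded session whose host[] differs from client_ip.

    That mismatch is exactly the condition under which the daemon logs
    'source ip check failed' while auth-session-check-source-ip is enabled.
    """
    mismatches = []
    for n, line in enumerate(lines, 1):
        if "decode session id ok" not in line:
            continue
        fields = parse_session_line(line)
        host = fields.get("host")
        if host != client_ip:
            mismatches.append({
                "line": n,
                "user": fields.get("user"),
                "session_host": host,
                "client_ip": client_ip,
                "sid": fields.get("sid"),
            })
    return mismatches


# Constructed sample: a healthy session, then a session whose token carries
# a different public IP (the NAT/proxy/load-balancer case described above),
# followed by the error the daemon emits for it.
SAMPLE_LOG = [
    "deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],"
    "authserver=[VPN_LDAP], portal=[Test_C2S_VPN],host[14.98.30.86],realm=[],"
    "csrf_token=[7FC2779ED24ED3D6023E59C65493015], idx=350,auth=16, sid=3fdef62d,"
    "login=1747204866,access=1747204866,saml_logout_url=no,pip=no,grp_info=[hfaCRj],rmt_grp_info=[iznjt6]",
    "deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],"
    "authserver=[VPN_LDAP], portal[Test_C2S_VPN],host[106.51.239.226],realm=[],"
    "csrf_token=[7FC2779ED24ED3D6029E59C62493015], idx=350, auth=16, sid=3fdef62d,"
    "login=1747204866,access=1747204866,saml_logout_url=no,pip=no,grp_info=[hgaCRj], rmt_grp_info=[rW1KBh]",
    "get_shm_session:1368 source ip check failed",
]

CLIENT_IP = "14.98.30.86"  # the address the client actually connects from

if __name__ == "__main__":
    for hit in find_source_ip_mismatches(SAMPLE_LOG, CLIENT_IP):
        print(f"sample line {hit['line']}: user={hit['user']} sid={hit['sid']} "
              f"token host {hit['session_host']} != client {hit['client_ip']}")
```

Run it against lines captured with the SSL VPN debug enabled, substituting the client's real public IP for CLIENT_IP; a non-empty result confirms that the session token and the connecting address disagree, which points at NAT, a proxy, or a load balancer on the path rather than at credentials or the authentication server.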


To resolve this issue and allow authentication even if the session token presents a different source IP, disable the source IP check for SSL VPN connections by running the following command in the FortiGate CLI:


config vpn ssl settings
    set auth-session-check-source-ip disable
end


After making this change, SSL VPN should authenticate successfully even if the client IP appears differently in the session token.


Note:

  • Disabling this setting can have security implications, especially in environments with shared or public networks. Ensure this change aligns with the organization's security policies.
  • Starting from v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN'.


Related article:

Technical Tip: How to fix randomly failing SSL VPN with FortiToken push, 'magic checked failed'