Created on 05-21-2025 04:22 AM
Edited on 07-07-2025 05:54 AM
By Jean-Philippe_P
Description: This article describes the solution for the 'source ip check failed' error in SSL VPN debug logs.
Scope: FortiGate.
Solution:
When reviewing SSL VPN debug logs, the following error was observed:
'get_shm_session:1368 source ip check failed'
This issue occurs when the IP address from which the client initiates the connection does not match the IP address listed in the host field of the deconstructed session ID. For example:
Problematic log entry:
deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],authserver=[VPN_LDAP], portal[Test_C2S_VPN],host[106.51.239.226],realm=[],csrf_token=[7FC2779ED24ED3D6029E59C62493015], idx=350, auth=16, sid=3fdef62d,login=1747204866,access=1747204866,saml_logout_url=no,pip=no,grp_info=[hgaCRj], rmt_grp_info=[rW1KBh]
Expected log entry (correct behavior):
deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],authserver=[VPN_LDAP], portal=[Test_C2S_VPN],host[14.98.30.86],realm=[],csrf_token=[7FC2779ED24ED3D6023E59C65493015], idx=350,auth=16, sid=3fdef62d,login=1747204866,access=1747204866,saml_logout_url=no,pip=no,grp_info=[hfaCRj],rmt_grp_info=[iznjt6]
This mismatch triggers the 'source ip check failed' error, which prevents successful authentication and terminates VPN connectivity within a few seconds of a successful connection. This may occur in environments where NAT, proxy services, or load balancing alter the client's apparent public source IP during session establishment.
To resolve this issue and allow authentication even if the session token presents a different source IP, disable the source IP check for SSL VPN connections by running the following commands in the FortiGate CLI:
config vpn ssl settings
    set auth-session-check-source-ip disable
end
After making this change, SSL VPN should authenticate successfully even if the client IP appears differently in the session token.
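Before disabling the check, it helps to know which users and sessions are actually hitting it. The following is an added example, not part of the original article or any Fortinet tooling: it parses saved debug output in the line format shown above, groups deconstruct_session_id entries by sid, and reports sessions seen with more than one host value alongside the number of 'source ip check failed' events. The function names and the sample log are assumptions made for illustration.

```python
import re

# Constructed sample: the first two entries are abridged from the article's log
# lines; the third session (Test_K, 198.51.100.7, sid 0a1b2c3d) is invented.
SAMPLE_LOG = """\
deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],authserver=[VPN_LDAP], portal=[Test_C2S_VPN],host[14.98.30.86],realm=[], idx=350,auth=16, sid=3fdef62d,login=1747204866,access=1747204866
deconstruct_session_id:494 decode session id ok, user=[Test_J_DB], group=[Test_SSL_GROUP],authserver=[VPN_LDAP], portal[Test_C2S_VPN],host[106.51.239.226],realm=[], idx=350, auth=16, sid=3fdef62d,login=1747204866,access=1747204866
get_shm_session:1368 source ip check failed
deconstruct_session_id:494 decode session id ok, user=[Test_K], group=[Test_SSL_GROUP],authserver=[VPN_LDAP], portal=[Test_C2S_VPN],host[198.51.100.7],realm=[], idx=351,auth=16, sid=0a1b2c3d,login=1747204900,access=1747204900
"""

# Fields appear as key=[value], key[value] (e.g. host[...]) or bare key=value (sid=...).
BRACKETED = re.compile(r"(\w+)=?\[([^\]]*)\]")
BARE = re.compile(r"(\w+)=([^,\s\[\]]+)")

def parse_session_line(line):
    """Return the fields of a deconstruct_session_id line, or None for other lines."""
    if "deconstruct_session_id" not in line:
        return None
    fields = dict(BARE.findall(line))
    fields.update(BRACKETED.findall(line))
    return fields

def find_host_changes(lines):
    """Return ({sid: {"user", "hosts"}} for sids seen with >1 host, failure count)."""
    sessions, failures = {}, 0
    for line in lines:
        if "source ip check failed" in line:
            failures += 1
            continue
        f = parse_session_line(line)
        if not f or "sid" not in f or "host" not in f:
            continue
        entry = sessions.setdefault(f["sid"], {"user": f.get("user"), "hosts": []})
        if f["host"] not in entry["hosts"]:
            entry["hosts"].append(f["host"])
    changed = {s: e for s, e in sessions.items() if len(e["hosts"]) > 1}
    return changed, failures

if __name__ == "__main__":
    changed, failures = find_host_changes(SAMPLE_LOG.splitlines())
    print(f"source ip check failures: {failures}")
    for sid, e in changed.items():
        print(f"sid={sid} user={e['user']} hosts={', '.join(e['hosts'])}")
```

A session whose host values belong to the same known NAT or load-balancer pool fits the scenario described above; a host outside the expected ranges is worth reviewing before the check is relaxed.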
Note:
Related article: Technical Tip: How to fix randomly failing SSL VPN with FortiToken push, 'magic checked failed'