Description | This article describes a case where the SSL VPN cannot connect due to a redirect host check issue even though no host check is turned on. |
Scope | FortiGate v6.4, v7.2 and above. |
Solution |
User groups are normally assigned in the SSL VPN portal mapping and in the policy. In some cases, however, an individual user is assigned instead of a user group and is defined in the policy, and that user cannot connect to the SSL VPN.
Symptom: When connecting, FortiClient will not show any error and will return to the login prompt.
Setup: FortiGate with SSL VPN portals using tunnel mode with 'Enabled Based on Policy Destination' and web mode only.
When running the SSL VPN debug, the output is as follows:
948:root:2c]Auth successful for user ami
However, the SSL VPN settings show that host check is not enabled in any portal. The All Other Users/Groups portal has only web mode enabled.
The policy includes only the user as a source, so the portal applied should be 'WEB', but that portal has only web mode enabled. When the user connects to the SSL VPN from FortiClient, FortiClient does not show any error and goes back to the login prompt.
Solution: Ensure that tunnel mode is enabled on the All Users/Groups portal if the user is connecting via FortiClient. |
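To catch this condition before users report it, the following added example (not part of the original article or Fortinet tooling) scans a configuration backup for SSL VPN policy sources whose resolved portal lacks tunnel mode. The sample config is constructed: user 'ami' and portal 'WEB' come from the article, while portal 'TUNNEL', group 'vpn-group' and policy ID 10 are assumptions. Matching is by name only, so group membership and rule order are not evaluated.

```python
import shlex
# Constructed sample of a FortiGate config backup (not taken from the article).
SAMPLE = '''
config vpn ssl web portal
    edit "TUNNEL"
        set tunnel-mode enable
    next
    edit "WEB"
        set web-mode enable
    next
end
config vpn ssl settings
    set default-portal "WEB"
    config authentication-rule
        edit 1
            set groups "vpn-group"
            set portal "TUNNEL"
        next
    end
end
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set users "ami"
        set groups "vpn-group"
    next
end
'''

def no_tunnel_sources(text, tunnel_if="ssl.root"):
    """Return (name, portal) for SSL VPN policy sources whose portal lacks tunnel mode."""
    cfg, path = {}, []
    for tok in map(shlex.split, text.splitlines()):  # index 'set' lines by config/edit path
        if tok[:1] in (["config"], ["edit"]):
            path.append(" ".join(tok[1:]))
        elif tok[:1] in (["end"], ["next"]):
            path.pop()
        elif tok[:1] == ["set"]:
            cfg.setdefault(tuple(path), {})[tok[1]] = tok[2:]
    names = lambda kv: kv.get("users", []) + kv.get("groups", [])
    default = cfg[("vpn ssl settings",)]["default-portal"][0]
    # Explicit mappings; anything else falls to the default (All Other Users/Groups) portal.
    mapped = {n: kv["portal"][0] for p, kv in cfg.items()
              if p[:2] == ("vpn ssl settings", "authentication-rule") for n in names(kv)}
    # Assumption: a portal with no 'set tunnel-mode enable' line has tunnel mode off.
    tunnel = lambda pt: cfg.get(("vpn ssl web portal", pt), {}).get("tunnel-mode") == ["enable"]
    return [(n, mapped.get(n, default)) for p, kv in cfg.items()
            if p[0] == "firewall policy" and tunnel_if in kv.get("srcintf", [])
            for n in names(kv) if not tunnel(mapped.get(n, default))]
print(no_tunnel_sources(SAMPLE))  # [('ami', 'WEB')]
```

Real backups that contain multi-line quoted values (certificates, replacement messages) need those sections stripped first, since this line-based parser expects each line to tokenize on its own.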
Copyright 2024 Fortinet, Inc. All Rights Reserved.