jstan
Staff
Article Id 201818
Description

This article describes why the log message shows that the SSL-VPN login failed with tunnel type=ssl-web when the user logs in from FortiClient.

Scope

FortiGate.
Solution

It is sometimes noticed that whenever a FortiClient user fails to log in, the log shows the user attempting to log in to ssl-web rather than ssl-tunnel:

date=2021-03-26 time=18:27:41 eventtime=1616754461306886988 tz="+0800" logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=192.168.244.156 user="test" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"

  • This is because when tunnel mode/FortiClient is initiated, the traffic first hits the SSL VPN URL over HTTPS; until the login succeeds, the firewall therefore tracks the session as ssl-web mode.
  • Once the tunnel is established, a separate log is generated in which the tunnel type is ssl-tunnel:

date=2021-03-26 time=18:36:08 eventtime=1616754969229860842 tz="+0800" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=856124655 remip=192.168.244.156 tunnelip=10.212.134.200 user="test" group="split-tunnel" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"

Example:

  1. The logs under Log & Report -> Events -> VPN Events show the attack (the repeated failed logins) as coming through SSL-web.

[Screenshot: sslvpn1.JPG]

  2. The SSL VPN portal already has web mode disabled under VPN -> SSL-VPN Portals.

[Screenshot: sslvpn2.JPG]

  3. The log nevertheless shows 'ssl-web'.
  4. To confirm where these logs come from, reproduce the same log using FortiClient only, which means tunnel mode: attempt to log in from FortiClient to the public IP and port configured under the SSL VPN settings.
  5. Take the login username 'rakesh' and any random password. Attempting to connect from FortiClient to the SSL VPN public IP and port with username 'rakesh' and that random password generates the same log, shown below.

[Screenshot: sslvpn3.JPG]

  6. This proves that these logs are generated from tunnel mode, not from web mode.
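To make the point above usable in day-to-day log review, here is an added example (not part of the original article or of any Fortinet tool) that parses FortiGate key=value event lines, labels an ssl-login-fail record logged as ssl-web as "failed before the tunnel came up" rather than as a web-mode login, and counts failures per source address so repeated attempts stand out regardless of the tunneltype shown. The first and last sample lines copy the two events quoted in the article; the other two lines, the 192.0.2.10 address and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample events. The first and last lines copy the two events
# quoted in the article; the middle two are made up to show repeated failures.
SAMPLE_LOGS = [
    'date=2021-03-26 time=18:27:41 eventtime=1616754461306886988 tz="+0800" logid="0101039426" '
    'type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" '
    'action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=192.168.244.156 user="test" '
    'group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"',
    # constructed: second failed attempt from the same source, different username
    'date=2021-03-26 time=18:29:05 tz="+0800" logid="0101039426" type="event" subtype="vpn" level="alert" '
    'vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 '
    'remip=192.168.244.156 user="rakesh" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" '
    'msg="SSL user failed to logged in"',
    # constructed: a failure from a different (documentation-range) address
    'date=2021-03-26 time=18:30:12 tz="+0800" logid="0101039426" type="event" subtype="vpn" level="alert" '
    'vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 '
    'remip=192.0.2.10 user="admin" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" '
    'msg="SSL user failed to logged in"',
    'date=2021-03-26 time=18:36:08 eventtime=1616754969229860842 tz="+0800" logid="0101039947" '
    'type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" '
    'action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=856124655 remip=192.168.244.156 '
    'tunnelip=10.212.134.200 user="test" group="split-tunnel" dst_host="N/A" reason="tunnel established" '
    'msg="SSL tunnel established"',
]

# key=value pairs; a value is either "double-quoted" (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value event line into a dict of string fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare != "" else quoted
    return fields


def classify_sslvpn_event(fields: dict) -> str:
    """Label an SSL VPN event record.

    A failed login is recorded with tunneltype="ssl-web" because the FortiClient
    tunnel-mode handshake starts over HTTPS and the firewall only records
    ssl-tunnel once the tunnel is up. So 'ssl-web' on a login failure does not
    mean web mode is enabled or in use.
    """
    action, ttype = fields.get("action"), fields.get("tunneltype")
    if action == "ssl-login-fail" and ttype == "ssl-web":
        return "login-failed-before-tunnel"  # may well be a FortiClient (tunnel mode) attempt
    if action == "tunnel-up" and ttype == "ssl-tunnel":
        return "tunnel-established"
    return "other"


def failed_logins_by_source(lines) -> dict:
    """Count ssl-login-fail events per remote IP, ignoring the tunneltype field,
    so that repeated failures from one source are visible at a glance."""
    counts = Counter()
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("action") == "ssl-login-fail":
            counts[f.get("remip", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_fortigate_log(line)
        print(f["time"], f["remip"], f["user"], "->", classify_sslvpn_event(f))
    print("failed logins per source:", failed_logins_by_source(SAMPLE_LOGS))
```

Feeding a real VPN event export into `failed_logins_by_source` gives the per-source view a reviewer actually needs; the tunneltype value on the failure records can be disregarded for that purpose, since the article shows it reads ssl-web even when web mode is disabled on the portal.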


Note:
Starting from FortiOS v7.6.3, SSL VPN tunnel mode is no longer supported, and SSL VPN web mode is renamed 'Agentless VPN'.

Related articles:

Technical Tip: Getting alert logs frequently on FortiGate for 'SSL failed users' from the unknown pu...

Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific perce...