FortiGate
alwis (Staff)
Article Id 336435
Description This article describes the issue that occurs when the SSL VPN configuration is set to ban all ciphers: the SSL VPN daemon (sslvpnd) cannot build a usable cipher list and does not start.
Scope FortiGate.
Solution
  1. Run the SSL VPN debug using the following commands:

     diag debug reset
     diag debug app sslvpn -1
     diag debug enable

  2. The following output is observed in the debug:

     [7284:root:0][20758:root:0]common_create_ssl_srv_ctx:1664 cipher list: HIGH:!RC4:!MD5:!aNULL:!eNULL:@STRENGTH:!RSA:!DHE:!ECDHE:!DSS:!ECDSA:!AES:!AES128-SHA256:!AES256-SHA256:!AES128-CCM:!AES256-CCM:!AES128-CCM8:!AES256-CCM8:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!CAMELLIA128-SHA256:!CAMELLIA256-SHA256:!ARIA128-GCM-SHA256:!ARIA256-GCM-SHA384:!AESGCM:!CAMELLIA:!3DES:!SHA1:!SHA256:!SHA384:!CHACHA20:!ARIA:!AESCCM
     [7284:root:0]unable to set ciphers

Because every cipher category has been banned, the resulting OpenSSL cipher string (every "!X" term after HIGH) matches no cipher suite at all. OpenSSL rejects such a string, sslvpnd logs "unable to set ciphers" while creating its SSL server context (common_create_ssl_srv_ctx), and the sslvpnd process cannot come up. No SSL VPN connection is possible until the configuration is corrected.

Solution:

Unset the banned ciphers, or ban only the specific ciphers that must be excluded, so that at least one cipher suite remains available for sslvpnd. After changing the setting, re-run the debug above and confirm that the "unable to set ciphers" line no longer appears.
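The following script is an added example for this article, not Fortinet code: it rebuilds the cipher string shown in the debug output from a list of banned keywords and asks the local OpenSSL (through Python's ssl module) whether anything survives, which is exactly the check that fails inside sslvpnd. Assumptions, labelled in the code: the fixed prefix and the keyword order are read off the page's debug line, the STATIC keyword is taken to be what expands into the individual static-key suites listed between "!AES" and "!AESGCM", and the selective ban list (RSA, DSS, 3DES, SHA1) is an illustrative choice, not a recommendation from the article. OpenSSL 1.1.1 and later reject a cipher string that leaves no TLS 1.2-or-older suite, even though TLS 1.3 suites are configured separately, so the all-banned string fails on any current OpenSSL.

```python
import ssl

# Copied verbatim from the page's common_create_ssl_srv_ctx debug line
# (the configuration with every cipher banned).
DEBUG_CIPHER_LIST = (
    "HIGH:!RC4:!MD5:!aNULL:!eNULL:@STRENGTH:!RSA:!DHE:!ECDHE:!DSS:!ECDSA:!AES:"
    "!AES128-SHA256:!AES256-SHA256:!AES128-CCM:!AES256-CCM:!AES128-CCM8:"
    "!AES256-CCM8:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!CAMELLIA128-SHA256:"
    "!CAMELLIA256-SHA256:!ARIA128-GCM-SHA256:!ARIA256-GCM-SHA384:!AESGCM:"
    "!CAMELLIA:!3DES:!SHA1:!SHA256:!SHA384:!CHACHA20:!ARIA:!AESCCM"
)

# Fixed prefix that precedes the per-ban "!X" terms in the debug line.
BASE = "HIGH:!RC4:!MD5:!aNULL:!eNULL:@STRENGTH"

# Assumption: the STATIC keyword of the banned-cipher setting is what expands
# to these individual static-key suites in the debug line.
STATIC_SUITES = [
    "AES128-SHA256", "AES256-SHA256", "AES128-CCM", "AES256-CCM",
    "AES128-CCM8", "AES256-CCM8", "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "CAMELLIA128-SHA256", "CAMELLIA256-SHA256",
    "ARIA128-GCM-SHA256", "ARIA256-GCM-SHA384",
]

# All banned-cipher keywords, in the order the debug line emits them.
ALL_BANS = [
    "RSA", "DHE", "ECDHE", "DSS", "ECDSA", "AES", "STATIC", "AESGCM",
    "CAMELLIA", "3DES", "SHA1", "SHA256", "SHA384", "CHACHA20", "ARIA", "AESCCM",
]

# Illustrative selective ban (not from the article): drop static RSA key
# exchange, DSS, 3DES and SHA1-MAC suites, keep everything else.
SELECTIVE_BANS = ["RSA", "DSS", "3DES", "SHA1"]


def cipher_string(banned):
    """Build the OpenSSL cipher string in the shape the debug line shows."""
    terms = [BASE]
    for keyword in banned:
        if keyword == "STATIC":
            terms.extend("!" + suite for suite in STATIC_SUITES)
        else:
            terms.append("!" + keyword)
    return ":".join(terms)


def usable_ciphers(cipher_str):
    """Return the TLS 1.2-and-older suites the local OpenSSL keeps for cipher_str.

    SSL_CTX_set_cipher_list() fails when no pre-TLS1.3 suite matches; Python
    surfaces that as ssl.SSLError, which is the "unable to set ciphers"
    condition sslvpnd logs. An empty list means the daemon would not start.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_str)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists TLS 1.3 suites; they are configured separately
    # and do not rescue a cipher string that bans every TLS 1.2 suite.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_ban_list(banned):
    """Return (ok, cipher_string, surviving_suites) for a proposed ban list."""
    cs = cipher_string(banned)
    survivors = usable_ciphers(cs)
    return (len(survivors) > 0, cs, survivors)


if __name__ == "__main__":
    for label, bans in (("ban everything", ALL_BANS),
                        ("ban RSA/DSS/3DES/SHA1 only", SELECTIVE_BANS)):
        ok, cs, survivors = check_ban_list(bans)
        state = "OK" if ok else "unable to set ciphers"
        print(f"{label}: {state} ({len(survivors)} suites left)")
        for name in survivors[:5]:
            print("   ", name)
```

Run the script before committing a ban list: the all-banned case comes back with no suites (the page's failure), while the selective list keeps ECDHE suites and PSK suites and drops only what it names. Note that OpenSSL's "RSA" keyword matches suites that use RSA for both key exchange and authentication (the static AES256-GCM-SHA384 family), not ECDHE-RSA suites, which remain available under the selective list. On the FortiGate itself the setting is banned-cipher under config vpn ssl settings; unset banned-cipher clears it, and set banned-cipher with a shorter list is the selective form.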