FortiGate
Pavan_Chintha
Article Id 371800
Description This article describes a scenario where Central SNAT is enabled on the FortiGate and users are unable to connect to the SSL VPN: the connection stops at 10% with the error 'Unable to establish the VPN connection. The VPN server may be unreachable'.
Scope FortiGate with Central SNAT enabled.
Solution
  1. Check whether the packets are reaching the FortiGate by running the packet sniffer in the CLI:

diagnose sniffer packet any "host x.x.x.x and port y" 4 0 a

Replace x.x.x.x with the public IP of the user trying to connect, and y with the SSL VPN listening port.

There should be packets received at the FortiGate.

  2. Also collect the SSL VPN debug logs in a second CLI session:

diagnose debug application sslvpn -1
diagnose debug enable

If no logs are seen under the SSL debug logs, proceed to step 3.

  3. Verify that the SSL VPN process is present and running on the FortiGate with the following CLI command:

diag sys process pidof sslvpnd

If no sslvpnd process is up and running on the FortiGate, proceed to step 4.

  4. When Central SNAT is enabled on the FortiGate, there must be at least one Central SNAT rule from ssl.root to any destination interface that references the SSL VPN pool and the SSL VPN users as the source.
  5. Verify that the SSL VPN port is open on the listening interface: go to Policy & Objects -> Local In Policy, filter on the SSL VPN listening interface, and check that the port is open.

[Figure: Local In Policy view filtered on the SSL VPN listening interface (local in.png)]
Once this rule and the Local In Policy are in place, the sslvpnd process comes up and users are able to connect to the SSL VPN.
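As an added example (not from this article), the CLI form of the Central SNAT rule described in step 4, with the SSL VPN address pool as the source, followed by the checks from steps 3 and 5. It assumes the default pool object name SSLVPN_TUNNEL_ADDR1 and an egress interface named port1; replace both with the names configured on the unit.

```fortios
# Assumed names: SSL VPN pool object SSLVPN_TUNNEL_ADDR1 (FortiOS default),
# egress interface port1. Source interface ssl.root is the SSL VPN tunnel interface.
config firewall central-snat-map
    edit 1
        set srcintf "ssl.root"
        set dstintf "port1"
        set orig-addr "SSLVPN_TUNNEL_ADDR1"
        set dst-addr "all"
        set nat enable
    next
end

# Confirm the rule was accepted
show firewall central-snat-map

# Step 3 again: sslvpnd should now return a PID
diag sys process pidof sslvpnd

# Step 5 from the CLI: the local-in policy on the SSL VPN listening interface
show firewall local-in-policy
```

If `show firewall local-in-policy` lists a deny rule covering the SSL VPN port on the listening interface, the sniffer in step 1 will show inbound packets with no reply.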