Description This article describes a case where it is not possible to receive a VPN tunnel IP address (-30) even though the IP pool is free.
Scope FortiGate, SSL-VPN.

Sometimes, it is difficult to connect to SSL-VPN, and the connection fails with the error 'Unable to receive VPN tunnel IP address (-30)'.


To check whether the SSL-VPN IP pool is exhausted, view the SSL-VPN user list with the following command:

# get vpn ssl monitor



Enable SSL-VPN debugging and ask the user to connect to the SSL-VPN:


# diag deb app sslvpn -1
# diag deb en


The user list may show that no user is connected to SSL-VPN, while the following error appears in the debug log:

ssvpn_reserve_dynip:1103 failed to get dynamic IP




To resolve this, restart the SSL-VPN service with the following command:

fnsysctl killall sslvpnd


The user should be able to connect to SSL-VPN and obtain an IP successfully.
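
The check described above can be run offline against saved CLI captures. The following is an added example, not Fortinet code: it compares the tunnel addresses in a saved `get vpn ssl monitor` output with the pool range and looks for the debug error, to tell real pool exhaustion apart from the case in this article. The session table layout, the pool range arguments, and all sample users and addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches the debug line quoted in the article, tolerant of the line number.
ERROR_RE = re.compile(r"reserve_dynip:\d+\s+failed to get dynamic IP")

def tunnel_ips(monitor_text):
    """Return IPv4 tunnel addresses from the 'SSL VPN sessions' table."""
    ips, in_sessions = [], False
    for line in monitor_text.splitlines():
        if re.match(r"\s*SSL[- ]VPN sessions:", line, re.I):
            in_sessions = True
            continue
        fields = line.split()
        # Data rows start with a numeric index; the header row starts with "Index".
        if in_sessions and fields and fields[0].isdigit():
            try:
                ips.append(ipaddress.IPv4Address(fields[-1]))
            except ValueError:
                pass  # row without an IPv4 tunnel address (assumed web-mode session)
    return ips

def triage(monitor_text, debug_text, pool_start, pool_end):
    """Classify a capture: is the pool really full, or is only the allocation failing?"""
    lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    used = sum(1 for ip in tunnel_ips(monitor_text) if lo <= ip <= hi)
    if not ERROR_RE.search(debug_text):
        return "no-allocation-error"
    size = int(hi) - int(lo) + 1
    return "pool-exhausted" if used >= size else "pool-free-but-allocation-failed"

# Constructed sample captures (layout assumed, addresses are made up).
MONITOR_EMPTY = """SSL VPN Login Users:
 Index   User    Group   Auth Type   Timeout   From   HTTP in/out   HTTPS in/out

SSL VPN sessions:
 Index   User    Group   Source IP   Duration   I/O Bytes   Tunnel/Dest IP
"""
MONITOR_FULL = MONITOR_EMPTY + (
    " 0   alice   vpn-users   198.51.100.10   120   2209/4322   10.212.134.200\n"
    " 1   bob     vpn-users   198.51.100.11   45    1100/2000   10.212.134.201\n"
)
DEBUG_ERR = "ssvpn_reserve_dynip:1103 failed to get dynamic IP\n"

if __name__ == "__main__":
    print(triage(MONITOR_EMPTY, DEBUG_ERR, "10.212.134.200", "10.212.134.210"))
    print(triage(MONITOR_FULL, DEBUG_ERR, "10.212.134.200", "10.212.134.201"))
```

A result of `pool-free-but-allocation-failed` corresponds to the situation in this article, where restarting the SSL-VPN service is the fix; `pool-exhausted` points to a pool that is too small instead.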