FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198496



This article explains the 'unable to get VPN tunnel IP address (-30)' error and the solution while using Forticlient SSL VPN as the tool.



  1. Find the pictures below: two hosts and using FortiClient to establish the SSL VPN.


  1. From the above images, the first computer can connect to the FortiClient while the second computer gets an error 'unable to obtain an IP address for VPN tunnel (-30)'.

  2. Find the debug error below.
    2020-04-16 07:09:55 [319:root:41]sslvpn_reserve_dynip:1128 failed to get dynamic IP
    2020-04-16 07:09:55 [319:root:41]rmt_fortisslvpn_xml_cb_handler:2398 no more IP address available.
    2020-04-16 07:09:55 [319:root:41]req: /FortiClientSslvpnClearCacheUrl/for/Wini
    2020-04-16 07:09:55 [319:root:41]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
    2020-04-16 07:10:15 [319:root:41]Timeout for connection 0x7f6c36488000.

  3. In order to get rid of this error, check the address range configured under SSL VPN settings.
  1. The above picture shows that there is only 1 IP for FortiClient users and this is why there is this error.

  2. Increasing the address range fixes this problem.