Description | This article describes an issue where the sslvpnd process can cause high CPU usage due to a missing .key file while trying to open the configured certificate. |
Scope | FortiGate. |
Solution |
For analyzing high CPU usage, see: Technical Tip: Debugs for troubleshooting high CPU Issues
If it has been determined that the high CPU usage is being caused by the sslvpnd process, run the SSL VPN debug to help determine what the process is doing.
diagnose debug application sslvpn -1
diagnose debug enable
If the following logs are seen, they indicate that the process cannot open the .key file used for the configured certificate in SSL VPN settings.
[23502:root:0]set cert: root_certificate.cer key: root_certificate.key
[23502:root:0]common_create_ssl_srv_ctx:1710 cipher list: HIGH:!RC4:!MD5:!aNULL:!eNULL:@STRENGTH:!SHA1:!SHA256:!SHA384
[23502:root:0]common_create_ssl_srv_ctx:1734 ciphersuite list: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
[23497:root:0]Reading root_certificate.key for server [0]:4443
[23497:root:0]Can't open key file /etc/cert/local/root_certificate.key
[7732:root:0]sslvpn_parent_child_handler:2633 child fd error! close fd [17].
In this log example, the sslvpnd process is trying to open a certificate named ‘root_certificate.cer’ and the private key file ‘root_certificate.key’. However, the .key file cannot be opened.
To verify whether the .key file is missing, use the command:
fnsysctl ls /etc/cert/local/
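As an added example (not part of the Fortinet article), the following Python script parses sslvpnd debug output in the format quoted above, extracts the configured certificate and key names, and cross-checks any "Can't open key file" path against a listing of /etc/cert/local/. Both the debug text and the directory listing are constructed samples modelled on this article.

```python
import re

# Constructed sample of `diagnose debug application sslvpn -1` output,
# modelled on the lines quoted in the article (not captured from a device).
SAMPLE_DEBUG = """\
[23502:root:0]set cert: root_certificate.cer key: root_certificate.key
[23502:root:0]common_create_ssl_srv_ctx:1710 cipher list: HIGH:!RC4:!MD5:!aNULL:!eNULL:@STRENGTH:!SHA1:!SHA256:!SHA384
[23497:root:0]Reading root_certificate.key for server [0]:4443
[23497:root:0]Can't open key file /etc/cert/local/root_certificate.key
[7732:root:0]sslvpn_parent_child_handler:2633 child fd error! close fd [17].
"""

# Constructed output of `fnsysctl ls /etc/cert/local/` on a unit where the
# .cer was copied over but the matching .key was not (hypothetical listing).
SAMPLE_LISTING = "Fortinet_Factory.cer  Fortinet_Factory.key  root_certificate.cer"

SET_CERT_RE = re.compile(r"set cert: (\S+) key: (\S+)")
CANT_OPEN_RE = re.compile(r"Can't open key file (\S+)")


def parse_sslvpn_debug(text):
    """Return (cert, key, [unreadable key paths]) found in the debug output."""
    cert = key = None
    unreadable = []
    for line in text.splitlines():
        m = SET_CERT_RE.search(line)
        if m:
            cert, key = m.group(1), m.group(2)
        m = CANT_OPEN_RE.search(line)
        if m:
            unreadable.append(m.group(1))
    return cert, key, unreadable


def missing_key_files(listing, unreadable_paths):
    """Keep only the unreadable paths whose file name is absent from the listing."""
    present = set(listing.split())
    return [p for p in unreadable_paths if p.rsplit("/", 1)[-1] not in present]


def diagnose(debug_text, listing):
    """Combine both checks; 'remediate' is True when the configured key is really gone."""
    cert, key, unreadable = parse_sslvpn_debug(debug_text)
    missing = missing_key_files(listing, unreadable)
    return {"cert": cert, "key": key, "missing_key_files": missing,
            "remediate": bool(missing)}


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, SAMPLE_LISTING))
```

A "remediate" result of True corresponds to the situation in this article: switch SSL VPN to another certificate and delete the one whose key file is absent.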
This issue is usually caused by the configuration being copied from another FortiGate. To correct the CPU issue, change the certificate used for SSL VPN to any other certificate (for example, Fortinet_Factory).
In the GUI, the SSL VPN certificate is configured under VPN -> SSL VPN Settings -> Server Certificate; select a different certificate there.
Then delete the certificate whose key file is missing. In the GUI, the certificates are found under System -> Certificates; select the certificate and delete it.
From the CLI the certificate can be deleted with the following commands:
config vpn certificate local
    delete <certificate name>
end
The proper certificate (with both the certificate and its private key) can now be uploaded, and SSL VPN can be configured to use it. For more information on uploading a certificate see: Technical Tip: FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12 and PEM) |