Felizardo
Staff
Article Id 411275
Description

This article describes how to troubleshoot an SSL VPN link monitoring issue when the status is dead with 100% packet loss.

Scope

FortiGate.
Solution

Consider the SSL VPN link monitor configuration below:

config system link-monitor
    edit "ssl_vpn_dynamic"
        set srcintf "ssl.root"
        set server-type dynamic
        set recoverytime 3
    next
end

config system interface
    edit "ssl.root"
        set vdom "root"
        set ip 10.212.134.211 255.255.255.255
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 13
    next
end

First, check the state of the SSL VPN link monitor:

bentley-kvm41 (root) # diagnose sys link-monitor tunnel all
10.212.134.200 (ssl_vpn_dynamic): state=dead, peer=10.212.134.200, create_time=2025-09-14 02:11:58, srcintf=ssl.root, latency=0.000, jitter=0.000, pktloss=100.000%

The link monitor is dead, and the packet loss is 100%.

Second, perform a packet capture on the ssl.root interface. It helps determine why the link monitor is dead, or why it has 100% packet loss.

bentley-kvm41 (root) # diagnose sniffer packet ssl.root 'icmp and host 10.212.134.200' 4 0 l
Using Original Sniffing Mode
interfaces=[ssl.root]
filters=[icmp and host 10.212.134.200]
2025-09-14 02:23:41.893242 ssl.root -- 10.212.134.211 -> 10.212.134.200: icmp: echo request
2025-09-14 02:23:42.394929 ssl.root -- 10.212.134.211 -> 10.212.134.200: icmp: echo request

10.212.134.200 is the IP address that the Windows host obtained from the SSL VPN pool.


It can be observed that FortiGate is sending ICMP echo requests to 10.212.134.200. However, it is not receiving any response back.

Third, check whether the FortiGate packets are reaching the Windows host, and whether the host firewall has been configured to allow ping from the FortiGate. If not, create a rule allowing ICMP echo requests from the FortiGate IP address. To configure the rule on Windows, follow the steps below:

  1. Open Windows Defender Firewall with Advanced Security.
  2. Select Inbound Rules -> New Rule.
  3. Select Custom -> Custom Rule.
  4. Select All programs.
  5. In the Protocol type field, select ICMPv4.
  6. In the 'Local IP address that the rule applies to' field, add the IP address that the host obtained from the SSL VPN pool. In the current example, it is 10.212.134.200.
  7. In the 'Remote IP address that the rule applies to' field, type in the IP address of the FortiGate. In this example, it is 10.212.134.211.
  8. In Action, select Allow the connection.
  9. On the Profile page, ensure that the Domain, Private and Public boxes are ticked.
  10. Name the rule, and then select Finish.
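The same inbound rule can be created from an elevated PowerShell prompt on the client, which is easier to script and to audit than the GUI steps. This is an added example, not code from the Fortinet article; it reuses the two addresses from this article and narrows the rule further than the GUI walkthrough, to ICMPv4 type 8 (echo request) only, which is all the link monitor probe needs.

```powershell
# Added example (not from the Fortinet article): the inbound rule the GUI
# steps above create, built with the NetSecurity module's New-NetFirewallRule.
# Run from an elevated PowerShell on the SSL VPN client.
# The addresses are the ones used in this article; replace them with the
# client's SSL VPN pool address and the FortiGate ssl.root address.
$clientVpnIp = '10.212.134.200'   # IP the host obtained from the SSL VPN pool
$fortiGateIp = '10.212.134.211'   # IP of the FortiGate ssl.root interface
$ruleName    = 'Allow ICMP echo from FortiGate link monitor'

# Remove an earlier copy so re-running the script does not create duplicates.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# ICMPv4 type 8 = echo request, so the rule admits only the probe the link
# monitor sends, only from the FortiGate address, on all three profiles
# (the Domain/Private/Public boxes in the GUI wizard).
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound `
    -Program Any `
    -Protocol ICMPv4 `
    -IcmpType 8 `
    -LocalAddress $clientVpnIp `
    -RemoteAddress $fortiGateIp `
    -Action Allow `
    -Profile Domain, Private, Public `
    -Enabled True | Out-Null

# Verify the rule took effect and shows the expected, narrow scope.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$addr = $rule | Get-NetFirewallAddressFilter
$port = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Name     = $rule.DisplayName
    Enabled  = $rule.Enabled
    Action   = $rule.Action
    Profiles = $rule.Profile
    Local    = $addr.LocalAddress
    Remote   = $addr.RemoteAddress
    Protocol = $port.Protocol
    IcmpType = $port.IcmpType
}
```

After the rule is in place, re-run `diagnose sys link-monitor tunnel all` on the FortiGate; the state should move from dead to alive once the recovery time has elapsed.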

Fourth, check the state of the SSL VPN link monitor again:

bentley-kvm41 (root) # diagnose sys link-monitor tunnel all
10.212.134.200 (ssl_vpn_dynamic): state=alive, peer=10.212.134.200, create_time=2025-09-14 02:11:58, srcintf=ssl.root, latency=2.361, jitter=0.678, pktloss=0.000%

The state of the monitor has changed to 'alive' with 0% packet loss.

Note: The SSL VPN tunnel has been disabled starting on v7.4 for specific models: Technical Tip: SSL VPN support on FortiGate models

This is a security measure taken by Fortinet; SSL VPN is replaced by IPsec VPN tunnels, which offer stronger cryptography and encryption options. This guide provides detailed information about the migration process: SSL VPN to IPsec VPN Migration