calink
Staff
Article Id 330239
Description

This article describes why there may be blank output when running SSL VPN debug commands. This assumes that traffic is confirmed to be hitting the FortiGate's WAN interface where the SSL VPN is hosted, using a sniffer.

Scope

FortiGate.

Solution

The SSL VPN debug commands provided by TAC will generate output when a client attempts to connect to the SSL VPN.

Basic SSL VPN debugs will be:

diagnose debug disable
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug enable

To disable debugs:

diagnose debug disable

If there is no output, a debug filter is most likely in place. To view the current active filter, use the following command:

diagnose vpn ssl debug-filter

To clear the filter, run the following command:

diagnose vpn ssl debug-filter clear

Keep in mind that the SSL VPN debug filter persists across different CLI sessions (console, SSH, serial) and, unlike other debug filters, is not cleared by 'diagnose debug reset'; it is removed only by 'diagnose vpn ssl debug-filter clear' or when the FortiGate is rebooted/restarted.

After the filter is cleared, attempt to connect to the SSL VPN again.

If there is still no output, capture a debug flow to make sure the packets are not being dropped:

diagnose debug reset
diagnose debug flow filter addr x.x.x.x     <----- This should be the public IP of the user who is trying to connect.
diagnose debug flow filter port yyy         <----- Port on which the SSL VPN listens.
diagnose debug flow trace start 1000
diagnose debug enable

To stop the debug:

diagnose debug reset
diagnose debug disable
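The following script is an added example, not part of this article or of FortiOS: it wraps the procedure above so that the persistent SSL VPN debug filter is cleared before the debugs start, the client IP and port are validated before they are placed in the flow filter, and the stop sequence is always sent so debugs are never left running on the firewall. It sends the sslvpn application debug and the debug flow in one sequence rather than as two separate passes, and it assumes placeholder variables FGT_HOST and FGT_USER for the management address and admin account, and that the FortiGate accepts CLI commands on stdin over SSH (verify this on your firmware).

```shell
# Added example (not from the article): runs the article's SSL VPN debug
# procedure over SSH with input validation and guaranteed clean-up.
# Assumes FGT_HOST/FGT_USER placeholders and CLI commands accepted on stdin.

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept only a TCP port in 1-65535 (the SSL VPN listening port).
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Start sequence: clear the persistent SSL VPN debug filter first, then enable
# the sslvpn application debug plus a debug flow scoped to client IP and port.
build_debug_commands() {
    valid_ipv4 "$1" || { echo "invalid client IP: $1" >&2; return 1; }
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    printf '%s\n' \
        "diagnose vpn ssl debug-filter clear" \
        "diagnose debug disable" \
        "diagnose debug reset" \
        "diagnose debug application sslvpn -1" \
        "diagnose debug flow filter addr $1" \
        "diagnose debug flow filter port $2" \
        "diagnose debug flow trace start 1000" \
        "diagnose debug enable"
}

# Stop sequence, sent unconditionally so debugs are never left running.
stop_debug_commands() {
    printf '%s\n' "diagnose debug reset" "diagnose debug disable"
}

# Usage: FGT_HOST=<mgmt-ip> run_capture <client_ip> <port> <seconds>
# Starts the debugs, waits while the user retries, stops them, saves the log.
run_capture() {
    cmds=$(build_debug_commands "$1" "$2") || return 1
    { printf '%s\n' "$cmds"; sleep "$3"; stop_debug_commands; } \
        | ssh "${FGT_USER:-admin}@${FGT_HOST:?set FGT_HOST first}" \
        | tee "sslvpn-debug-$(date +%s).log"
}
```

Run it from a host that can reach the FortiGate management interface, for example FGT_HOST=192.0.2.1 run_capture 203.0.113.10 10443 60 (constructed sample values), and ask the user to retry the connection during the wait window.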