jvaishnav (Staff)
Article Id 189542

Description

This article describes how to troubleshoot various SSL VPN issues.

 

Scope

FortiOS v6.4, v7.0, v7.2, v7.4, up to v7.6.2.

Solution

SSL VPN debug commands:

Use the following diagnostic commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.

diagnose debug disable
diagnose debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x   <----- Replace x.x.x.x with the source public IP address of the FortiClient.
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable

 

To display a list of the options available under the filter, use '?' after 'debug-filter':

diagnose vpn ssl debug-filter ?

clear:     Erase the current filter.
list:      Display the current filter.
src-addr4: IPv4 source address range.
src-addr6: IPv6 source address range.
vd:        Name of virtual domain.
negate:    Negate the specified filter parameter.

To clear the filter, enter the following command:

diagnose vpn ssl debug-filter clear


Note:

x.x.x.x should be the public IP of the connecting user. The filter will ensure that the debug information relevant only to traffic from the specified IP address is captured, helping to focus on specific client troubleshooting.

The CLI displays debug output similar to the following:

 

[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
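The debug output above is easiest to read when it is grouped per client. The following is an added example (it is not Fortinet code and not part of the article): it parses the '[pid:vdom]SSL state: ...' lines, keys each handshake on the sslvpn worker pid in square brackets (the 'SSL established' line carries no client address, so the pid is the only field both line types share), and reports whether each client reached 'SSL established' or stalled at an earlier state. The sample lines are constructed, modelled on the format shown in the article, with 198.51.100.7 as a documentation-range address for a client that never finishes the handshake.

```python
"""Triage 'diagnose debug application sslvpn -1' output per client.

Added example, not Fortinet code: groups the 'SSL state:' lines by the [pid:vdom]
prefix, records the client address from the trailing parentheses, and reports
whether each handshake reached 'SSL established'.
"""
import re

# Constructed sample, modelled on the debug lines shown in the article: client
# 172.20.120.12 completes the handshake, client 198.51.100.7 stops after the
# server hello (the pattern seen when the client never sends its Finished).
SAMPLE_DEBUG = """\
[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
[283:root]SSL state:before/accept initialization (198.51.100.7)
[283:root]SSL state:SSLv3 read client hello A (198.51.100.7)
[283:root]SSL state:SSLv3 write server hello A (198.51.100.7)
"""

# 'SSL state:' lines carry the client address in parentheses; the 'SSL established:'
# line does not, so sessions are keyed on the [pid:vdom] prefix that both share.
STATE_RE = re.compile(
    r"^\[(?P<pid>\d+):(?P<vdom>[^\]]+)\]SSL state:(?P<state>.*?)\s*\((?P<ip>[0-9A-Fa-f.:]+)\)\s*$"
)
ESTAB_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^\]]+)\]SSL established: (?P<cipher>\S+)")


def triage_sslvpn_debug(text):
    """Return {(pid, vdom): {"client", "states", "cipher"}} for every worker seen."""
    sessions = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            key = (m["pid"], m["vdom"])
            s = sessions.setdefault(key, {"client": m["ip"], "states": [], "cipher": None})
            s["states"].append(m["state"])
            continue
        m = ESTAB_RE.match(line)
        if m:
            key = (m["pid"], m["vdom"])
            s = sessions.setdefault(key, {"client": None, "states": [], "cipher": None})
            s["cipher"] = m["cipher"]
    return sessions


def handshake_verdict(session):
    """'established <cipher>' when the handshake completed, else the last state seen."""
    if session["cipher"]:
        return "established " + session["cipher"]
    if not session["states"]:
        return "no state lines"
    return "stalled after: " + session["states"][-1]


def stalled_clients(sessions):
    """Client addresses whose handshake never reached 'SSL established'."""
    return sorted(s["client"] for s in sessions.values() if not s["cipher"] and s["client"])


if __name__ == "__main__":
    result = triage_sslvpn_debug(SAMPLE_DEBUG)
    for (pid, vdom), s in sorted(result.items()):
        print(f"[{pid}:{vdom}] {s['client']}: {handshake_verdict(s)}")
```

Paste the captured debug into SAMPLE_DEBUG (or read it from a file) and the script prints, per worker, the client address and the last handshake state; a client that stalls at 'write server hello' is usually a client-side TLS or path problem rather than an authentication one, which is the point at which to move on to the sniffer and fnbamd checks below.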

 

Run the following command before the SSL VPN debug commands to reset any previously enabled debug output:

diagnose debug reset


Use the following diagnostic commands to identify remote user authentication issues.

 

diagnose debug application fnbamd -1
diagnose debug enable

 

Use the following diagnostic commands to identify SAML user authentication issues.

 

diagnose debug application samld -1

diagnose debug enable

 

After capturing the logs needed for troubleshooting, disable and reset the debug output to stop SSL VPN daemon debugging:

diagnose debug disable
diagnose debug reset

 

Troubleshooting common issues:

To troubleshoot getting no response from the SSL VPN URL:

Starting from v7.4, SSL VPN GUI menu visibility is disabled by default. If SSL VPN web mode and tunnel mode were configured in a FortiOS firmware version before upgrading to FortiOS v7.4.1 and above, then the VPN -> SSL-VPN menus and SSL VPN web mode settings will remain visible in the GUI.

 

To enable the SSL VPN GUI menu, go to System -> Feature Visibility and toggle the SSL VPN radio button.

 


  • Go to VPN -> SSL-VPN Settings. Check the SSL VPN port assignment. Make sure the port number does not conflict with HTTPS or Virtual IPs.


 

  • Check the restricted access setting to ensure there is no restriction for hosts trying to connect.

 


 

  • Go to Policy & Objects -> Firewall Policy. Check that the policy for SSL VPN traffic is configured correctly.



 

  • From v7.6.x and above, the User/Group option has been moved to a separate dedicated field in the firewall policy.

 


 

  • Check the URL to connect to. It follows this pattern: https://<FortiGate FQDN or IP>:<SSL VPN port>. Check that the correct port number is used in the URL. Ensure FortiGate is reachable from the computer.



 

  • Ping <FortiGate IP> to see if it is reachable (If PING is enabled on the FortiGate interface).
  • Check that the browser has enabled TLS 1.1, TLS 1.2, and TLS 1.3.
  • When using FQDN to connect, make sure it resolves to the IP address of the FortiGate correctly.
  • Check local-in-policy in the FortiGate CLI by running 'show firewall local-in-policy'.

 

To troubleshoot FortiGate connection issues:

  • Check the Release Notes to ensure that the FortiClient version is compatible with the version of FortiOS.
  • FortiClient uses the IE security settings. In IE Internet options -> Advanced -> Security, check that Use TLS 1.1 and Use TLS 1.2 are enabled.
  • Check that the SSL VPN 'ip-pools' have free IPs to assign. The default SSL VPN client range SSLVPN_TUNNEL_ADDR1 has 10 IP addresses.
  • Export and check FortiClient debug logs. Go to File -> Settings. In the Logging section, enable Export logs, set the Log Level to Debug, and select Clear logs. Try to connect to the VPN. When a connection error is detected, select 'Export logs'.
  • If the SSL VPN is not established, it is also essential to verify if the connection packets are reaching the FortiGate by using a sniffer:

 

diagnose sniffer packet any 'port XXXXX and host y.y.y.y' 4 0 l

 

Where 'XXXXX' is the port used for the SSL VPN connection (10443, for instance) and 'y.y.y.y' is the public IP of the user trying to connect to the SSL VPN. If no packets appear in the FortiGate packet sniffer, this indicates a likely client network issue. Verify the port forwarding configuration in the modem and with the ISP.

 

To troubleshoot SSL VPN hanging or disconnecting at 48%:

 

To troubleshoot SSL VPN hanging or disconnecting at 98%:
A new SSL VPN driver was added to FortiClient v5.6.0 and later to resolve SSL VPN connection issues. If the FortiOS version is compatible, upgrade to use one of these versions. With long network latency, the FortiGate can timeout the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. In v5.6.0 and later, use the following commands to allow a user to increase the SSL VPN login timeout setting.

 

config vpn ssl settings
    set login-timeout 180   <----- Default is 30.
    set dtls-hello-timeout 60   <----- Default is 10.
end

 

To troubleshoot tunnel mode connections shutting down after a few seconds:
This happens if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the session to become 'dirty'.

To allow multiple interfaces to connect, use the following CLI commands.

For v6.0.1 or later:

 

config system interface
    edit <name>
        set preserve-session-route enable
    next
end

 

Note:

preserve-session-route keeps a session's route on the WAN (ISP) interface where the session was established.

For example, when network changes are made, traffic for that session continues to use the same WAN interface.

 

For v6.0.0 or earlier:

 

config vpn ssl settings
    set route-source-interface enable
end

 

To troubleshoot users being assigned to the wrong IP range:
Go to VPN -> SSL-VPN Portals and VPN -> SSL-VPN Settings and ensure the same IP pool is used in both places. Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.

 

To troubleshoot SSL VPN traffic being denied by the implicit deny policy:

Ensure that the user is a member of the correct group. Ensure the group is configured correctly on the intended SSL VPN firewall policy.

 

get vpn ssl monitor | grep <PC Public IP>   <----- Change <PC Public IP> to the PC Public IP address.

 

get vpn ssl monitor
SSL-VPN Login Users:
|Index|User|Group|Auth Type|Idle-Timeout|Auth-Timeout|From|HTTP in/out|HTTPS in/out|Two-factor Auth|
|0|nathan_1|Local_Group|1(1)|243|28743|172.xxx.xxx.xxx|0/0|0/0|0|

 

show firewall policy | grep ssl.root -f
config firewall policy
    edit 7
        set name "SSLVPN"
        set srcintf "ssl.root" <--
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "10.218.0.0_24"
        set schedule "always"
        set service "ALL"
        set groups "Local_Group"
    next
end
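The two outputs above answer the question together: the 'Group' column of 'get vpn ssl monitor' shows which group the user authenticated with, and the 'groups' (or 'users') setting of the accept policy from 'ssl.root' shows who that policy admits. The following is an added example (not Fortinet code and not part of the article) that parses both outputs and lists the SSL VPN policies that cover a given user; an empty result is the implicit-deny case described above. The sample outputs are constructed in the formats shown in the article, with documentation-range source addresses and an extra user and policy added for contrast.

```python
"""Cross-check an SSL VPN user's group against the SSL VPN firewall policies.

Added example, not Fortinet code. parse_ssl_monitor() reads the 'SSL-VPN Login Users'
table from 'get vpn ssl monitor', parse_policies() reads 'show firewall policy' output,
and check_user_policy() returns the accept policies on the SSL VPN interface whose
'groups' or 'users' cover the logged-in user.
"""
import shlex

# Constructed samples in the formats shown in the article.
MONITOR_SAMPLE = """\
SSL-VPN Login Users:
|Index|User|Group|Auth Type|Idle-Timeout|Auth-Timeout|From|HTTP in/out|HTTPS in/out|Two-factor Auth|
|0|nathan_1|Local_Group|1(1)|243|28743|198.51.100.7|0/0|0/0|0|
|1|maria_2|Contractors|1(1)|300|28800|203.0.113.9|0/0|0/0|0|
"""

POLICY_SAMPLE = """\
config firewall policy
    edit 7
        set name "SSLVPN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "10.218.0.0_24"
        set schedule "always"
        set service "ALL"
        set groups "Local_Group"
    next
    edit 8
        set name "LAN-to-servers"
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_ssl_monitor(text):
    """Return {user: {"group": ..., "from": ...}} from the login-users table."""
    users, header = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            header = None          # a heading or a new table starts; forget the old header
            continue
        cells = line.strip("|").split("|")
        if header is None:
            header = cells
            continue
        row = dict(zip(header, cells))
        if "User" in row:          # only the login-users table has a User column
            users[row["User"]] = {"group": row["Group"], "from": row["From"]}
    return users


def parse_policies(text):
    """Return a list of {"id": ..., "<setting>": [values...]} from 'show firewall policy'."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()   # drop inline '<----- note' annotations
        if line.startswith("edit "):
            cur = {"id": line.split()[1]}
        elif line.startswith("set ") and cur is not None:
            parts = shlex.split(line[4:])    # handles quoted, multi-valued settings
            cur[parts[0]] = parts[1:]
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
    return policies


def check_user_policy(user, users, policies, ssl_intf="ssl.root"):
    """IDs of accept policies from ssl_intf whose groups/users include this user.

    An empty list means no policy matches the user's traffic, so it falls to the
    implicit deny: fix the group membership or the policy's User/Group field."""
    if user not in users:
        return []
    group = users[user]["group"]
    hits = []
    for pol in policies:
        if ssl_intf not in pol.get("srcintf", []) or pol.get("action") != ["accept"]:
            continue
        if group in pol.get("groups", []) or user in pol.get("users", []):
            hits.append(pol["id"])
    return hits


if __name__ == "__main__":
    users = parse_ssl_monitor(MONITOR_SAMPLE)
    policies = parse_policies(POLICY_SAMPLE)
    for name in users:
        print(name, users[name]["group"], "->", check_user_policy(name, users, policies) or "implicit deny")
```

With the constructed samples, nathan_1 (Local_Group) matches policy 7, while maria_2 (Contractors) matches nothing: that is the situation the article describes, and the fix is on the policy's group list or the user's group membership, not on the tunnel.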

 

To troubleshoot whether a node with a smaller MTU on the path is causing communication issues:

  1. Set the df-bit to yes or no and ping the destination IP address. Set df-bit to yes to prevent the ICMP packet from being fragmented, and no to allow the ICMP packet to be fragmented.

execute ping-options df-bit yes
execute ping <destination-ip>

  2. Reduce the ping data size (to test a smaller MTU) and ping the destination.

execute ping-options data-size 1472
execute ping <destination-ip>


To troubleshoot slow SSL VPN throughput:
Many factors can contribute to slow throughput.
This recommendation aims to improve throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS v5.4 and above.


DTLS allows SSL VPN to encrypt traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.
FortiClient v5.4.0 to v5.4.3 uses DTLS by default.
FortiClient v5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.


To enable DTLS in FortiClient:
Go to Settings and enable 'Preferred DTLS Tunnel'.

 


To enable the DTLS tunnel on FortiGate, use the following CLI commands:

 

config vpn ssl settings
    set dtls-tunnel enable  <----- Default setting in SSL VPN.
end

 

Excessive failed login attempts (brute force) can lead to high resource consumption and slow performance. To prevent it, do the following:

 

Additionally, to check the basic SSL VPN statistics, run the following command with the proper parameter:

 

diagnose vpn ssl [list/info/statistics/debug-filter/hw-acceleration-status]

               

  • list: for current connections.
  • info: for general information.
  • statistics: for memory usage, concurrent and maximum connections.
  • hw-acceleration-status: for the hardware acceleration status.   

 

Note:

  • From v7.2.1 and later versions, SSL VPN Hardware acceleration has been removed.
  • Starting from v7.2.6+, v7.4.1+, and v7.6.0, the 'diagnose vpn ssl' command has additional options:

 

v7.2.6+:

 

[list/mux/mux-stat/statistics/tunnel-test/web-mode-test/saml-metadata/info/blocklist/debug-filter/client]

 

v7.4.1+:

 

[list/mux/mux-stat/statistics/tunnel-test/web-mode-test/saml-metadata/info/blocklist/dist-usr/peer-name/usr-chg/debug-filter/client]

 

For slow file transfer issues, refer to Troubleshooting Tip: Error 'SSL-VPN slow file transfer issue'.

 

SSL VPN support depends on firmware version:

  • In FortiOS v7.6.0 and above, SSL VPN is not supported on physical FortiGate devices with 2GB RAM or less. See the notice SSL VPN removed from 2GB RAM models for tunnel and web mode.
  • To confirm the amount of memory present on a FortiGate, enter the command 'diagnose hardware sysinfo conserve' in the CLI. If the 'total RAM' is less than 2000 MB, the device has 2 GB RAM or less.

    diagnose hardware sysinfo conserve
    memory conserve mode: off
    total RAM: 1917 MB
    memory used: 1028 MB 53% of total RAM
    memory freeable: 323 MB 16% of total RAM
    memory used + freeable threshold extreme: 1821 MB 95% of total RAM
    memory used threshold red: 1687 MB 88% of total RAM
    memory used threshold green: 1572 MB 82% of total RAM


  • In FortiOS v7.6.3 and above, SSL VPN tunnel mode is not supported for any FortiGate model. In these firmware versions, SSL VPN web mode is renamed to 'Agentless VPN'.
  • If SSL VPN is in use for remote access, it is strongly recommended to migrate to IPsec VPN before upgrading to a firmware version that removes support for SSL VPN tunnel mode.
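Before planning an upgrade across many units, the two rules above (the 2000 MB 'total RAM' threshold from v7.6.0 on physical models, and the removal of tunnel mode for every model from v7.6.3) are worth encoding once. The following is an added example (not Fortinet code and not part of the article) that parses 'diagnose hardware sysinfo conserve' output and returns whether tunnel mode and web mode remain available on a target release. The conserve output is a constructed copy of the sample shown above; the 'physical' flag and the function names are this example's own.

```python
"""Pre-upgrade check: does this FortiGate keep SSL VPN on a target FortiOS release?

Added example, not Fortinet code. total_ram_mb() parses 'diagnose hardware sysinfo
conserve' output; sslvpn_support() applies the article's rules: from v7.6.0, physical
units whose 'total RAM' is below 2000 MB (the 2 GB-or-less models) lose tunnel and web
mode, and from v7.6.3 tunnel mode is gone for every model while web mode continues as
'Agentless VPN'.
"""
import re

# Constructed sample in the format shown in the article (a 2 GB unit reports 1917 MB).
CONSERVE_SAMPLE = """\
memory conserve mode: off
total RAM: 1917 MB
memory used: 1028 MB 53% of total RAM
memory freeable: 323 MB 16% of total RAM
memory used + freeable threshold extreme: 1821 MB 95% of total RAM
memory used threshold red: 1687 MB 88% of total RAM
memory used threshold green: 1572 MB 82% of total RAM
"""

LOW_MEMORY_MB = 2000   # below this, the unit is a 2 GB-or-less model per the article


def total_ram_mb(text):
    """Extract the 'total RAM: N MB' value; raises if the line is missing."""
    m = re.search(r"^total RAM:\s*(\d+)\s*MB", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'total RAM' line in conserve output")
    return int(m.group(1))


def parse_version(version):
    """'v7.6.2' or '7.6.2' -> (7, 6, 2) so releases compare numerically."""
    return tuple(int(p) for p in version.lower().lstrip("v").split("."))


def sslvpn_support(target_version, ram_mb, physical=True):
    """Return (tunnel_mode_supported, web_mode_supported) for the target release."""
    ver = parse_version(target_version)
    low_memory_removed = physical and ver >= (7, 6, 0) and ram_mb < LOW_MEMORY_MB
    tunnel = ver < (7, 6, 3) and not low_memory_removed
    web = not low_memory_removed          # renamed 'Agentless VPN' from v7.6.3
    return (tunnel, web)


def upgrade_advice(conserve_output, target_version, physical=True):
    """One-line verdict for a change ticket."""
    ram = total_ram_mb(conserve_output)
    tunnel, web = sslvpn_support(target_version, ram, physical)
    if not tunnel:
        return (f"{target_version}: SSL VPN tunnel mode unavailable (total RAM {ram} MB); "
                "migrate remote access to IPsec VPN before upgrading")
    return f"{target_version}: SSL VPN tunnel and web mode available (total RAM {ram} MB)"


if __name__ == "__main__":
    for target in ("v7.4.5", "v7.6.0", "v7.6.3"):
        print(upgrade_advice(CONSERVE_SAMPLE, target))
```

Run it against the saved conserve output of each unit with the release you intend to deploy; any 'tunnel mode unavailable' verdict means the IPsec migration in the next section has to happen before the upgrade, not after.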

 

SSL VPN to IPsec VPN Migration Resources:

SSL VPN to IPsec VPN

IPsec VPN - FortiGate 7.6.3 administration guide

Phase 1 configuration - FortiGate 7.6.3 administration guide

Part 2: Configuring IPsec tunnels using the VPN wizard - FortiGate 7.6.0 documentation

 

FortiClient v7.4.4 and above does not support IKEv1. If planning to deploy FortiClient v7.4.4 or later, ensure that IKEv2 is configured.

 

Related documents:

Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific perce...

Troubleshooting Tip: SSL VPN fails at 98%

Technical Tip: Unable to establish the VPN connection: 'The VPN server may be unreachable. (-5053)

Troubleshooting Tip: How to workaround the VPN error 'Unable to establish the VPN connection . The V...

FortiOS v7.6.3 Release Notes | SSL VPN tunnel mode replaced with IPsec VPN

Troubleshooting Tip: When logging in with SSL VPN, the error 'Credential or SSL VPN configuration is... 

Troubleshooting Tip: Common SSL VPN problems and their solutions

Technical Tip: Debugging SSL VPN Using TVC on FortiGate

Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4