- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiScan
- FortiSandbox
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- Customer Service
- Community Groups
- Article Ideas
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Troubleshooting Tip: SSL VPN Troubleshooting
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes how to troubleshoot SSL VPN issue.
Solution
SSL VPN debug command.
Use the following diagnose commands to identify SSL VPN issues.
These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.
Use the following diagnose commands to identify remote user authentication issues.
To troubleshoot getting no response from the SSL VPN URL:
- Go to VPN -> SSL-VPN Settings.
- Check the SSL VPN port assignment.
- Check the restrict access setting to ensure the host connected from is allowed.
- Go to Policy -> IPv4 Policy or Policy -> IPv6 policy.
- Check that the policy for SSL VPN traffic is configured correctly.
- Check the URL to connect to. It follows this pattern: https://<FortiGate IP>:<Port>
- Check the correct port number in the URL is used. Ensure FortiGate is reachable from the computer.
- ping <FortiGate IP>
-Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3 enabled.
To troubleshoot FortiGate connection issues.
- Check the Release Notes to ensure that the FortiClient version is compatible with the version of FortiOS.
FortiClient uses IE security setting, In IE Internet options -> Advanced -> Security, check that Use TLS 1.1 and Use TLS 1.2 are enabled.
- Check that SSL VPN 'ip-pools' has free IPs to sign out.
The default 'ip-pools' SSLVPN_TUNNEL_ADDR1 has 10 IP addresses.
Export and check FortiClient debug logs.
Go to File -> Settings.
In the Logging section, enable Export logs.
Set the Log Level to Debug and select Clear logs.
Try to connect to the VPN.
When connection error is get, select 'Export logs'.
To troubleshoot SSL VPN hanging or disconnecting at 98%.
A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues.
If the FortiOS version is compatible, upgrade to use one of these versions.
Latency or poor network connectivity can cause the login timeout on the FortiGate.
In FortiOS 5.6.0 and later, use the following commands to allow a user to increase the SSL VPN login timeout setting.
This is happening if there are multiple interfaces connected to the Internet, for example, SD-WAN.
This can cause the session to become 'dirty'.
To allow multiple interfaces to connect, use the following CLI commands.
For version 6.0.1 or later.
Go to VPN -> SSL-VPN Portals and VPN -> SSL-VPN Settings and ensure the same IP pool is used in both places.
Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.
To troubleshoot slow SSL VPN throughput.
Many factors can contribute to slow throughput.
This recommendation tries to improve throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.
DTLS allows SSL VPN to encrypt traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.
FortiClient 5.4.0 to 5.4.3 uses DTLS by default.
FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.
To use DTLS with FortiClient.
Go to File -> Settings and enable 'Preferred DTLS Tunnel'
.
To enable DTLS tunnel on FortiGate, use the following CLI commands.
This article describes how to troubleshoot SSL VPN issue.
Solution
SSL VPN debug command.
Use the following diagnose commands to identify SSL VPN issues.
These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.
# diagnose debug application sslvpn -1The CLI displays debug output similar to the following:
# diagnose debug enable
[282:root]SSL state:before/accept initialization (172.20.120.12)To disable the debug.
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
# diagnose debug disableRemote user authentication debug command.
# diagnose debug reset
Use the following diagnose commands to identify remote user authentication issues.
# diagnose debug application fnbamd -1Troubleshooting common issues.
# diagnose debug reset
To troubleshoot getting no response from the SSL VPN URL:
- Go to VPN -> SSL-VPN Settings.
- Check the SSL VPN port assignment.
- Check the restrict access setting to ensure the host connected from is allowed.
- Go to Policy -> IPv4 Policy or Policy -> IPv6 policy.
- Check that the policy for SSL VPN traffic is configured correctly.
- Check the URL to connect to. It follows this pattern: https://<FortiGate IP>:<Port>
- Check the correct port number in the URL is used. Ensure FortiGate is reachable from the computer.
- ping <FortiGate IP>
-Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3 enabled.
To troubleshoot FortiGate connection issues.
- Check the Release Notes to ensure that the FortiClient version is compatible with the version of FortiOS.
FortiClient uses IE security setting, In IE Internet options -> Advanced -> Security, check that Use TLS 1.1 and Use TLS 1.2 are enabled.
- Check that SSL VPN 'ip-pools' has free IPs to sign out.
The default 'ip-pools' SSLVPN_TUNNEL_ADDR1 has 10 IP addresses.
Export and check FortiClient debug logs.
Go to File -> Settings.
In the Logging section, enable Export logs.
Set the Log Level to Debug and select Clear logs.
Try to connect to the VPN.
When connection error is get, select 'Export logs'.
To troubleshoot SSL VPN hanging or disconnecting at 98%.
A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues.
If the FortiOS version is compatible, upgrade to use one of these versions.
Latency or poor network connectivity can cause the login timeout on the FortiGate.
In FortiOS 5.6.0 and later, use the following commands to allow a user to increase the SSL VPN login timeout setting.
# config vpn ssl settingsTo troubleshoot tunnel mode connections shutting down after a few seconds.
set login-timeout 180 (default is 30)
set dtls-hello-timeout 60 (default is 10)
end
This is happening if there are multiple interfaces connected to the Internet, for example, SD-WAN.
This can cause the session to become 'dirty'.
To allow multiple interfaces to connect, use the following CLI commands.
For version 6.0.1 or later.
# config system interfaceFor version 6.0.0 or earlier.
edit <name>
set preserve-session-route enable
next
end
# config vpn ssl settingsTo troubleshoot users being assigned to the wrong IP range.
set route-source-interface enable
end
Go to VPN -> SSL-VPN Portals and VPN -> SSL-VPN Settings and ensure the same IP pool is used in both places.
Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.
To troubleshoot slow SSL VPN throughput.
Many factors can contribute to slow throughput.
This recommendation tries to improve throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.
DTLS allows SSL VPN to encrypt traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.
FortiClient 5.4.0 to 5.4.3 uses DTLS by default.
FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.
To use DTLS with FortiClient.
Go to File -> Settings and enable 'Preferred DTLS Tunnel'
.
To enable DTLS tunnel on FortiGate, use the following CLI commands.
# config vpn ssl settings
set dtls-tunnel enable
end
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.