Description
This article describes how to troubleshoot the SSL VPN issue.
Scope
FortiGate v6.4.x, v7.0.x, v7.2.x, v7.4.x, v7.6.x.
Solution
SSL VPN debug command.
Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.
diagnose vpn ssl debug-filter src-addr4 x.x.x.x
diagnose debug application sslvpn -1
diagnose debug enable
Note:
x.x.x.x should be the public IP of the connecting user. The filter will ensure that the debug information relevant only to traffic from the specified IP address is captured, helping to focus on specific client troubleshooting.
The CLI displays debug output similar to the following:
[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
To disable the debug.
diagnose debug disable
diagnose debug reset
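As an added example (not part of the Fortinet article), the following Python script parses debug output in the format shown above and reports, per client IP, whether the TLS handshake completed and with which cipher, or the last handshake state reached before the output stopped. The sample log lines are constructed for the example; note that the 'SSL established' line carries no client IP, so the script ties it back to the client through the [pid:vdom] prefix that the state lines share.

```python
import re

# Constructed sample of FortiGate SSL VPN debug output in the format shown
# above (not real captured data): client 172.20.120.12 completes the
# handshake, client 198.51.100.7 stalls right after its ClientHello.
SAMPLE_DEBUG = """\
[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
[283:root]SSL state:before/accept initialization (198.51.100.7)
[283:root]SSL state:SSLv3 read client hello A (198.51.100.7)
"""

# "[pid:vdom]SSL state:<state> (<client ip>)"
STATE_RE = re.compile(r"^\[(\d+):[^\]]+\]SSL state:(.*?)\s*\(([\d.]+)\)\s*$")
# "[pid:vdom]SSL established: <cipher> ..." carries no client IP, so it is
# tied back to the client through the worker pid in the bracket prefix.
ESTAB_RE = re.compile(r"^\[(\d+):[^\]]+\]SSL established:\s*(\S+)")

def summarize_handshakes(debug_text):
    """Group state lines by worker pid; keep client IP, states seen and cipher."""
    sessions = {}
    for line in debug_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            pid, state, ip = m.groups()
            s = sessions.setdefault(pid, {"ip": ip, "states": [], "cipher": None})
            s["states"].append(state)
            continue
        m = ESTAB_RE.match(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)]["cipher"] = m.group(2)
    return sessions

def verdicts(sessions):
    """Per client IP: the cipher established, or the last state before the output stopped."""
    out = {}
    for s in sessions.values():
        if s["cipher"]:
            out[s["ip"]] = "established " + s["cipher"]
        else:
            out[s["ip"]] = "stalled after: " + s["states"][-1]
    return out
```

Run the debug-filter commands above with the client's public IP, paste the captured output in place of the sample, and a client that never reaches 'SSL negotiation finished successfully' is reported with the state at which its handshake stopped.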
Remote user authentication debug command.
Use the following diagnose commands to identify remote user authentication issues.
diagnose debug application fnbamd -1
diagnose debug enable
Use the following diagnose commands to identify SAML user authentication issues.
diagnose debug application samld -1
diagnose debug enable
Troubleshooting common issues:
To troubleshoot getting no response from the SSL VPN URL:
Note:
Starting from FortiGate v7.4, SSL VPN GUI menu visibility is disabled by default. If SSL VPN web mode and tunnel mode were configured in a FortiOS firmware version before upgrading to FortiOS 7.4.1 and above, then the VPN -> SSL-VPN menus and SSL VPN web mode settings will remain visible in the GUI.
To enable the SSL VPN GUI menu, go to System -> Feature Visibility and toggle the SSL VPN radio button.
To troubleshoot FortiGate connection issues.
To troubleshoot SSL VPN hanging or disconnecting at 48%.
To troubleshoot SSL VPN hanging or disconnecting at 98%.
A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If the FortiOS version is compatible, upgrade to one of these versions. Latency or poor network connectivity can cause a login timeout on FortiGate. In v5.6.0 and later, use the following commands to increase the SSL VPN login timeout settings.
config vpn ssl settings
set login-timeout 180 (default is 30)
set dtls-hello-timeout 60 (default is 10)
end
To troubleshoot tunnel mode connections shutting down after a few seconds.
This happens if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the session to become 'dirty'.
To allow multiple interfaces to connect, use the following CLI commands.
For v6.0.1 or later.
config system interface
edit <name>
set preserve-session-route enable
next
end
For v6.0.0 or earlier.
config vpn ssl settings
set route-source-interface enable
end
To troubleshoot users being assigned to the wrong IP range.
Go to VPN -> SSL-VPN Portals and VPN -> SSL-VPN Settings and ensure the same IP pool is used in both places. Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.
To troubleshoot slow SSL VPN throughput.
Many factors can contribute to slow throughput.
This recommendation aims to improve throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.
DTLS allows SSL VPN to encrypt traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.
FortiClient 5.4.0 to 5.4.3 uses DTLS by default.
FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.
To use DTLS with FortiClient:
Go to File -> Settings and enable 'Preferred DTLS Tunnel'.
To enable the DTLS tunnel on FortiGate, use the following CLI commands.
config vpn ssl settings
set dtls-tunnel enable
end
Too many failed login attempts (brute force) can cause high resource consumption and slow down performance. To prevent it, do the following:
Additionally, to check the basic SSL VPN statistics, run the following command with the proper parameter:
diagnose vpn ssl [list/info/statistics/debug-filter/hw-acceleration-status]
Notes:
v7.2.6+:
[list/mux/mux-stat/statistics/tunnel-test/web-mode-test/saml-metadata/info/blocklist/debug-filter/client]
v7.4.1+:
[list/mux/mux-stat/statistics/tunnel-test/web-mode-test/saml-metadata/info/blocklist/dist-usr/peer-name/usr-chg/debug-filter/client]
For slow file transfer issues, refer to this article.
Note:
SSL VPN is no longer supported on FortiGate with 2 GB RAM or less, starting from v7.6.0 and above.
Related document:
SSL VPN removed from 2GB RAM models for tunnel and web mode
To confirm if a FortiGate has 2 GB RAM or less, enter the command 'diagnose hardware sysinfo conserve' in CLI. If the total RAM is less than 2000 MB, it means the device has 2 GB RAM or less.