asharopov
Staff
Article Id 189444

Description

This article describes how to check why SSL VPN connections are not possible when the SSL VPN process has entered its own conserve mode. When this is triggered, it leaves the following trace in the crashlog:

diagnose debug crashlog read

Output example:


2010-11-02 20:09:22 SSL VPN enter conserve mode.


Typical behavior: no SSL VPN web portal connections are accepted, and users receive the error '503 Service Temporarily Unavailable'.


Scope


FortiGate.

Solution


SSL VPN in FortiOS has its own conserve mode, which is triggered before the regular system conserve mode. It is caused by memory pressure on the system.

Troubleshooting steps:


  1. Check the overall memory consumption of the system. If it is at the higher end, follow these steps:

Run the following command:

diag sys top-summary

In version 7.2.x and later, the following command can also be used:

diag sys top-mem


If the FortiGate is in VDOM mode, make sure to switch to the relevant VDOM before running the command.

  2. Check whether SSL VPN conserve mode has occurred on the system:


Fortigate # diag vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit:               1
System total memory:       2111090688
System free memory:        1140170752
SSLVPN memory margin:      314572800
SSLVPN state:              conserve

Max number of users:       1
Max number of tunnels:     0
Max number of connections: 6

Current number of users:       0
Current number of tunnels:     0
Current number of connections: 0

Solution: Adjust settings such as UTM profiles, traffic shaping, logging, or any other process that uses large amounts of memory, to reduce the memory consumption of the FortiGate firewall.
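As an added example (not part of the Fortinet article or of FortiOS), the following Python script parses the 'diag vpn ssl statistics' and 'diagnose debug crashlog read' output shown above, as collected from a CLI session, flags the conserve state, and reports the free memory relative to the SSL VPN memory margin; the sample output below is constructed from the article's example values.

```python
import re

# Constructed sample output, modelled on the article's example (not captured from a live device).
SAMPLE_STATS = """\
SSLVPN statistics (root):
------------------
Memory unit:               1
System total memory:       2111090688
System free memory:        1140170752
SSLVPN memory margin:      314572800
SSLVPN state:              conserve

Max number of users:       1
Current number of connections: 0
"""
SAMPLE_CRASHLOG = "2010-11-02 20:09:22 SSL VPN enter conserve mode.\n"


def parse_ssl_stats(text):
    """Turn the 'Key: value' lines of 'diag vpn ssl statistics' into a dict (numbers become ints)."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s+(\S+)\s*$", line)
        if m:
            key, value = m.group(1).strip(), m.group(2)
            stats[key] = int(value) if value.isdigit() else value
    return stats


def conserve_events(crashlog):
    """Return the timestamps of 'SSL VPN enter conserve mode' entries found in crashlog output."""
    pattern = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SSL VPN enter conserve mode", re.M)
    return pattern.findall(crashlog)


def assess(stats):
    """Report the SSL VPN state together with free memory and its headroom above the SSL VPN margin."""
    unit = stats.get("Memory unit", 1)  # values are multiples of this unit (1 = bytes)
    total = stats["System total memory"] * unit
    free = stats["System free memory"] * unit
    margin = stats["SSLVPN memory margin"] * unit
    return {
        "in_conserve": stats.get("SSLVPN state") == "conserve",
        "free_pct": round(100 * free / total, 1),
        "headroom_bytes": free - margin,  # free memory above the SSL VPN margin
    }


if __name__ == "__main__":
    print("conserve events:", conserve_events(SAMPLE_CRASHLOG))
    print("memory state:", assess(parse_ssl_stats(SAMPLE_STATS)))
```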


Related documents: