AnthonyH
Staff
Article Id 331141
Description: This article describes the message 'fsv_blocklist_check:65 locked' seen in SSL VPN debug logs.
Scope: FortiGate, FortiClient.
Solution

While troubleshooting users who are unable to connect to SSL VPN, the debug logs may show the error 'fsv_blocklist_check:65 locked'.

To collect the SSL VPN debug output, run the following commands:

diagnose vpn ssl debug-filter src-addr4 <public_ip>
diagnose debug application sslvpn -1
diagnose debug enable

To stop the debug, run the following commands:

diagnose debug disable
diagnose debug reset

Example debug output:

[5324:root:23]req: /remote/info
[5324:root:23]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[5324:root:23]capability flags: 0x3cdf
[5324:root:23]req: /remote/login
[5324:root:23]rmt_web_auth_info_parser_common:533 no session id in auth info
[5324:root:23]rmt_web_get_access_cache:885 invalid cache, ret=4103
[5324:root:23]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[5324:root:23]fsv_blocklist_check:65 locked: rowid=1,host=192.168.10.110
[5324:root:23]req: /remote/logincheck
[5324:root:23]fsv_blocklist_check:65 locked: rowid=1,host=192.168.10.110
[5324:root:23]Transfer-Encoding n/a
[5324:root:23]Content-Length 173
[5324:root:23]readPostEnter:19 Post Data length 0.
[5324:root:23]sslConnGotoNextState:318 error (last state: 1, closeOp: 0)
[5324:root:23]Destroy sconn 0x548de800, connSize=0. (root)
[5324:root:23]SSL state:warning close notify (192.168.10.110)

 

Solution:

This message appears because an incorrect username and password were attempted too many times, so the firewall blocks the source from connecting to the VPN.
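
When a capture covers many users, the locked sources can be pulled out of the debug output with a script. The Python below is an added example, not part of the original article or any Fortinet tool; it assumes the bracketed prefix is process id, VDOM and connection id, and that the number after fsv_blocklist_check can differ between builds.

```python
import re

# Constructed sample: lines taken from the debug output above, plus one made-up
# connection (id 24, host 203.0.113.7) that is not locked.
SAMPLE = """\
[5324:root:23]req: /remote/login
[5324:root:23]fsv_blocklist_check:65 locked: rowid=1,host=192.168.10.110
[5324:root:23]req: /remote/logincheck
[5324:root:23]fsv_blocklist_check:65 locked: rowid=1,host=192.168.10.110
[5324:root:23]SSL state:warning close notify (192.168.10.110)
[5324:root:24]req: /remote/login
[5324:root:24]SSL state:warning close notify (203.0.113.7)
"""

# Assumption: the prefix is [process id:VDOM:connection id].
PREFIX = re.compile(r"^\[(\d+):([^:\]]+):([^\]]+)\](.*)$")
REQ = re.compile(r"^req: (\S+)")
# Assumption: the number after the function name can change between builds.
LOCKED = re.compile(r"fsv_blocklist_check:\d+ locked: rowid=(\d+),host=(\S+)")

def find_locked_sources(text):
    """Map each locked host to its VDOM, rowid, hit count and request paths."""
    last_req = {}  # (pid, vdom, conn) -> most recent request path seen
    locked = {}
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # CLI echo, blank lines or other non-debug output
        pid, vdom, conn, msg = m.groups()
        req = REQ.match(msg)
        if req:
            last_req[(pid, vdom, conn)] = req.group(1)
            continue
        hit = LOCKED.search(msg)
        if hit:
            entry = locked.setdefault(
                hit.group(2),
                {"vdom": vdom, "rowid": int(hit.group(1)), "hits": 0, "requests": []},
            )
            entry["hits"] += 1
            path = last_req.get((pid, vdom, conn), "unknown")
            if path not in entry["requests"]:
                entry["requests"].append(path)
    return locked

if __name__ == "__main__":
    for host, info in find_locked_sources(SAMPLE).items():
        print(host, info)
```

Each host in the result is a source the firewall refused because of the blocklist; the request paths show at which step of the login the refusal was logged.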


On a supported version (v7.2.6+, v7.4.1+, v7.6.0+), it is possible to view this blocklist and remove the IP address from it.

See this article for more details: Technical Tip: How to unblock IP addresses from the SSL VPN blocklist

Related article:

Technical Tip: How to limit SSL VPN login attempts and block duration