FortiGate
smaruvala
Staff
Article Id 369685
Description This article explains how to perform basic troubleshooting for host check failures in SSL VPN on FortiGate.
Scope FortiGate, SSL VPN.
Solution
  • The host check feature in FortiGate lets the administrator define specific parameters that restrict SSL VPN access. With host check enabled, only endpoints that meet the configured criteria can establish an SSL VPN connection to the FortiGate.
  • If a host check fails, FortiClient displays a message stating that the endpoint did not meet the required parameters. Below is a screenshot of this message.

FCT_Hostcheck.png

  • The VPN event logs on the FortiGate also record this in the 'SSL tunnel shutdown' message; the log details give more information about the reason.

FGT_hostcheck.png

  • On the FortiGate, run the following debug commands to troubleshoot the issue:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable

  • If the FortiGate needs to perform a host check, the debug shows the line below. If no host check is involved, the value of 'hostchk needed' will be zero:

2025-01-13 07:20:41 [2029:root:7]rmt_hcinstall_cb_handler:288 hostchk needed : 1.

  • If a host check is needed, the FortiGate performs the required validation and prints an error in the debug output if the host check fails. The example lines below show a host check failure.

2025-01-13 07:20:41 [2029:root:7]req: /remote/hostcheck_validate
2025-01-13 07:20:41 [2029:root:7]Transfer-Encoding n/a
2025-01-13 07:20:41 [2029:root:7]Content-Length 493
2025-01-13 07:20:41 [2029:root:7]readPostEnter:19 Post Data length 493.
2025-01-13 07:20:41 [2029:root:7]rmt_hcvalidate_cb_handler:327 enter
2025-01-13 07:20:41 [2029:root:7]host check result:4 0000,10.0.19045,00:63:68:61:86:01|00:63:68:61:86:02
2025-01-13 07:20:41 [2029:root:7]rmt_hcvalidate_cb_handler:400 hostcheck validation failed  --> Indicates host check failure

  • The numeric value 4 after 'host check result' indicates that a custom host check configuration has failed. The value is 1 for 'Antivirus check', 2 for 'Firewall check', and 3 if 'enable both' has been configured under VPN -> SSL VPN Portals -> Edit VPN Portal -> Host Check.
  • The debug output also shows the MAC addresses of the end user's network interfaces, which can be used for a MAC address check. If the endpoint has multiple MAC addresses, they are separated by '|' in the debug output.
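To make triage of the debug output above repeatable, here is an added Python helper (not part of this article or of any Fortinet tool) that scans 'diagnose debug application sslvpn -1' lines, maps the 'host check result' code to the check type documented above, splits the '|'-separated MAC addresses and flags a 'hostcheck validation failed' line. The sample debug lines are constructed from the ones shown in this article; the leading comma-separated fields after the result code are left uninterpreted because the article does not document them.

```python
import re

# Numeric code after 'host check result:' -> host check type, as documented above.
HOSTCHECK_TYPES = {
    1: "Antivirus check",
    2: "Firewall check",
    3: "Antivirus and Firewall check (enable both)",
    4: "Custom host check",
}
NEEDED_RE = re.compile(r"hostchk needed\s*:\s*(\d+)")
RESULT_RE = re.compile(r"host check result:(\d+)\s+(\S+)")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
FAILED_MARK = "hostcheck validation failed"

def parse_hostcheck_debug(lines):
    """Summarise sslvpn debug lines: was a host check needed, which type, which
    endpoint MACs were reported, and did validation fail."""
    summary = {"needed": None, "code": None, "check_type": None,
               "macs": [], "raw_fields": [], "failed": False}
    for line in lines:
        m = NEEDED_RE.search(line)
        if m:
            summary["needed"] = m.group(1) != "0"   # zero means no host check
            continue
        m = RESULT_RE.search(line)
        if m:
            code = int(m.group(1))
            summary["code"] = code
            summary["check_type"] = HOSTCHECK_TYPES.get(code, f"unknown ({code})")
            fields = m.group(2).split(",")
            # Leading fields are kept uninterpreted (not documented in the article);
            # the last field carries the endpoint MAC addresses, '|'-separated.
            summary["raw_fields"] = fields[:-1]
            summary["macs"] = [x for x in fields[-1].split("|") if MAC_RE.match(x)]
            continue
        if FAILED_MARK in line:
            summary["failed"] = True
    return summary

# Constructed sample, modelled on the debug output shown in this article.
SAMPLE_DEBUG = """\
2025-01-13 07:20:41 [2029:root:7]rmt_hcinstall_cb_handler:288 hostchk needed : 1.
2025-01-13 07:20:41 [2029:root:7]req: /remote/hostcheck_validate
2025-01-13 07:20:41 [2029:root:7]host check result:4 0000,10.0.19045,00:63:68:61:86:01|00:63:68:61:86:02
2025-01-13 07:20:41 [2029:root:7]rmt_hcvalidate_cb_handler:400 hostcheck validation failed
""".splitlines()

if __name__ == "__main__":
    print(parse_hostcheck_debug(SAMPLE_DEBUG))
```

Feed it the captured debug session (for example via `parse_hostcheck_debug(open("sslvpn.log").read().splitlines())`) to get the check type and the MAC list to compare against the portal's host check and MAC address configuration.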