knaveenkumar
Staff
Article Id 267856
Description This article describes how to resolve an SSL VPN connection failure.
Scope SSL VPN connections that fail with the error 'credential or SSL VPN configuration is wrong.' (-7200).
Solution

The user is not able to connect to the SSL VPN, and the error 'credential or SSL VPN configuration is wrong.' (-7200) is seen.

 

fct.PNG

 

To see what is going wrong with the SSL VPN, run the following debug commands:


diagnose debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

 

To clear the filter, enter the following command:

 

diagnose vpn ssl debug-filter clear

 

Note:

x.x.x.x should be the public IP of the connecting user. The filter ensures that only debug information for traffic from the specified IP address is captured, which keeps the output focused on the client being troubleshot.

 

Here is the output after a failed connection attempt:

 

fnbamd.PNG

 

The debug output shows that the FortiGate is configured with an LDAP server and that the user is a member of two groups: 'example_group' and 'Domain Users'. However, the LDAP group configured in the policy is missing the AD group information.

 

ldap.PNG

 

 

Here is the configuration after an AD group is added:

 

ldap.PNG

 

Once applied, the user will be able to connect to the SSL VPN successfully.

 

fct.PNG
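
The fix shown in the screenshots can also be expressed in the FortiOS CLI. The following is an added example, not taken from the original article: the names SSLVPN_LDAP_Users and LDAP_Server and the group DN are placeholders, and example_group is the AD group named in the debug output above.

```fortios
# Lines starting with '#' are annotations for the reader.
# Assumed placeholder names: SSLVPN_LDAP_Users (firewall user group),
# LDAP_Server (the LDAP server object), and the constructed group DN.

config user group
    edit "SSLVPN_LDAP_Users"
        # The LDAP server that authenticates the user.
        set member "LDAP_Server"
        config match
            edit 1
                set server-name "LDAP_Server"
                # Full distinguished name of the AD group. It has to match
                # a group that fnbamd reports for the user in the debug.
                set group-name "CN=example_group,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Confirm the credentials and the groups returned by the LDAP server
# before retrying the VPN connection.
diagnose test authserver ldap LDAP_Server <username> <password>
```

Matching on the specific AD group rather than a broad one such as 'Domain Users' limits SSL VPN access to the users who are meant to have it.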