Description
This article provides the basic troubleshooting commands for SSL VPN issues.
Scope
FortiGate.
Solution
To check basic SSL VPN statistics, run the following command with the appropriate parameter:
diagnose vpn ssl [list/info/statistics/debug-filter/hw-acceleration-status]
On v7.2 and later, 'hw-acceleration-status' has been removed from the command list and replaced by 'diagnose vpn ssl blocklist', which shows the list of blocked users that exceed the 'login-attempt-limit'.
To see the entire list of debug messages for the SSL VPN connections, run the following debug commands:
diagnose vpn ssl debug-filter src-addr4 x.x.x.x <----- Replace x.x.x.x with the public IP address of the client to limit the debug output to that one client IP address.
diagnose debug application sslvpn -1 <----- Shows the SSL VPN connection messages.
diagnose debug application fnbamd -1 <----- Shows the authentication process.
diagnose debug application authd -1 <----- Shows the authenticated users.
diagnose debug application samld -1 <----- Use if SAML authentication is being used to connect to the SSL VPN.
diagnose debug enable <----- Starts the debug process.
diagnose debug disable <----- Stops the debug process.
Related article:
Troubleshooting Tip: SSL VPN Troubleshooting - Fortinet Community
Copyright 2025 Fortinet, Inc. All Rights Reserved.