FortiGate
asharopov
Staff

Description
This article describes how to check why SSL VPN connections are not possible.
When the condition is triggered, it leaves the following trace in the crash log:


#2010-11-02 20:09:22 SSL VPN enter conserve mode.


Typical behavior: no SSL VPN web portal connections are accepted. Users get a "503 Service Temporarily Unavailable" error.

Solution
SSL VPN in FortiOS has its own conserve mode, which is triggered before the regular system conserve mode. The cause is memory pressure on the system.

Troubleshooting steps:

1) Check the general memory consumption. If it is at the high end, continue with the following steps:

#diag sys top-summary


2) Change to the VDOM, if one is configured.

3) Check if SSLVPN conserve mode has occurred in the system:

Fortigate # diag vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit:               1
System total memory:       2111090688
System free memory:        1140170752
SSLVPN memory margin:      314572800
SSLVPN state:              conserve

Max number of users:       1
Max number of tunnels:     0
Max number of connections: 6

Current number of users:       0
Current number of tunnels:     0
Current number of connections: 0

Solution: Reduce memory consumption by optimizing the firewall configuration (UTM profiles, traffic shaping, logging, etc.).
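The checks in steps 1 to 3 can be automated against saved CLI output. The following is an added example, not Fortinet code: it parses `diag vpn ssl statistics` output and crash log lines in the formats quoted above and reports which VDOMs are in SSL VPN conserve mode. The function names are hypothetical, the sample input is constructed from this article, and it assumes that output collected from several VDOMs is concatenated into one text.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the output quoted in this article.
SAMPLE_STATS = """\
SSLVPN statistics (root):
------------------
Memory unit:               1
System total memory:       2111090688
System free memory:        1140170752
SSLVPN memory margin:      314572800
SSLVPN state:              conserve
"""
SAMPLE_CRASHLOG = "#2010-11-02 20:09:22 SSL VPN enter conserve mode.\n"

EVENT_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SSL VPN enter conserve mode")

def parse_sslvpn_stats(text):
    """Parse 'diag vpn ssl statistics' output into {vdom: {field: value}}."""
    vdoms, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*SSLVPN statistics \((.+)\):", line)
        if header:  # a new per-VDOM section starts
            current = vdoms.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            current[key.strip()] = int(value) if value.isdigit() else value
    return vdoms

def conserve_report(stats_text, crashlog_text=""):
    """Return VDOMs whose SSLVPN state is 'conserve' and crash log event times."""
    in_conserve = {}
    for vdom, f in parse_sslvpn_stats(stats_text).items():
        # Assumption: any state other than 'conserve' means not in conserve mode.
        if str(f.get("SSLVPN state", "")).lower() != "conserve":
            continue
        total, free = f.get("System total memory"), f.get("System free memory")
        used_pct = None
        if isinstance(total, int) and isinstance(free, int) and total > 0:
            used_pct = round(100 * (total - free) / total, 1)
        in_conserve[vdom] = {"used_pct": used_pct,
                             "margin": f.get("SSLVPN memory margin")}
    events = [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
              for m in EVENT_RE.finditer(crashlog_text)]
    return {"conserve_vdoms": in_conserve, "events": events}

if __name__ == "__main__":
    print(conserve_report(SAMPLE_STATS, SAMPLE_CRASHLOG))
```

The report lists only the state the device itself prints; it does not try to derive the conserve threshold from the memory margin value.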
