FortiGate
asharopov
Staff
Article Id 189444

Description

 

This article describes how to check why SSL VPN connections are not possible because the SSL VPN daemon has entered its own conserve mode.
When SSL VPN conserve mode is triggered, it leaves the following trace in the crashlog:

 

diagnose debug crashlog read

 

Output example: 

 

2010-11-02 20:09:22 SSL VPN enter conserve mode.

 

The typical behavior: No SSL VPN Web portal connections are accepted. Users get the '503 Service Temporarily Unavailable' error.

 

Scope

 

FortiGate.

Solution

 

SSL VPN in FortiOS has its own conserve mode, which is triggered before the regular system conserve mode. It is caused by memory pressure on the system. FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.

Troubleshooting steps:

 

  1. Check the overall memory consumption. If it is on the high end, follow these steps:

 

Run the following command: 

 

diagnose system top-summary

 

In version 7.2.x and above, the following command can be used:

 

diagnose system top-mem

 

If the firewall is in VDOM mode, make sure to change to the VDOM.

  2. Check if SSL VPN conserve mode has occurred in the system:

 

Fortigate # diagnose vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit:               1
System total memory:       2111090688
System free memory:        1140170752
SSLVPN memory margin:      314572800
SSLVPN state:              conserve

Max number of users:       1
Max number of tunnels:     0
Max number of connections: 6

Current number of users:       0
Current number of tunnels:     0
Current number of connections: 0

Solution: Adjust settings such as UTM profiles, traffic shaping, logging, or any process that is using large amounts of memory, to reduce the memory consumption of the FortiGate firewall.
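The two checks above can be automated over saved CLI output. The following is an added example, not Fortinet code: it parses 'diagnose vpn ssl statistics' text per VDOM, reports which VDOMs show 'SSLVPN state: conserve', and extracts conserve-mode timestamps from crashlog text. The function names are hypothetical and the inputs are abridged copies of the samples in this article.

```python
import re
from datetime import datetime

# Constructed input: abridged copies of the sample outputs shown in this article.
STATS_OUTPUT = """\
Fortigate # diagnose vpn ssl statistics
SSLVPN statistics (root):
------------------
System total memory:       2111090688
System free memory:        1140170752
SSLVPN memory margin:      314572800
SSLVPN state:              conserve

Current number of users:       0
Current number of connections: 0
"""
CRASHLOG_OUTPUT = "2010-11-02 20:09:22 SSL VPN enter conserve mode.\n"

def parse_sslvpn_stats(text):
    """Return {vdom: {field: value}}; numeric values become int."""
    result, current = {}, None
    for line in text.splitlines():
        header = re.match(r"SSLVPN statistics \((.+)\):", line.strip())
        if header:
            current = result.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition(":")
        value = value.strip()
        if current is None or not sep or not value:
            continue
        current[key.strip()] = int(value) if value.isdigit() else value
    return result

def vdoms_in_conserve(stats):
    """VDOMs whose 'SSLVPN state' field reads 'conserve'."""
    return [v for v, f in stats.items() if f.get("SSLVPN state") == "conserve"]

def conserve_events(crashlog):
    """Timestamps of 'SSL VPN enter conserve mode' crashlog entries."""
    pat = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SSL VPN enter conserve mode", re.M)
    return [datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for ts in pat.findall(crashlog)]

if __name__ == "__main__":
    stats = parse_sslvpn_stats(STATS_OUTPUT)
    for vdom in vdoms_in_conserve(stats):
        f = stats[vdom]
        pct = 100 * f["System free memory"] / f["System total memory"]
        print(f"{vdom}: SSL VPN conserve mode, {pct:.1f}% of system memory free")
    print("crashlog entries:", conserve_events(CRASHLOG_OUTPUT))
```

Feed it the text captured from each VDOM; the crashlog timestamps show when the condition started, which helps correlate with the memory consumers listed by the top commands.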

 
