Troubleshooting Tip: Why SSL VPN connectivity fails at 10%

1. If the SSL VPN is behind NAT it will fail at 10%. For this issue, it is necessary to do a port forwarding rule for the SSL VPN port and point it to the FortiGate WAN interface IP on your ISP modem. See Technical Tip: SSL VPN behind NAT for more information on this.
2. Make sure that internet connectivity is working on the remote user end:

3. Make sure to be able to telnet the SSL VPN server IP on the SSL VPN port on the remote system.

4. Make sure that the SSL VPN configuration on FortiClient is correct:

5. Make sure the external public IP is not getting denied by the firewall local in the policy. Check the below screenshot for how to locate local in policy on FortiGate:

6. Make sure to use the server certificate in SSL VPN settings in FortiGate:

7. Make sure that there is a firewall policy with Interface an SSL VPN tunnel interface:

8. Make sure there is no open VIP for all the ports on the firewall with the same external IP and also no VIP with a forward port to the same SSL VPN port:

9. Sometimes, if a source address is defined in the SSL VPN settings and the Source negate option is enabled in the VPN setting on CLI, then the process will also fail at 10%. Disabling source-address-negate will make it pass this 10% fail error.

    config vpn ssl setting

        set source-address-negate disable

    end

All these reasons can cause SSL VPN to fail at 10%. Make sure all these are correct and if still does not work, feel free to open a TAC support case if require any further help.