FortiGate
rsondal
Staff
Article Id 275149
Description

This article describes why an SSL VPN connection stops at 10% because of a network connectivity problem between the remote client and the FortiGate, and lists the checks that resolve it.

Scope
FortiGate.
Solution
  1. If the FortiGate's SSL VPN is behind NAT, the connection will fail at 10%. In that case, create a port forwarding rule on the ISP modem for the SSL VPN port that points to the FortiGate WAN interface IP. See Technical Tip: SSL VPN behind NAT for more information.
  2. Make sure that internet connectivity is working on the remote user's end:

(Screenshot: 1.JPG)

  3. Make sure the SSL VPN server IP can be reached with telnet on the SSL VPN port from the remote system:

(Screenshot: 2.JPG)

  4. Make sure that the SSL VPN configuration on FortiClient is correct:

(Screenshot: 3.JPG)

  5. Make sure the client's external public IP is not denied by a local-in policy on the firewall. See the screenshot below for how to locate the local-in policy on the FortiGate:

(Screenshot: 4.JPG)

  6. Make sure a server certificate is selected in the SSL VPN settings on the FortiGate:

(Screenshot: 5.JPG)

  7. Make sure there is a firewall policy whose incoming interface is the SSL VPN tunnel interface:

(Screenshot: 6.JPG)

  8. Make sure there is no VIP on the firewall that forwards all ports of the same external IP, and no VIP that port-forwards the SSL VPN port itself. Either one matches the incoming traffic before the SSL VPN daemon sees it:

(Screenshot: 7.JPG)

(Screenshot: 8.JPG)

  9. If a source address is defined in the SSL VPN settings and the 'Source negate' option is enabled in the VPN settings on the CLI, the connection will also fail at 10%. Disabling source-address-negate lets it pass the 10% stage:

    config vpn ssl settings
        set source-address-negate disable
    end

  10. Make sure the setting 'Restrict access' is set to 'Allow access from any host'. If it is set to 'Limit access to specific hosts', make sure the client's public IP is in the allowed list:

(Screenshot: Screenshot 2024-12-17 092021.jpg)

Any of these causes can make the SSL VPN connection fail at 10%. Check each of them; if the connection still does not work, open a TAC support case for further help.
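The server certificate, VIP conflict and source-address-negate checks in the list above can be read directly from a configuration backup instead of clicking through the GUI. The script below is an added example written for this article, not Fortinet code or a FortiOS feature: it parses the config/edit/set/next/end backup format, then reports a missing server certificate, a VIP whose external IP is the SSL VPN listener address (all ports, or a port-forward range covering the SSL VPN port), and source-address-negate enabled. The embedded SAMPLE_CONFIG is constructed for illustration; the interface name wan1, the 203.0.113.x addresses, the VIP names and the mapped 10.0.0.x hosts are assumptions.

```python
"""Audit a FortiOS configuration backup for the "fails at 10%" causes that are
visible in the configuration: no server certificate, a VIP on the SSL VPN
listener address (all ports or the SSL VPN port), and source-address-negate
enabled. Added example, not Fortinet code; SAMPLE_CONFIG is constructed."""
import shlex


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' text into
    {section: {entry: {key: [values]}}}; keys set outside 'edit' go under ''."""
    sections, stack = {}, []
    section = entry = None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":              # enter a (possibly nested) section
            stack.append((section, entry))
            section = sections.setdefault(" ".join(args), {})
            entry = section.setdefault("", {})
        elif cmd == "edit":
            entry = section.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = section[""]
        elif cmd == "end":
            section, entry = stack.pop()
    return sections


def port_in_range(port, spec):
    """True if port (str) lies in a FortiOS port spec such as '443' or '440-450'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)


def audit_sslvpn(cfg):
    """Return findings; an empty list means none of the checked causes is set."""
    findings = []
    ssl = cfg.get("vpn ssl settings", {}).get("", {})
    port = ssl.get("port", ["443"])[0]           # FortiOS default SSL VPN port
    ifaces = cfg.get("system interface", {})
    listen_ips = {ifaces[i]["ip"][0] for i in ssl.get("source-interface", [])
                  if "ip" in ifaces.get(i, {})}

    if not ssl.get("servercert"):
        findings.append("no servercert selected in 'config vpn ssl settings'")
    if ssl.get("source-address-negate", ["disable"])[0] == "enable":
        findings.append("source-address-negate is enabled; set it to disable")

    # A VIP whose extip is the SSL VPN listener address is matched before the
    # SSL VPN daemon sees the packet: on every port when port forwarding is
    # off, or on the SSL VPN port when a port-forward range covers it.
    for name, vip in cfg.get("firewall vip", {}).items():
        extip = vip.get("extip", [None])[0]
        if not name or extip not in listen_ips:
            continue
        if vip.get("portforward", ["disable"])[0] != "enable":
            findings.append(f"VIP '{name}' forwards all ports of {extip}")
        elif any(port_in_range(port, r) for r in vip.get("extport", [])):
            findings.append(f"VIP '{name}' forwards port {port} of {extip}, "
                            "which is the SSL VPN port")
    return findings


# Constructed backup fragment (assumed names/addresses, not a real device):
# one VIP port-forwards 443 on the listener address, one sits on another IP.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
    next
end
config firewall vip
    edit "web_443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.5"
        set extport 443
    next
    edit "mail_all_ports"
        set extip 203.0.113.11
        set mappedip "10.0.0.6"
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set source-address-negate enable
    set port 443
end
"""
```

Run it on a backup exported from the GUI or on the output of `show` (same syntax): `audit_sslvpn(parse_fortios(open("backup.conf").read()))`. On SAMPLE_CONFIG it reports the VIP "web_443" (it port-forwards 443 on the listener address) and the enabled source-address-negate, while "mail_all_ports" is skipped because its external IP is not the SSL VPN listener. VIPs are matched on extip only, not extintf, so a VIP with the same address on a different external interface is still reported; that is the conservative choice for a troubleshooting pass.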