1. If the SSL VPN is behind NAT, it will fail at 10%. For this issue, it is necessary to do a port forwarding rule for the SSL VPN port and point it to the FortiGate WAN interface IP on the ISP modem. See Technical Tip: SSL VPN behind NAT for more information on this.
2. Verify that internet connectivity is working on the remote user's end:

3. Verify to be able to telnet the SSL VPN server IP on the SSL VPN port on the remote system.

4. Verify that the SSL VPN configuration on FortiClient is correct:

5. Verify the external public IP is not getting denied by the firewall locally in the policy. Check the screenshot below for how to locate the local in policy on FortiGate:

6. Verify to use the server certificate in SSL VPN settings in FortiGate:

7. Verify that there is a firewall policy with an Interface and an SSL VPN tunnel interface:

8. Verify there is no open VIP for all the ports on the firewall with the same external IP, and also no VIP with a forward port to the same SSL VPN port:

9. Sometimes, if a source address is defined in the SSL VPN settings and the Source negate option is enabled in the VPN setting on the CLI, then the process will also fail at 10%. Disabling source-address-negate will make it pass this 10% fail error.

config vpn ssl setting

    set source-address-negate disable

end

10. Verify the setting 'Restrict access' is set to 'Allow access from any host'. If it is set to 'Limit access to specific host', Verify the client's public IP is allowed.

11. If FortiGate is operating in NGFW policy-based mode and no SSL VPN process is found when running 'diagnose sys tcpsock | grep ssl', the issue could be with a missing SSL Inspection & Authentication policy as per the following article: Technical Tip: SSL VPN is not working when FortiGate is on NGFW Policy-based.
    
    
12. Verify that the SSL VPN is enabled.
     

     

13. If the remote gateway is a DDNS domain, ensure that the hostname is being resolved to the correct public IP. Check it using nslookup via Command Prompt. If the DDNS configured in the FortiGate resolves to the firewall's old public IP, which has been updated already, refer to this KB article: Troubleshooting Tip: FortiGuard DDNS IP update fails.
    
    
14. If the virtual interface (for example, ssl.root when SSL VPN is configured on the root VDOM) is down, users will experience connectivity failures. Ensure that the virtual interface status is set to 'up'. This setting is visible in the CLI, and by default, the status is 'up'.
    
    

config system interface

    edit "ssl.root" 

        set vdom "root"

        set status down
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 14

    next

end

All the reasons above could cause the SSL VPN connection to fail at 10%. Verify all these are correct, and if the above steps fail to resolve the problem, consider opening a TAC support case if any further help is required.

Note: The SSL VPN tunnel mode feature has be removed from certain FortiOS versions and FortiGate models , consult the articles below for more details.

• SSL VPN tunnel mode replaced with IPsec VPN | FortiGate / FortiOS 7.6.4 | Fortinet Document Library
• SSL VPN removed from 2GB RAM models for tunnel and web mode | FortiGate / FortiOS 7.6.0 | Fortinet D...
• Technical Tip: SSL VPN support on FortiGate models

Related article: 

Troubleshooting Tip: SSL VPN Troubleshooting