Description
This article describes how to check why DTLS is not negotiated. DTLS can improve SSL VPN performance and is enabled by default on FortiSASE. It may fail to negotiate if UDP port 443 is blocked.
Scope
FortiSASE.
Solution
- Collect the FortiClient Diagnostic Tool output and extract the zip file. Open the log file:
Diagnostic_Result\FCDiagData\general\logs\trace\sslvpndaemon_1.log
An example of the error is shown below:
[2024-10-09 10:20:31.5995991 UTC-05:00] [9960:27400] [sslvpndaemon 524 info] PreferDtlsTunnel=1
[2024-10-09 10:20:34.6107378 UTC-05:00] [9960:27400] [sslvpndaemon 2475 error] DTLS connection timeout.
[2024-10-09 10:20:34.7201226 UTC-05:00] [9960:27400] [sslvpndaemon 524 info] PreferDtlsTunnel=1
[2024-10-09 10:20:37.7240204 UTC-05:00] [9960:27400] [sslvpndaemon 2475 error] DTLS connection timeout.
[2024-10-09 10:20:37.9261482 UTC-05:00] [9960:27400] [sslvpndaemon 524 info] PreferDtlsTunnel=1
[2024-10-09 10:20:40.9352332 UTC-05:00] [9960:27400] [sslvpndaemon 2475 error] DTLS connection timeout.
- Perform a packet capture on the Windows PC. The capture shows that DTLS is not negotiated and that there is no traffic on UDP 443.
- UDP 443 can be blocked by software installed on the computer, such as a host-based firewall, a web-filter agent, or others. Add an exception or allow it.
- Disconnect FortiClient VPN and reconnect. Initially, it connects with TLS 1.3, and DTLS will then be negotiated.
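To make the first step repeatable, the following added example (not Fortinet's code) parses sslvpndaemon_1.log lines in the format shown above, pairs each PreferDtlsTunnel=1 entry with the DTLS connection timeout that follows it, and flags the repeated-timeout pattern that points to UDP 443 being blocked. The threshold of two timeouts is an assumption chosen for illustration.

```python
import re
from datetime import datetime

# Sample input taken from the log excerpt above (constructed for this example).
SAMPLE_LOG = """\
[2024-10-09 10:20:31.5995991 UTC-05:00] [9960:27400] [sslvpndaemon 524 info] PreferDtlsTunnel=1
[2024-10-09 10:20:34.6107378 UTC-05:00] [9960:27400] [sslvpndaemon 2475 error] DTLS connection timeout.
[2024-10-09 10:20:34.7201226 UTC-05:00] [9960:27400] [sslvpndaemon 524 info] PreferDtlsTunnel=1
[2024-10-09 10:20:37.7240204 UTC-05:00] [9960:27400] [sslvpndaemon 2475 error] DTLS connection timeout.
"""

# [timestamp tz] [pid:tid] [sslvpndaemon code level] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [^\]]*\] "
    r"\[(?P<pid>\d+):(?P<tid>\d+)\] "
    r"\[sslvpndaemon (?P<code>\d+) (?P<level>\w+)\] (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def dtls_attempts(log_text):
    """Pair each PreferDtlsTunnel=1 with the DTLS timeout that follows it.
    Returns a list of (attempt_start, outcome, seconds_waited)."""
    attempts, pending = [], None
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["msg"].startswith("PreferDtlsTunnel=1"):
            pending = rec["ts"]
        elif pending is not None and rec["msg"].startswith("DTLS connection timeout"):
            attempts.append((pending, "timeout", (rec["ts"] - pending).total_seconds()))
            pending = None
    return attempts


def diagnose(log_text, min_timeouts=2):
    """Flag repeated DTLS timeouts, the pattern seen when UDP 443 is blocked."""
    timeouts = [a for a in dtls_attempts(log_text) if a[1] == "timeout"]
    verdict = "udp443_blocked_suspected" if len(timeouts) >= min_timeouts else "ok"
    return verdict, len(timeouts)


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run it against the extracted sslvpndaemon_1.log by replacing SAMPLE_LOG with the file contents; a suspected verdict is the cue to proceed to the packet capture and host firewall check.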
Related document: