FortiSASE
FortiSASE delivers both a consistent security posture and an optimal user experience for users working from anywhere. Secure your hybrid workforce by closing security gaps, plus simplify operations.
sjoshi
Staff
Staff
Article Id 322577
Description

 

This article describes key troubleshooting steps to help resolve connectivity issues between endpoints and FortiSASE VPN SSO, ensuring reliable access and enhanced security.

 

Scope

 

FortiSASE.

 

Solution

 

Below are the steps to troubleshoot a FortiSASE VPN issue:

 

  1. Verify the FortiSASE VPN SSO is configured properly from the FortiSASE Portal:

 

Refer to this article:

Technical Tip: Optimizing Secure Remote Access - a comprehensive guide to FortiClient VPN SSO integr...

 

  1. Using FortiGate Support Tool to Obtain Configuration Files.

     

    Install the 'FortiGate Support Tool' and it is publicly available on the Google Chrome Web Store.
    Once that it is installed then create a new capture log in to FortiSASE and stop the capture after some time.

            

    Select New Capture and post that it will start capturing.

     

    Picture1.png

     

     

    Once the capture is completed then again open the FortiGate Support Tool extension in another tab select View Existing Capture and select the file.

     

    Picture1.png

              

     

    The config can be downloaded and checked for any issue with the configuration.

     

    Picture1.png

     

     

    Follow the below article to get more details about the FortiGate Support Tool:

    Troubleshooting Tip: Collect GUI slowness and errors debugs via FortiGate Support Tool

     

     

  2. Use SAML Tracer to view SAML logs.

     

    Install the SAML tracer in the Chrome browser and try to log in to the VPN via the web mode.
    Go to Configuration -> VPN User SSO copy the Portal (Sign On) URL and paste it into Chrome.
       

    While login the VPN via the web mode SSO, run the SAML-tracer and it will give the below output:

        Picture1.png

     

    Now, select those lines where it shows as SAML.
    Then, the SAML messages can be viewed and any issues with the SAML can be verified.

        Picture1.png

     

     

    Follow the below article to get more details about the SAML Tracer Tool:
    Technical Tip: How to record a client SAML trace

     

     

  3. Collect sslvpnd Debug Output.

     

    While trying to connect the VPN open the FortiGate Support Tool mentioned in Step 2 and before starting the capture select Daemon Logging and add sslvpnd daemon.

    Once the capture is started then initiate the VPN connection.

     

    Picture1.png

     

    After that, the sslvpnd debug output can also be viewed to help verify the issue.

     

    Picture1.png

     

     

  4. Using Wireshark to Analyze TCP Stream.

     

    Install Wireshark in the endpoint and open it while trying to connect to the VPN.
    Filter out with the IP address of the SASE VPN remote GW and check the TCP stream which can help to check if there is any issue with the TCP connection.

     

     


    To find the IP address of the SASE VPN Remote GW.
    Open the FCT, go to Remote Access -> Remote Gateway, and copy the URL.
    Perform the nslookup for that URL in the endpoint which will resolve the URL to a specific IP address and it is possible to use that IP address to filter the packet flow in the Wireshark.

     

     

  5. View the VPN Event logs.

     

    Go to Analytics -> Logs -> Events -> VPN Events.

    VPN activity events can be verified from here.