This article describes key troubleshooting steps to help resolve connectivity issues between endpoints and FortiSASE VPN SSO, ensuring reliable access and enhanced security.
Scope: FortiSASE.
Below are the steps to troubleshoot a FortiSASE VPN issue:
Refer to this article:
Using FortiGate Support Tool to Obtain Configuration Files.
Install the 'FortiGate Support Tool' browser extension; it is publicly available on the Google Chrome Web Store.
Once it is installed, log in to FortiSASE, open the extension and select New Capture; capturing starts immediately. Reproduce the problem, then stop the capture after some time.
Once the capture is completed, open the FortiGate Support Tool extension in another tab, select View Existing Capture, and select the saved file.
The configuration can be downloaded from the capture and checked for any issue with the configuration.
See the following article for more details about the FortiGate Support Tool:
Troubleshooting Tip: Collect GUI slowness and errors debugs via FortiGate Support Tool
Use SAML-tracer to view the SAML messages.
Install the SAML-tracer extension in Chrome and log in to the VPN via web mode.
Go to Configuration -> VPN User SSO, copy the Portal (Sign On) URL, and paste it into Chrome.
Start SAML-tracer before logging in to the VPN via web mode SSO; it records every request of the login flow.
Select the lines flagged as SAML.
The decoded SAML messages can then be viewed and any issue with the SAML exchange verified, for example a non-Success status from the IdP, a Destination or Audience that does not match what is configured under VPN User SSO, a NameID that cannot be mapped to a user, or a Conditions window that has already expired because of clock skew between endpoint, IdP and FortiSASE.
See the following article for more details about SAML-tracer:
Technical Tip: How to record a client SAML trace
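As an added example (not part of the original article, and not a Fortinet or SAML-tracer feature), the following Python script performs the checks a practitioner normally does by eye on the SAMLResponse value that SAML-tracer captures: it decodes the parameter for either the HTTP-POST or the HTTP-Redirect binding, then verifies the IdP status, the Destination against the ACS URL, the Audience against the SP Entity ID, the Conditions time window, the NameID, and whether a signature is present at all. The ACS URL, Entity ID, IdP URL and the sample response are constructed placeholders; replace the first two with the values shown under Configuration -> VPN User SSO.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed placeholder values. Use the ACS (Assertion Consumer Service) URL and
# SP Entity ID that FortiSASE shows under Configuration -> VPN User SSO.
EXPECTED_ACS = "https://sase.example.com/remote/saml/login"
EXPECTED_AUDIENCE = "https://sase.example.com/remote/saml/metadata"

# Constructed sample response. The empty ds:Signature is a placeholder so the
# presence check below passes; a real response carries a full XML-DSig block.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="https://sase.example.com/remote/saml/login">
<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
<ds:Signature/>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sase.example.com/remote/saml/metadata</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
</saml:Assertion>
</samlp:Response>"""


def encode_saml(xml_text, redirect_binding=False):
    """Build a SAMLResponse parameter value; used here only to make test input."""
    data = xml_text.encode("utf-8")
    if redirect_binding:  # HTTP-Redirect binding: raw DEFLATE, then base64
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml(value, redirect_binding=False):
    """Decode the value SAML-tracer shows for SAMLRequest/SAMLResponse.
    HTTP-POST binding is plain base64; HTTP-Redirect (query string) is base64
    over raw DEFLATE (wbits=-15 means no zlib header)."""
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 ending in 'Z', optionally with fractions."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def at(year, month, day, hour, minute):
    """Aware UTC datetime used as 'now', so the checks are deterministic."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def check_response(xml_text, expected_acs=EXPECTED_ACS,
                   expected_audience=EXPECTED_AUDIENCE, now=None):
    """Return the problems found in a SAML Response; [] means the usual causes
    of an SSO failure are absent. The signature is checked for presence only;
    cryptographic verification needs the IdP certificate and an XML-DSig library."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value", "") if status is not None else ""
    if not status_value.endswith(":Success"):
        problems.append(f"IdP status is not Success: {status_value or 'missing'}")

    # Destination must equal the ACS URL the SP expects, or the SP rejects it.
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {expected_acs!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted, or IdP sent status only)")
        return problems

    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != expected_audience:
        problems.append(f"Audience {getattr(audience, 'text', None)!r} != SP Entity ID {expected_audience!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        # Endpoint, IdP and SP clocks must agree; skew shows up as one of these.
        if not_before and now < parse_ts(not_before):
            problems.append(f"assertion not yet valid (NotBefore={not_before}); check clock skew")
        if not_on_or_after and now >= parse_ts(not_on_or_after):
            problems.append(f"assertion expired (NotOnOrAfter={not_on_or_after}); check clock skew")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID; the SP cannot map the assertion to a user")

    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")

    return problems


if __name__ == "__main__":
    wire_value = encode_saml(SAMPLE_RESPONSE)  # what SAML-tracer shows (base64)
    for problem in check_response(decode_saml(wire_value), now=at(2024, 5, 1, 10, 1)):
        print("PROBLEM:", problem)
```

Paste the base64 value from SAML-tracer's SAML tab into `decode_saml` (with `redirect_binding=True` if it came from the query string of a redirect rather than a POST body) and pass the result to `check_response`. An empty list means the usual configuration mismatches are ruled out and the cause is more likely on the FortiSASE side (certificate, user or group mapping), which the sslvpnd debug output below will show.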
Collect sslvpnd debug output.
While trying to connect to the VPN, open the FortiGate Support Tool described above and, before starting the capture, select Daemon Logging and add the sslvpnd daemon.
Once the capture has started, initiate the VPN connection.
The sslvpnd debug output can then be viewed alongside the capture to help verify the issue.
Use Wireshark to analyze the TCP stream.
Install Wireshark on the endpoint and start a capture while trying to connect to the VPN.
Filter on the IP address of the FortiSASE VPN remote gateway and follow the TCP stream; this shows whether the TCP connection itself is the problem, for example a SYN that gets no SYN-ACK, a reset from the gateway or an intermediate device, or a TLS handshake that never completes.
To find the IP address of the FortiSASE VPN remote gateway:
Open FortiClient (FCT), go to Remote Access -> Remote Gateway, and copy the URL.
Run nslookup for that hostname on the endpoint. It resolves the hostname to one or more IP addresses; include every returned address in the Wireshark filter, since the client may connect to any of them.
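As an added example (not part of the original article), the following Python script turns nslookup output into ready-to-paste Wireshark and tshark filters. It skips the resolver section so the DNS server's own address never ends up in the filter, keeps every answer address in order (the gateway name may resolve to several IPv4 and IPv6 addresses), and picks `ip.addr` or `ipv6.addr` per address. The nslookup samples, the hostname and the addresses are constructed; port 443 is an assumption and should be replaced with the port FortiClient actually uses.

```python
import ipaddress

# Constructed nslookup output as produced by Windows and by a Unix resolver for
# a remote gateway name that resolves to several addresses. The DNS server's
# own address appears first and must not end up in the filter.
NSLOOKUP_WINDOWS = """Server:  dns.example.com
Address:  192.0.2.53

Non-authoritative answer:
Name:    vpn.sase.example.com
Addresses:  2001:db8::10
          198.51.100.10
          198.51.100.11
"""

NSLOOKUP_UNIX = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tvpn.sase.example.com
Address: 198.51.100.10
Name:\tvpn.sase.example.com
Address: 198.51.100.11
"""


def gateway_ips(nslookup_output):
    """Extract the answer addresses from nslookup output, in order, without
    duplicates. Everything before the first 'Name:' line is the resolver
    section and is skipped, so the DNS server address is never included."""
    ips = []
    in_answer = False
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        for token in line.replace("Address:", "").replace("Addresses:", "").split():
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # labels, comments, anything that is not an address
            if str(ip) not in ips:
                ips.append(str(ip))
    return ips


def display_filter(ips, port=443):
    """Wireshark display filter: ip.addr for IPv4, ipv6.addr for IPv6."""
    terms = []
    for ip in ips:
        field = "ipv6.addr" if ipaddress.ip_address(ip).version == 6 else "ip.addr"
        terms.append(f"{field} == {ip}")
    return f"({' || '.join(terms)}) && tcp.port == {port}"


def capture_filter(ips, port=443):
    """BPF capture filter for tshark/tcpdump -f; 'host' matches both IP versions."""
    hosts = " or ".join(f"host {ip}" for ip in ips)
    return f"({hosts}) and tcp port {port}"


if __name__ == "__main__":
    ips = gateway_ips(NSLOOKUP_WINDOWS)
    print(ips)
    print(display_filter(ips))  # paste into the Wireshark filter bar
    print(capture_filter(ips))  # e.g. tshark -i eth0 -f "<this>" -w vpn.pcapng
```

Apply the display filter in Wireshark, right-click the first SYN to the gateway and choose Follow -> TCP Stream; the capture filter is for collecting only the VPN traffic in the first place when the endpoint is busy.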
View the VPN event logs.
Go to Analytics -> Logs -> Events -> VPN Events.
VPN activity events, including failed and successful tunnel logins, can be verified here.
Copyright 2024 Fortinet, Inc. All Rights Reserved.