Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SLG
New Contributor

SSL VPN Slow on Domain Login

Hi Everyone,

I have a strange issue.

So we use SSL VPN's and it seems that some users have this issue and some do not.

 

To Note:

The same computer is used (Windows OS)

The same WiFI is used (other Wifis have been tested with the same result)

The same login to the VPN (which is SAML based)

The same SSL VPN is used (others have been tested with also the same result)

Forticlient version 7.0.5 and 7.0.6 have been used

EMS is version 7.0.4

Fortigate is version 7.2.0

 

When the computer is logged in as a local user to the computer the SSL VPN works great. No issued.

When the computer is logged in as a domain user (whether its an admin or regular) there is severe latancy - so bad its unusable. I thought it might be group policy based but I cannot see anything which would cause this.

Any ideas?

 

#forticlient #SSLVPN #FortiGate

7 REPLIES 7
Anthony_E
Community Manager
Community Manager

Hello SLG,

 

I have found this document which explains how to troubleshoot some issues:

 

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/993282/troubleshooting-commo...

 

Could you please telle me if it helps?

 

Regards,

 

Anthony-Fortinet Community Team.
SLG
New Contributor

 Hi Anthony,

Thank you for your reply - I have looked through all the troubleshooting but it doesnt seem to be an issue with the tunnel  itself as it works fine when I am logged in as a non domain user to the computer,

Thanks,

Sara

Anthony_E
Community Manager
Community Manager

Hello,

 

We are still looking for an answer to your question.

We will come back to you as soon as we get it.

 

Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff
Staff

Hi SLG,

 

Interesting issue. To recap. The difference is the end user logging in as local user or domain user, in both cases no connectivity is given towards the domain controller.

What exactly is slow?

- The logon process?

- The general VPN connection after login?

Doesn't sound like it, but any better with a LAN cable, instead of using wireless? With the description I would not think so, but well, wireless can be flaky.

 

GPO might really be something, it depends on the GPO is for some reason changing the FortiClients' configuration, for example, the domain user has DTLS enabled, the local user has it disabled (or simply the tunnel settings are different).

 

Best regards,

 

Markus

 

SLG
New Contributor

Hi Markus.

Thank you for your comment.

The only difference I have been able to track it down to is yes logging in as a local user compared to logging in as a domain user.

The local user has perfectly fine connection once the VPN is up 

The domain user has severe latency - with speeds below the 1mbps once connected to the VPN (before connecting speeds are above 100mbps)

The logon process is fine - I do not rely on the vpn to logon.

It is the speed of connection to the internet once connected to the VPN- doesnt seem to matter what site whether it is an internal ip or a public facing one.

Connecting via ethernet doesnt make any difference.

Do you know any specific GPO's that can do this? As currently I am looking into this and its like trying to find a needle in a haystack.

Thanks.

Sara

RachelGomez123
Contributor

Steps to fix SSL VPN Slow on Domain Login-

 

Verify the user's portal accessibility
Ensure that the SSL VPN service is selected for the >WAN interface under Administration > Device access.Verify the admin port settings
Ensure the SSL VPN users access the portal using the port configured under Administration > Admin and user settings > Admin console and end-user interaction.

Ports.PNG

Verify the certificate
Make sure that the proper certificate is associated with the SSL VPN user. Using the appliance certificate and regenerate the certificate if required is recommended. For more information, go to Sophos Firewall: Self-signed certificates are not supported.

Verify the logs from the GUI
Go to Log viewer and filter the Log comp to SSL VPN.

Filter.PNG

Verify the SSL VPN traffic flow from the console
Sign in to the command-line interface (CLI) and select 4: Device Console. Run the following command, which uses the default SSL VPN port 8443, to analyze the output.

tcpdump "port 8443"

tidy_fix_alt

Verify the logs from the advance shell
Sign in to the command-line interface (CLI) and select 5: Device Management, then 3: Advanced Shell, and run the following command:

tail -f /log/sslvpn.log

tidy_fix_alt

Verify the logs from SSL VPN Client
Right-click the SSL VPN Client on the taskbar of your computer and select View Log.

Verify the user has a proper SSL VPN remote access policy assigned
Go to Authentication > Users and confirm that the SSL VPN user has two or more simultaneous logins allowed under SSL VPN policy, in case the user is simultaneously logged in from a different device at the same time.

Simultaneous.PNG

Verify the SSL VPN authentication method
When receiving Auth-failure error messages in logs, verify the authentication method under Authentication > Services > SSL VPN authentication methods.

 

Greeting,

Rachel Gomez

SLG

Hi Rachel,

I log into the tunnel with the same user it is only the computer i login to with a different user.

Thanks,

Sara

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors