- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN Slow on Domain Login
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN Slow on Domain Login
Hi Everyone,
I have a strange issue.
So we use SSL VPN's and it seems that some users have this issue and some do not.
To Note:
The same computer is used (Windows OS)
The same WiFI is used (other Wifis have been tested with the same result)
The same login to the VPN (which is SAML based)
The same SSL VPN is used (others have been tested with also the same result)
Forticlient version 7.0.5 and 7.0.6 have been used
EMS is version 7.0.4
Fortigate is version 7.2.0
When the computer is logged in as a local user to the computer the SSL VPN works great. No issued.
When the computer is logged in as a domain user (whether its an admin or regular) there is severe latancy - so bad its unusable. I thought it might be group policy based but I cannot see anything which would cause this.
Any ideas?
#forticlient #SSLVPN #FortiGate
Labels:
- Labels:
-
FortiClient
-
FortiClient EMS
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello SLG,
I have found this document which explains how to troubleshoot some issues:
Could you please telle me if it helps?
Regards,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Anthony,
Thank you for your reply - I have looked through all the troubleshooting but it doesnt seem to be an issue with the tunnel itself as it works fine when I am logged in as a non domain user to the computer,
Thanks,
Sara
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are still looking for an answer to your question.
We will come back to you as soon as we get it.
Regards,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi SLG,
Interesting issue. To recap. The difference is the end user logging in as local user or domain user, in both cases no connectivity is given towards the domain controller.
What exactly is slow?
- The logon process?
- The general VPN connection after login?
Doesn't sound like it, but any better with a LAN cable, instead of using wireless? With the description I would not think so, but well, wireless can be flaky.
GPO might really be something, it depends on the GPO is for some reason changing the FortiClients' configuration, for example, the domain user has DTLS enabled, the local user has it disabled (or simply the tunnel settings are different).
Best regards,
Markus
Created on 08-15-2022 07:23 AM Edited on 08-15-2022 07:28 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Markus.
Thank you for your comment.
The only difference I have been able to track it down to is yes logging in as a local user compared to logging in as a domain user.
The local user has perfectly fine connection once the VPN is up
The domain user has severe latency - with speeds below the 1mbps once connected to the VPN (before connecting speeds are above 100mbps)
The logon process is fine - I do not rely on the vpn to logon.
It is the speed of connection to the internet once connected to the VPN- doesnt seem to matter what site whether it is an internal ip or a public facing one.
Connecting via ethernet doesnt make any difference.
Do you know any specific GPO's that can do this? As currently I am looking into this and its like trying to find a needle in a haystack.
Thanks.
Sara
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Steps to fix SSL VPN Slow on Domain Login-
Verify the user's portal accessibility
Ensure that the SSL VPN service is selected for the >WAN interface under Administration > Device access.Verify the admin port settings
Ensure the SSL VPN users access the portal using the port configured under Administration > Admin and user settings > Admin console and end-user interaction.
Ports.PNG
Verify the certificate
Make sure that the proper certificate is associated with the SSL VPN user. Using the appliance certificate and regenerate the certificate if required is recommended. For more information, go to Sophos Firewall: Self-signed certificates are not supported.
Verify the logs from the GUI
Go to Log viewer and filter the Log comp to SSL VPN.
Filter.PNG
Verify the SSL VPN traffic flow from the console
Sign in to the command-line interface (CLI) and select 4: Device Console. Run the following command, which uses the default SSL VPN port 8443, to analyze the output.
tcpdump "port 8443"
tidy_fix_alt
Verify the logs from the advance shell
Sign in to the command-line interface (CLI) and select 5: Device Management, then 3: Advanced Shell, and run the following command:
tail -f /log/sslvpn.log
tidy_fix_alt
Verify the logs from SSL VPN Client
Right-click the SSL VPN Client on the taskbar of your computer and select View Log.
Verify the user has a proper SSL VPN remote access policy assigned
Go to Authentication > Users and confirm that the SSL VPN user has two or more simultaneous logins allowed under SSL VPN policy, in case the user is simultaneously logged in from a different device at the same time.
Simultaneous.PNG
Verify the SSL VPN authentication method
When receiving Auth-failure error messages in logs, verify the authentication method under Authentication > Services > SSL VPN authentication methods.
Greeting,
Rachel Gomez
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rachel,
I log into the tunnel with the same user it is only the computer i login to with a different user.
Thanks,
Sara
Related Posts
Labels
-
FortiGate
6,571 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
568 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Email filter profile
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.