dasilva13
New Contributor

VPN stops working - need reboot of entire system

Has anyone else had issues with SSLVPN service just stop working? And the only way to have it work again is to reboot entire FortiGate? My users would complain about VPN not working, and then I would try to get to port :10443 and it would not go through. After reboot it would come back up and work normally for some time. does not mention conserve mode, and I have had it happen on all versions from 60c to 100d.
Brady_R__Houser
New Contributor

I've had problems in the past where changing the SSL port causes issues. I'd recommend seeing if changing it to 443 fixes your issues.
dasilva13
New Contributor

I have tried that but it still doesn't resolve the issue. Wish I could restart just the VPN service via CLI.
Istvan_Takacs_FTNT

Your wish is granted:

# diag sys top <--- use this command to find out if anything's hogging the system resources. It might not be the SSL VPN, but some other process, and it only suffers as the result.

# diag sys kill 11 <process ID from the previous command>
dasilva13
New Contributor

I have tried that numerous times and it still doesn't fix the VPN down issue. Diag sys top does not show anything out of the usual as well. Will probably have to contact TAC about this.
scott_thomas
New Contributor

We run into this every now and then. I notice it after making changes to the SSLVPN rules or settings. I fix it without rebooting by going to the rules and disabling them and then re-enabling them. You should be able to write a quick script for this as well pretty easily.
dasilva13

I will try that, but I don't ever make changes on it and it still does it. So you mean disabling the IPv4 rules for it? Then enabling them?
scott_thomas
New Contributor

Yep, disable the IPv4 rules for them and re-enable them. That is what has been fixing ours.
FatalHalt
Contributor II

I had something similar to this where the SSLVPN (when accessed from the browser) would display an Error: 400. The VPN logs showed that the box was entering into an 'SSLVPN Conserve Mode'... which made no sense since nothing else on the box reported any sort of conserve or memory issues. Think eventually I changed a few settings around for some memory management, don't think it's happened in the past two months now.... beats me.
Christopher_McMullan

The SSLVPN daemon has its own threshold for going into conserve mode separately from the rest of the firewall as a preventive measure; to stop itself from being part of the problem. As of FortiOS 5.0.4, a command was added ('diag vpn ssl stat') to view the current state of the SSLVPN process vis-à-vis SSLVPN conserve mode. It actually goes down to the level of detail of describing the maximum number of concurrent connections, the number of current connections, and how many more you have left:

FortiMcWiFi # di vpn ssl stat
SSLVPN statistics:
------------------
Memory unit: 1
System total memory: 457850880
System free memory: 91561984
SSLVPN memory margin: 45785088
SSLVPN state: normal
Max number of users: 1
Max number of tunnels: 1
Max number of connections: 7
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
FortiMcWiFi #

If the SSLVPN state goes from 'normal' to 'busy', then the VPN daemon is in conserve mode to prevent the whole system from failing open. Taking care of memory issues will usually allow the process to return to normal.

Regards, Chris McMullan Fortinet Ottawa
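
One way to watch for the condition described in the post above, as an added example that is not part of the original thread or Fortinet's own code: it parses saved 'diag vpn ssl stat' output and flags a state other than 'normal' or exhausted user, tunnel or connection slots. The function names, the constructed 'busy' sample and the reading of the memory margin as a free-memory floor are assumptions.

```python
import re
# Constructed sample: the output quoted in the post, minus the CLI prompts.
SAMPLE_NORMAL = """\
SSLVPN statistics:
------------------
Memory unit: 1
System total memory: 457850880
System free memory: 91561984
SSLVPN memory margin: 45785088
SSLVPN state: normal
Max number of users: 1
Max number of tunnels: 1
Max number of connections: 7
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
"""
# Constructed variant: daemon in 'busy' state, low memory, all slots used.
SAMPLE_BUSY = (SAMPLE_NORMAL.replace("free memory: 91561984", "free memory: 40000000")
               .replace("state: normal", "state: busy")
               .replace("of connections: 0", "of connections: 7"))

def parse_sslvpn_stat(text):
    """Turn 'Key: value' lines into a dict; numeric values become ints."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(\S+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
    return stats

def assess(stats):
    """Return (alerts, details) for one parsed snapshot."""
    alerts = []
    if stats.get("SSLVPN state") != "normal":
        alerts.append("state=%s" % stats.get("SSLVPN state"))
    left = {}
    for kind in ("users", "tunnels", "connections"):
        left[kind] = stats["Max number of " + kind] - stats["Current number of " + kind]
        if left[kind] <= 0:
            alerts.append("no %s left" % kind)
    # Assumption (not stated in the thread): the margin is the free-memory
    # floor the daemon watches, so free minus margin is the headroom.
    headroom = stats["System free memory"] - stats["SSLVPN memory margin"]
    if headroom <= 0:
        alerts.append("free memory below margin")
    return alerts, {"left": left, "memory_headroom": headroom}
if __name__ == "__main__":
    print(assess(parse_sslvpn_stat(SAMPLE_BUSY)))
```

Run against periodic snapshots, the alerts list shows whether the daemon had already left the 'normal' state before users reported the VPN as down.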
