The SSLVPN daemon has its own threshold for going into conserve mode, separately from the rest of the firewall, as a preventive measure to stop itself from being part of the problem.
As of FortiOS 5.0.4, a command was added ('diag vpn ssl stat') to view the current state of the SSLVPN process vis-à-vis SSLVPN conserve mode. It actually goes down to the level of detail of describing the maximum number of concurrent connections, the number of current connections, and how many more you have left:
FortiMcWiFi # di vpn ssl stat
SSLVPN statistics:
------------------
Memory unit: 1
System total memory: 457850880
System free memory: 91561984
SSLVPN memory margin: 45785088
SSLVPN state: normal
Max number of users: 1
Max number of tunnels: 1
Max number of connections: 7
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
FortiMcWiFi #
If the SSLVPN state goes from 'normal' to 'busy', then the VPN daemon is in conserve mode to prevent the whole system from failing open. Taking care of memory issues will usually allow the process to return to normal.
Regards,
Chris McMullan
Fortinet Ottawa
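
Added example, not part of the original post and not Fortinet code: a small parser for saved 'diag vpn ssl stat' output that reports when the SSLVPN state changes between captures. The function names and the second ("busy") capture are constructed for illustration, and treating the SSLVPN memory margin as the free-memory floor is an assumption.

```python
import re

# Constructed sample: the output shown in the post. SAMPLE_BUSY is an invented
# variant with lower free memory and the state set to "busy".
SAMPLE_NORMAL = """\
FortiMcWiFi # di vpn ssl stat
SSLVPN statistics:
------------------
Memory unit: 1
System total memory: 457850880
System free memory: 91561984
SSLVPN memory margin: 45785088
SSLVPN state: normal
Max number of users: 1
Max number of tunnels: 1
Max number of connections: 7
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
"""
SAMPLE_BUSY = (SAMPLE_NORMAL.replace("91561984", "40000000")
               .replace("state: normal", "state: busy"))

def parse_ssl_stat(text):
    """Return {field name: int or str} from 'diag vpn ssl stat' output."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(\S.*?)\s*$", line)
        if not m:
            continue  # prompt, header and separator lines carry no value
        key, value = m.group(1).strip(), m.group(2)
        stats[key] = int(value) if value.isdigit() else value
    return stats

def headroom(stats):
    """Free memory above the SSLVPN margin (assumption: margin is the floor)."""
    return stats["System free memory"] - stats["SSLVPN memory margin"]

def state_changes(captures):
    """Return (index, old, new) for each change of 'SSLVPN state' across captures."""
    changes, prev = [], None
    for i, text in enumerate(captures):
        state = parse_ssl_stat(text).get("SSLVPN state")
        if prev is not None and state != prev:
            changes.append((i, prev, state))
        prev = state
    return changes
```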