Description
Scope
SSL VPN with FortiClient.
Solution
This error can occur due to the following reasons:
*Note
For example, if TLS 1.1 and TLS 1.2 are enabled on the FortiGate, enable them in Internet Explorer as well.
get system performance status
CPU states: 0% user 12% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU0 states: 14% user 86% system 0% nice 0% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
For more information, see Technical Tip: Debugs for troubleshooting high CPU issues.
To view the state of the system processes and CPU cores used by the SSL VPN Daemon, run the following:
diagnose sys top | grep sslvpnd
sslvpnd 354 R 99.8 0.3 0
The SSL service within the system process has a CPU utilization of approximately 99% and is handled by Core 0. This causes the SSL Daemon to malfunction, resulting in FortiClient getting stuck at 40%, and unable to establish the VPN connection.
To view all running system processes, run the following command:
diagnose sys top
Run Time: 13 days, 15 hours and 19 minutes
6U, 0N, 6S, 88I, 0WA, 0HI, 0SI, 0ST; 7979T, 2656F
sslvpnd 354 R 99.8 0.3 0
httpsd 18032 S 0.5 0.3 6
ipsengine 459 S < 0.1 1.4 6
node 251 S 0.1 0.9 5
forticron 259 S 0.1 0.3 6
flcfgd 311 S 0.1 0.2 7
ipshelper 269 S < 0.0 3.3 4
ipsengine 453 S < 0.0 1.5 0
ipsengine 457 S < 0.0 1.5 4
ipsengine 454 S < 0.0 1.4 1
ipsengine 455 S < 0.0 1.4 2
ipsengine 456 S < 0.0 1.4 3
ipsengine 458 S < 0.0 1.4 5
cmdbsvr 215 S 0.0 0.8 5
appDemo 177 S < 0.0 0.8 4
If the SSL Daemon is malfunctioning, the debug command may not be able to display logs.
diag debug reset
diag debug application sslvpn -1
diag debug enable
To resolve this issue, restart the SSL running processes or re-enable the status of the SSL VPN interface and settings.
To kill or restart all of the sslvpnd processes, run the following command:
fnsysctl killall sslvpnd
To re-enable the SSL status:
config system interface
edit "ssl.root"
set vdom "root"
set status down/up
set type tunnel
set alias "SSL VPN interface"
set snmp-index 16
next
end
config vpn ssl settings
set status disable/enable
next
end
Once the SSL Daemon has restarted and returned to normal function, users will be able to successfully establish VPN connections.
diagnose sys top | grep sslvpnd
sslvpnd 18258 S 0.4 0.2 2
If this article does not resolve issues with establishing an SSL VPN connection and the progress bar still halts prematurely, see Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific perce....
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.