Nishtha_Baria
Article Id 286001
Description This article describes how to fix an issue where users with the correct credentials are still unable to connect to the SSL VPN: their system either sits in an endless 'connecting' state or reports that the VPN connection is down.
Scope FortiGate, FortiClient
Solution

When the user is trying to connect to the VPN, check the following two places:

  1. VPN logs.
  2. SSL VPN debugs.

VPN logs:

  • After attempting to connect, check the VPN logs (Log & Report -> System Events -> VPN Events). Look for an entry whose description says 'tunnel down' and check whether its reason is a connection timeout.

SSL VPN debugging:

  • Run SSL VPN debugging as shown below (the first command traces the SSL VPN daemon, the second the authentication daemon fnbamd, both at full verbosity):

diagnose debug application sslvpn -1

diagnose debug application fnbamd -1

diagnose debug enable

  • Towards the end of the debug output, look for the following line:

sslvpn_dtls_timeout_check:312 waiting for client hello timeout

The macOS and iPhone (free) versions of FortiClient have no option to enable DTLS, while newer FortiGate releases have DTLS enabled by default on the SSL VPN for better performance. The FortiGate therefore waits for a DTLS (UDP) connection that the client never starts; when that wait times out, the failure brings down the whole tunnel.

Disable the DTLS option on the FortiGate, test the connection again, and keep monitoring SSL VPN performance afterwards, since DTLS is what gives the SSL VPN its performance benefit.

To disable DTLS on the SSL VPN, run the following commands:

config vpn ssl setting
    set dtls-tunnel disable
end

DTLS has been enabled by default on the SSL VPN since FortiOS 5.4, so a 'show' of the stanza will not list the setting until it has been changed explicitly.
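As an added example (this is not part of the article and not Fortinet's own tooling), the following Python script automates the three checks the article walks through: it looks for the 'waiting for client hello timeout' signature in the sslvpn debug output, picks out 'tunnel down' VPN events whose reason is a timeout, and reads the 'config vpn ssl setting' stanza to see whether dtls-tunnel is still at its default of enable. The debug filler lines, the log field names (logdesc, reason, user, remip), the timestamps and the config values in the samples are constructed for illustration; only the debug signature and the remediation stanza are taken from the article.

```python
"""Triage helper for the SSL VPN 'waiting for client hello timeout' symptom.

Added example; this is not Fortinet's code. It reads three pieces of text an
administrator already has when following the article (SSL VPN debug output,
VPN event log lines, and the 'config vpn ssl setting' stanza) and reports
whether they match a DTLS-enabled gateway whose client never sends a DTLS
client hello. All sample data below is constructed for illustration.
"""
import re

# Signature quoted in the article's debug output; the ':312' source line
# number may differ between builds, so only the message text is matched.
DTLS_HELLO_TIMEOUT = "waiting for client hello timeout"

# Matches key=value and key="quoted value" pairs of FortiGate-style logs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Turn one key="value" style log line into a dict of strings."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def debug_shows_dtls_timeout(debug_text: str) -> bool:
    """True if the sslvpn debug output contains the DTLS client-hello timeout."""
    return any(DTLS_HELLO_TIMEOUT in ln for ln in debug_text.splitlines())


def tunnel_down_timeouts(log_lines) -> list:
    """Return parsed VPN events whose description says 'tunnel down' and whose
    reason mentions a timeout. The field names (logdesc, reason) are an
    assumption made for the constructed samples; adjust them to your logs."""
    hits = []
    for line in log_lines:
        ev = parse_log_line(line)
        desc = ev.get("logdesc", "").lower()
        reason = ev.get("reason", "").lower()
        if "tunnel down" in desc and "timeout" in reason:
            hits.append(ev)
    return hits


def dtls_tunnel_setting(config_text: str) -> str:
    """Extract 'set dtls-tunnel ...' from a 'config vpn ssl setting' stanza.
    'show' omits values that are still at their default, and the article
    states the default has been enable since 5.4, so a missing line is
    reported as enable."""
    in_stanza = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ssl setting":
            in_stanza = True
        elif in_stanza and line == "end":
            break
        elif in_stanza and line.startswith("set dtls-tunnel "):
            return line.split()[2]
    return "enable"


def diagnose(debug_text: str, log_lines, config_text: str) -> dict:
    """Combine the three checks into a verdict plus the fix from the article."""
    timeout_seen = debug_shows_dtls_timeout(debug_text)
    events = tunnel_down_timeouts(log_lines)
    dtls = dtls_tunnel_setting(config_text)
    matches = timeout_seen and dtls == "enable"
    return {
        "dtls_timeout_in_debug": timeout_seen,
        "tunnel_down_timeout_events": len(events),
        "dtls_tunnel": dtls,
        "matches_article": matches,
        "fix": "config vpn ssl setting\n    set dtls-tunnel disable\nend" if matches else None,
    }


# Constructed samples (not real captures): only the sslvpn_dtls_timeout_check
# line reproduces the article's text.
SAMPLE_DEBUG = """\
[constructed] sslvpn client 10.0.0.5 negotiated TLS
[constructed] sslvpn_dtls_timeout_check:312 waiting for client hello timeout
[constructed] sslvpn tunnel for 10.0.0.5 torn down
"""

SAMPLE_LOGS = [
    'date=2023-12-01 time=09:00:01 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="alice" remip=10.0.0.5',
    'date=2023-12-01 time=09:00:31 type="event" subtype="vpn" logdesc="SSL VPN tunnel down" user="alice" remip=10.0.0.5 reason="connection timeout"',
    'date=2023-12-01 time=09:05:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel down" user="bob" remip=10.0.0.6 reason="user logout"',
]

# Before: dtls-tunnel absent, i.e. still at its default of enable.
SAMPLE_CONFIG_BEFORE = """\
config vpn ssl setting
    set servercert "Fortinet_Factory"
    set port 10443
end
"""

# After: the article's remediation applied.
SAMPLE_CONFIG_AFTER = """\
config vpn ssl setting
    set servercert "Fortinet_Factory"
    set port 10443
    set dtls-tunnel disable
end
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG_BEFORE), ("after", SAMPLE_CONFIG_AFTER)):
        print(label, diagnose(SAMPLE_DEBUG, SAMPLE_LOGS, cfg))
```

Feed it the real debug capture, the exported VPN event log lines and the output of 'show vpn ssl setting' from the affected FortiGate; the verdict is only positive when both the debug signature is present and dtls-tunnel is still enabled, which is exactly the combination the article describes.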

 

If assistance is needed, contact Fortinet support.

Related article:

Technical Tip: Using DTLS to improve SSL VPN performance.