Common SSLVPN issues

Common issues

To troubleshoot getting no response from the SSL VPN URL:

  1. Go to VPN > SSL-VPN Settings.
    1. Check the SSL VPN port
    2. Check the Restrict Access settings to ensure the host you are connecting from is allowed.
  2. Go to Policy > IPv4 Policy or Policy > IPv6 policy.
    1. Check that the policy for SSL VPN traffic is configured correctly.
    2. Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>

  1. Check that you are using the correct port number in the URL. Ensure FortiGate is reachable from the computer.

ping <FortiGate IP>

  1. Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3

To troubleshoot FortiGate connection issues:

  1. Check the Release Notes to ensure that the FortiClient version is compatible with your version of FortiOS.
  2. FortiClient uses IE security setting, In IE Internet Option > Advanced > Security, check that Use TLS 1.1 and Use TLS 1.2 are enabled.
  3. Check that SSL VPN ip-pools has free IPs to sign out. The default ip-pools SSLVPN_TUNNEL_ADDR1 has 10 IP addresses.
  4. Export and check FortiClient debug logs.
  5. Go to File > Settings.
  6. In the Logging section, enable Export logs.
  7. Set the Log Level to Debug and select Clearlogs.
  8. Try to connect to the VPN.
  9. When you get a connection error, select Export logs.

To troubleshoot SSL VPN hanging or disconnecting at 98%:

  1. A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If your FortiOS version is compatible, upgrade to use one of these versions.
  2. Latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In

FortiOS 5.6.0 and later, use the following commands to allow a user to increase timers related to SSL VPN login.

config vpn ssl settings

set login-timeout 180 (default is 30) set dtls-hello-timeout 60 (default is 10)

end

To troubleshoot tunnel mode connections shutting down after a few seconds:

This might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the session to become “dirty”. To allow multiple interfaces to connect, use the following CLI commands.

If you are using a FortiOS 6.0.1 or later:

config system interface

edit <name>

set preserve-session-route enable

next

end

If you are using a FortiOS 6.0.0 or earlier:

config vpn ssl settings set route-source-interface enable

end

To troubleshoot users being assigned to the wrong IP range:

  1. Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and ensure the same IP Pool is used in both places.

Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.

To troubleshoot slow SSL VPN throughput:

Many factors can contribute to slow throughput.

This recommendation is try improving throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.

DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.

FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.

To use DTLS with FortiClient:

  1. Go to File > Settings and enable Preferred DTLS Tunnel.

To enable DTLS tunnel on FortiGate, use the following CLI commands:

config vpn ssl settings

set dtls-tunnel enable end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos