FortiGate
vrajendran
Staff
Article Id 191396

Description


This article lists potential SSL VPN connection issues and the checks to run for each.

The suggestions below are not exhaustive and do not take any specific network topology into account.


Scope


FortiGate.

Solution


There is no response from the SSL VPN URL.

Go to VPN -> SSL-VPN Settings and check the SSL VPN port assignment.
Also check the 'Restrict Access' settings to ensure the host you are connecting from is allowed.

Go to Policy -> IPv6 policy and make sure that the policy for SSL VPN traffic is configured correctly.

Check the URL to connect to. It follows this pattern:

https://<FortiGate IP>:<Port>/remote/login

Ensure that the correct port number is used in the URL.


Use a computer on the local network to connect to the VPN, rather than connecting remotely.

If an external authentication is used, create a local user and connect to the VPN using this local account.

FortiClient cannot connect.

Read the release notes to ensure that the version of FortiClient used is compatible with your version of FortiOS.

Export FortiClient debug logs by doing the following:

Go to File -> Settings. Under the Logging section, enable 'Export logs'.

Set the 'Log Level' to debug and select 'Clear logs'.

Attempt to connect to the VPN.

Select Export logs after receiving the connection error.

The SSL VPN login hangs or disconnects at 98%.

A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve various SSL VPN connection issues.
If the FortiOS version is compatible, upgrade FortiClient to one of these versions.

In addition, latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate.
In FortiOS 5.6.0 and later, the following commands allow a user to increase timers related to SSL VPN login.

config vpn ssl settings
    set login-timeout 180
    set dtls-hello-timeout 60
end

The default values are 30 seconds for login-timeout and 10 seconds for dtls-hello-timeout.

Tunnel-mode connection shuts down after a few seconds.

This issue can occur when there are multiple interfaces connected to the Internet (for example, SD-WAN).
This can cause the session to become 'dirty'.
To fix this, keep the session on the interface it was established on with the following settings.

If FortiOS 6.0.1 or later is used, use this CLI command:

config system interface
    edit <name>
        set preserve-session-route enable
    next
end

If FortiOS 6.0.0 or earlier is used, use this CLI command:

config vpn ssl settings
    set route-source-interface enable
end

The following error message is received: 'Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12)'.

Make sure that the browser has cookies enabled.

If a remote authentication server is used, confirm that the FortiGate is able to communicate with it.

The tunnel connects but there is no communication.

Make sure a route exists for the SSL VPN interface by going to Monitor -> Routing Monitor.
Also, check the routing table on your computer to ensure the routes for the VPN are added (use the command route print on Windows, or netstat -nr on macOS).

The VPN tunnel connects remotely but does not give access to network resources.

Verify that the firewall policy for SSL VPN traffic is configured correctly by going to Policy & Objects -> IPv4 Policy and making sure the source/destination addresses, user group, and destination interfaces are correct.
Use the command 'diagnose debug flow' to get more information about network traffic.
To learn more about this command, see How to use debug flow to filter traffic.

Users are unable to download the SSL VPN plugin.

Go to VPN -> SSL-VPN Portals to make sure that the option to limit users to One SSL-VPN Connection at a time is disabled.
This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.

Users are being assigned to the wrong IP range.

Go to VPN -> SSL-VPN Portals and VPN -> SSL-VPN Settings and make sure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts.
If there is a conflict, the portal settings are used.

SSL VPN throughput is slow.

Although many factors can contribute to slow throughput, one recommendation is to try the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.

DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP at the transport layer instead of TCP.
This avoids retransmission problems that can occur with TCP-in-TCP.

To make sure that the DTLS tunnel is enabled on the FortiGate, use the following command:

config vpn ssl settings
    set dtls-tunnel enable
end

FortiClient 5.4.0 to 5.4.3 uses DTLS by default.

FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.

To use DTLS with FortiClient, go to File -> Settings and enable 'Preferred DTLS Tunnel'.