Description | This article describes how to fix an issue where users with valid credentials are unable to connect to the SSL VPN: the client either stays in a "connecting" state indefinitely or reports that the VPN connection is down. |
Scope | FortiGate, FortiClient |
Solution |
When the user is trying to connect to the VPN, check the following two places:
VPN logs:
SSL VPN debugging:
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
Look for the following line in the debug output:
sslvpn_dtls_timeout_check:312 waiting for client hello timeout
The macOS and iPhone (free) versions of FortiClient have no option to enable DTLS, while all newer FortiGate versions have DTLS enabled for better performance. FortiGate therefore waits for the FortiClient to open the DTLS channel, which never happens because DTLS is not enabled on the client; the wait times out and the failure brings down the whole tunnel.
Disable the DTLS option on FortiGate, test the connection again, and monitor SSL VPN performance afterwards. To disable DTLS on SSL VPN, run the following commands:
config vpn ssl settings
    set dtls-tunnel disable
end
DTLS has been enabled by default on SSL VPN since FortiOS 5.4.
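The following is an added example (not Fortinet code) that checks an exported FortiGate configuration for the dtls-tunnel state and counts the DTLS client-hello timeouts in captured sslvpn debug output, so an administrator can confirm this mismatch before changing the setting. It assumes a FortiOS 5.4 or later configuration, where a missing dtls-tunnel line means the default of enable; the config and debug samples are constructed.

```python
"""Correlate SSL VPN DTLS configuration with sslvpn debug output.

Added example, not part of the Fortinet article or FortiOS. Sample
inputs below are constructed to resemble a config export and debug capture.
"""
import re

TIMEOUT_MARKER = "waiting for client hello timeout"
DTLS_RE = re.compile(r"^set dtls-tunnel (enable|disable)$")


def dtls_tunnel_state(config_text: str) -> str:
    """Return 'enable' or 'disable' for dtls-tunnel under 'config vpn ssl settings'.

    A missing line means the factory default, which is 'enable' on
    FortiOS 5.4 and later (assumption: the export is from such a release).
    """
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ssl settings":
            in_block = True
            continue
        if in_block and line == "end":
            break
        match = DTLS_RE.match(line)
        if in_block and match:
            return match.group(1)
    return "enable"


def count_dtls_timeouts(debug_output: str) -> int:
    """Count sslvpn_dtls_timeout_check lines reporting a client hello timeout."""
    return sum(1 for line in debug_output.splitlines() if TIMEOUT_MARKER in line)


def diagnose(config_text: str, debug_output: str) -> str:
    """Summarise whether the DTLS mismatch described in the article is present."""
    state = dtls_tunnel_state(config_text)
    timeouts = count_dtls_timeouts(debug_output)
    if state == "enable" and timeouts:
        return (f"dtls-tunnel enabled and {timeouts} client hello timeout(s) seen: "
                "clients without DTLS support will fail; consider 'set dtls-tunnel disable'")
    if state == "enable":
        return "dtls-tunnel enabled, no DTLS timeouts in this capture"
    return "dtls-tunnel disabled; DTLS is not the cause of this failure"


# Constructed samples: config with no dtls-tunnel line (default enable) and a
# debug capture containing two timeout events.
SAMPLE_CONFIG = "config vpn ssl settings\n    set port 443\nend\n"
SAMPLE_DEBUG = ("sslvpn_dtls_timeout_check:312 waiting for client hello timeout\n"
                "sslvpn_dtls_timeout_check:312 waiting for client hello timeout\n")
```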
If assistance is needed, contact Fortinet support.
Copyright 2024 Fortinet, Inc. All Rights Reserved.