Configuring SSLVPN with FortiGate and FortiClient is pretty easy. Nevertheless problems may occur while establishing or using the SSLVPN connection.
If the negotiation of SSLVPN stops at a specific percentage:
- 10% – there is an issue with the network connection to the FortiGate. Verify that the client is connected to the internet and can reach the FortiGate. Double-check that the FortiClient configuration has set the correct IP and port of the Fortigate.
- 40% – there is an issue with the certificates or the TLS negotiation. If you are using the default FortiGate certificate, the client is probably not trusting this certificate. In this case the user is shown a popup window to confirm the validity of the certificate. Make sure that this popup window is not hidden behind other windows. If the client is using CRL or OCSP make sure that the FortiGate certificate can be checked against those protocols.
Additionally, it is possible that the TLS versions of Client and FortiGate are not matching. This KB article describes how to check the TLS versions for SSLVPN on the FortiGate. And this KB article explains how to check the TLS versions on a windows client.
- 80% – at this stage the username and password is verified. Please check user/usergroup/portal and firewall policy configuration on the FortiGate. If you are using a remote server you can troubleshoot this communication with the following KB articles: Radius and LDAP. Another reason for a failure at 80% is that you are not using the correct Realm. Please doublecheck that you are addressing the correct Realm.
- 98% – hopefully you are not getting stuck at this point… this problem is most likely caused by a corrupted FortiClient installation and/or OS problems. This can probably be solved by reinstalling the FortiClient software on the computer.
General debugging of the SSLVPN negotiation
The CLI real-time debugger allows monitoring of the SSLVPN negotiation:
# diagnose debug enable
# diagnose debug application sslvpn -1
(now try to establish the SSLVPN connection)
(once the negotiation is done or stopped you can disable the debugger)
# diagnose debug application sslvpn 0
# diagnose debug disable
If the SSLVPN connection is established, but the connection stops after some time, you should double-check the following two timeout values on the FortiGate configuration:
# config vpn ssl settings
# set idle-timeout 300
# set auth-timout 28000
idle-timeout is closing the SSLVPN if the connection is idle for more than 5 minutes (300 seconds). This configuration can be changed in the WebUI (SSL VPN settings) as well.
auth-timeout is closing the SSLVPN connection based on the the authentication timeout. By default this is set to 8 hours (28800 seconds). So if therefore a SSLVPN connection is stopping after straight 8 hours, even though you are using the tunnel continuously, it’s very likely that you are hitting the authentication timeout.
Additional comments on the FortiClient v6.2
If you are using the free «FortiClient v6.2 VPN(-only)» you have a limited feature set (please refer to FortiClient VPN 6.2) – for example you are not able to perform host-checks. Please make sure that you don’t have any (maybe legacy) host-checks configured in the SSLVPN portal on your FortiGate:
# config vpn ssl web portal
# show full | grep -f host-check
Update on IPv6 problems with FOS 6.2 and 6.4
As you can already read in the comments of this article, you can get in problems when the client is using an IPv6 connection or dual stack IPv4/IPv6. In this case you have to disable IPv6 on your client itself or in the SSLVPN settings of your FortiClient (Fortinet KB article).
- KB-Article with good additional SSLVPN troubleshooting information
- Another KB-Article with great SSLVPN troubleshooting information
- Comprehensive documentation on VPN configuration
28,227 total views, 46 views today