You can use the diagnose commands below to identify SSL VPN problems.
diagnose debug application sslvpn -1
This command enables SSL VPN debugging at debug level -1. Debug level -1 gives the most detailed output.
Verify the debug configuration
diagnose debug info
debug output: disable
console timestamp: disable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3
This output verifies that SSL VPN debugging is set to debug level -1 and shows which filters are in place. It also shows that debug output is disabled, so debug messages are not yet displayed on the console. No other application debug levels are listed, so debugging is not enabled for any other software subsystem.
Use the following command to enable the display of debug messages.
diagnose debug enable
To view the debug messages, log in to the SSL VPN portal; the CLI then displays debug output similar to the following.
FGT90E3G10002814 # [282:root]SSL state:before/accept initialization (172.20.130.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.130.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.130.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.130.12)
[282:root]SSL state:SSLv3 write finished B (172.20.130.12)
[282:root]SSL state:SSLv3 flush data (172.20.130.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.130.12)
[282:root]SSL state:SSLv3 read finished A (172.20.130.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.130.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
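As an added example (not part of the original page or a Fortinet tool), the following Python script parses output in the format shown above, groups the handshake states by process id and VDOM, and reports sessions that never reached "SSL established" or that negotiated a non-AEAD suite. The sample input is constructed: it reuses the lines above for pid 282 and adds a hypothetical second client (10.0.0.5, pid 283) whose handshake stalls after the client hello.

```python
import re
from collections import defaultdict

# Constructed sample: pid 282 completes (lines from the page), pid 283 stalls (hypothetical).
SAMPLE_DEBUG = """\
FGT90E3G10002814 # [282:root]SSL state:before/accept initialization (172.20.130.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.130.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.130.12)
[282:root]SSL state:SSLv3 read finished A (172.20.130.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.130.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
[283:root]SSL state:before/accept initialization (10.0.0.5)
[283:root]SSL state:SSLv3 read client hello A (10.0.0.5)
"""

STATE_RE = re.compile(r"\[(\d+):(\w+)\]SSL state:(.+?)\s*\((\d{1,3}(?:\.\d{1,3}){3})\)$")
ESTAB_RE = re.compile(r"\[(\d+):(\w+)\]SSL established: (\S+) (\S+) Kx=(\S+) Au=(\S+) Enc=(\S+) Mac=(\S+)$")


def parse_sslvpn_debug(text):
    """Group handshake states and the negotiated suite by (pid, vdom)."""
    sessions = defaultdict(lambda: {"client": None, "states": [], "suite": None, "established": False})
    for raw in text.splitlines():
        line = raw.split(" # ", 1)[-1].strip()  # drop a leading CLI prompt, if any
        m = STATE_RE.search(line)
        if m:
            pid, vdom, state, client = m.groups()
            s = sessions[(pid, vdom)]
            s["client"] = client
            s["states"].append(state)
            continue
        m = ESTAB_RE.search(line)
        if m:
            pid, vdom, suite, proto, kx, au, enc, mac = m.groups()
            s = sessions[(pid, vdom)]
            s["established"] = True
            # OpenSSL's description prints the version a suite was introduced in (SSLv3 here),
            # which is not necessarily the protocol version that was negotiated.
            s["suite"] = {"name": suite, "proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac}
    return dict(sessions)


def find_problems(sessions):
    """Return (pid, client, reason) for sessions that deserve a closer look."""
    problems = []
    for (pid, _vdom), s in sessions.items():
        if not s["established"]:
            problems.append((pid, s["client"], "no 'SSL established'; last state: " + s["states"][-1]))
        elif s["suite"]["mac"] == "SHA1":
            problems.append((pid, s["client"], "non-AEAD suite with SHA1 MAC: " + s["suite"]["name"]))
    return problems


if __name__ == "__main__":
    for pid, client, reason in find_problems(parse_sslvpn_debug(SAMPLE_DEBUG)):
        print(pid, client, reason)
```

Paste the captured debug output into SAMPLE_DEBUG (or read it from a file) to see, per client, how far each handshake got before it stopped.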
Use the following commands to stop displaying debug messages and to reset the debug configuration.
diagnose debug disable
diagnose debug reset
The following examples describe potential problems and their remedies; they may not reflect your network topology.
FortiClient connection problem
Read the Release Notes to make sure the version of FortiClient you are using is compatible with your version of FortiOS.
You can export FortiClient debug logs as follows.
1. Under File > Settings > Logging, make sure Export Logs is enabled.
2. Set Log Level to Debug and select Clear Logs.
3. Try to make a VPN connection.
4. Select Export Logs after getting the connection error.
SSL VPN login hangs or disconnects at 98%
A new SSL VPN driver has been added to FortiClient 5.6.0 and later to resolve various SSL VPN connection issues. If your FortiOS version is compatible, update to use one of these versions.
Additionally, latency or poor network connectivity can cause the default login timeout to be reached on the FortiGate. In FortiOS 5.6.0 and later, the following commands increase the SSL VPN login timers.
config vpn ssl settings
set login-timeout 180 (default is 30)
set dtls-hello-timeout 60 (default is 10)
end
SSL VPN Throughput slowness
A must-try recommendation for this issue is the Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and later.
DTLS lets the SSL VPN encrypt traffic with TLS while using UDP instead of TCP at the transport layer. This avoids the retransmission problems that occur with TCP-in-TCP tunneling.
Use the commands below to ensure DTLS tunneling is enabled on the FortiGate.
config vpn ssl settings
set dtls-tunnel enable
end
FortiClient 5.4.0 - 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later use regular TLS regardless of the DTLS setting on the FortiGate.
To use DTLS with FortiClient, go to File > Settings and enable Preferred DTLS Tunneling.