FORTIGATE - SSLVPN Troubleshoot: Difference between revisions

Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.

diagnose debug application sslvpn -1
diagnose debug enable

The CLI displays debug output similar to the following:

 
[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

To disable the debug :

diagnose debug disable
diagnose debug reset

Use the following diagnose commands to identify remote user authentication issues :

diagnose debug application fnbamd -1
diagnose debug enable

Use the following diagnose commands to identify SAML user authentication issues :

diagnose debug application samld -1
diagnose debug enable

• https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

• https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/502390/debug-commands