This article describes key troubleshooting steps to help resolve connectivity issues between endpoints and FortiSASE VPN SSO, ensuring reliable access and enhanced security.
Scope
FortiSASE.
Solution
Below are the steps to troubleshoot a FortiSASE VPN issue:
Step 1: Verify the FortiSASE VPN SSO is configured properly from the FortiSASE Portal.
Step 2: Using FortiGate Support Tool to Obtain Configuration Files.
Install the ‘FortiGate Support Tool’ browser extension, which is publicly available on the Google Chrome Web Store.
Once it is installed, log in to FortiSASE, create a new capture, and stop the capture after some time.
Select New Capture; the extension then starts capturing.
Once the capture is complete, open the FortiGate Support Tool extension in another tab, select View Existing Capture, and select the capture file.
The configuration can then be downloaded and checked for any issue.
Step 3: Use SAML Tracer to view SAML logs.
Install the SAML-tracer extension in the Chrome browser and try to log in to the VPN via web mode.
Go to Configuration > VPN User SSO, copy the Portal (Sign On) URL, and paste it into Chrome.
While logging in to the VPN via web mode SSO, run SAML-tracer, which records the requests made during the login.
Now, select the lines marked as SAML.
The SAML messages can then be viewed and any issue with the SAML exchange verified.
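When reviewing the SAMLResponse that SAML-tracer shows in the POST to the assertion consumer URL, the fields worth checking first are the status code, the issuer, the NameID and the assertion validity window, because a clock skew between the endpoint and the identity provider is a frequent cause of a login that fails after a successful IdP authentication. The following script is an added example, not part of this article or of any Fortinet tool; it decodes a constructed sample response (the issuer URL, NameID and timestamps are made up) and reports those fields:

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces used by SAML 2.0 responses and assertions.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_time(value):
    """Parse an xsd:dateTime such as 2024-05-01T10:00:00Z; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def inspect_saml_response(b64_response, now=None):
    """Decode a base64 SAMLResponse and return the fields that most often explain
    a failed SSO login. 'valid_now' is False when 'now' (default: the endpoint
    clock, in UTC) lies outside the assertion's NotBefore/NotOnOrAfter window."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    nb = saml_time(cond.get("NotBefore")) if cond is not None else None
    na = saml_time(cond.get("NotOnOrAfter")) if cond is not None else None
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "not_before": nb,
        "not_on_or_after": na,
        "valid_now": bool(nb and na and nb <= now < na),
    }

# Constructed sample response (not from a real IdP). A captured one is the
# base64 'SAMLResponse' value in the POST that SAML-tracer lists as SAML.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-05-01T10:00:00Z">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Running `inspect_saml_response(SAMPLE_B64, now=saml_time("2024-05-01T10:10:00Z"))` reports a successful status but `valid_now` False, which is what an endpoint with a clock ten minutes fast would see.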
Step 4: Collect sslvpnd Debug Output.
While trying to connect to the VPN, open the FortiGate Support Tool mentioned in Step 2 and, before starting the capture, select Daemon Logging and add the sslvpnd daemon.
Once the capture has started, initiate the VPN connection.
The sslvpnd debug output can then also be viewed to help verify the issue.
Step 5: Use Wireshark to Analyze the TCP Stream.
Install Wireshark on the endpoint and open it while trying to connect to the VPN.
Filter on the IP address of the SASE VPN remote gateway and follow the TCP stream, which helps check whether there is any issue with the TCP connection.
To find the IP address of the SASE VPN remote gateway:
Open FortiClient (FCT), go to Remote Access > Remote Gateway, and copy the URL.
Perform an nslookup for that URL on the endpoint; this resolves it to a specific IP address, which can then be used to filter the packet flow in Wireshark.
Step 6: View the VPN Event logs.
Go to Analytics > Logs > Events > VPN Events.
VPN activity events can be verified here.