Solved: What is the meaning of SSL-VPN event log alert ‘close notify’?

This article explains the following example log entry, which can appear in the VPN event logs:

date=aaaa-bb-cc time=14:57:03 id=7043999867294711827 itime="aaaa-bb-cc 14:57:03" euid=2 epid=2 dsteuid=2 dstepid=2 logver=604071911 logid=0101039944 type="event" subtype="vpn" level="information" action="ssl-alert" msg="SSL alerts" logdesc="SSL VPN alert" user="N/A" remip=x.x.x.x group="N/A" tunnelid=0 tunneltype="ssl" dst_host="N/A" reason="warning" desc="close notify" eventtime=1640059023563861162 tz="+1100" devid="FGTSERIALNO" vd="root" csf="FABRIC-NAME" dtime="aaaa-bb-cc 14:57:03" itime_t=1640059023 devname="FGT-NAME"

Note that some details of the above log have been altered for privacy reasons.

Solution

This alert signals that the SSL-VPN connection is closing. It is sent right before the TCP FIN packet.

When either the client or the server is ready to end the connection, both call the SSL_shutdown() function to indicate that the SSL connection is ending normally.

This causes an SSL record of type alert to be sent.

In this case, the alert type is close notify, which means the SSL session is ending.

To stop receiving this log message, exclude it by log ID with the following steps in the FortiGate CLI:

# config log disk filter
set filter-type exclude
set filter [logid]
end
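
For triage before excluding the log ID, the following added example (not part of the original article and not Fortinet code) parses lines in the key=value format shown above and separates routine close notify warnings from any other SSL alert. The sample lines, the "fatal" and "handshake failure" values, and the function names are constructed for illustration.

```python
import shlex
from collections import Counter

# Constructed sample lines in the article's key=value format (not real logs).
SAMPLE_LOGS = [
    'logid=0101039944 type="event" subtype="vpn" action="ssl-alert" '
    'remip=192.0.2.10 reason="warning" desc="close notify"',
    'logid=0101039944 type="event" subtype="vpn" action="ssl-alert" '
    'remip=192.0.2.10 reason="warning" desc="close notify"',
    # Constructed non-routine alert: reason/desc values are assumptions.
    'logid=0101039944 type="event" subtype="vpn" action="ssl-alert" '
    'remip=198.51.100.7 reason="fatal" desc="handshake failure"',
    # Constructed unrelated event that the triage should skip.
    'type="event" subtype="system" action="login" msg="constructed sample"',
]


def parse_fortigate_line(line):
    """Split one key=value log line into a dict; quoted values may hold spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def triage_ssl_alerts(lines):
    """Count routine close notify warnings per remip; return other alerts whole."""
    routine = Counter()
    needs_review = []
    for line in lines:
        try:
            rec = parse_fortigate_line(line)
        except ValueError:  # unbalanced quote: keep the raw line for a human
            needs_review.append({"raw": line})
            continue
        if rec.get("subtype") != "vpn" or rec.get("action") != "ssl-alert":
            continue
        if rec.get("reason") == "warning" and rec.get("desc") == "close notify":
            routine[rec.get("remip", "unknown")] += 1
        else:
            needs_review.append(rec)
    return routine, needs_review


if __name__ == "__main__":
    routine, needs_review = triage_ssl_alerts(SAMPLE_LOGS)
    print("routine closes per remote IP:", dict(routine))
    for rec in needs_review:
        print("review:", rec)
```

The exclude filter above matches on log ID only. Assuming other SSL alert descriptions are logged under the same ID, a field-level check like this keeps them visible while the routine close notify entries are counted rather than read.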