
SSL VPN event logs when successfully connected

This article discusses SSL VPN logs upon successful connection from FortiClient.

Scope

FortiClient, FortiGate.

Solution

Step 1: When FortiClient makes the initial connection to the FortiGate SSL VPN, an event log with the action ‘ssl-new-con’ is generated.

date=2024-07-24 time=17:19:52 id=7395315174070026249 itime="2024-07-24 17:19:52" euid=2 epid=2 dsteuid=2 dstepid=2 logver=704042662 logid=0101039943 type="event" subtype="vpn" level="information" action="ssl-new-con" msg="SSL new connection" logdesc="SSL VPN new connection" user="N/A" remip=X.X.X.X group="N/A" tunnelid=0 tunneltype="ssl" dst_host="N/A" reason="N/A" eventtime=1721855992674651844 tz="-0400" devid="YYYY" vd="root" dtime="2024-07-24 17:19:52" itime_t=1721855992 devname="LAB"

To filter for these logs, go to Log & Report > System Events > VPN Events and apply the filter: Action == ssl-new-con

Step 2: When a user logs into FortiClient, a successful connection creates two separate logs with the action ‘tunnel-up’. The first log does not contain the FortiClient UID or the tunnel IP, and its tunnel type is listed as ‘ssl-web’.

date=2024-07-24 time=17:19:52 id=7395315174070026250 itime="2024-07-24 17:19:52" euid=1027 epid=104 dsteuid=3 dstepid=3 logver=704042662 logid=0101039424 type="event" subtype="vpn" level="information" action="tunnel-up" msg="SSL tunnel established" logdesc="SSL VPN tunnel up" user="test" remip= X.X.X.X group="AD_users" tunnelid=680321789 tunneltype="ssl-web" dst_host="N/A" reason="login successfully" eventtime=1721855992764858823 tz="-0400" devid="YYYY" vd="root" dtime="2024-07-24 17:19:52" itime_t=1721855992 devname="LAB"

The second log contains the FortiClient UID and the tunnel IP, and its tunnel type is ‘ssl-tunnel’.

date=2024-07-24 time=17:19:53 id=7395315178364993552 itime="2024-07-24 17:19:53" euid=1027 epid=104 dsteuid=3 dstepid=3 logver=704042662 logid=0101039947 type="event" subtype="vpn" level="information" action="tunnel-up" msg="SSL tunnel established" logdesc="SSL VPN tunnel up" user="test" remip= X.X.X.X group="AD_users" tunnelip=10.212.134.200 tunnelid=680321789 tunneltype="ssl-tunnel" dst_host="N/A" reason="tunnel established" fctuid="51C62E634698447BA92F9D20E3D9B5DB" eventtime=1721855993235690102 tz="-0400" devid="YYYY" vd="root" dtime="2024-07-24 17:19:53" itime_t=1721855993 devname="LAB"

To filter for these logs, go to Log & Report > System Events > VPN Events and apply the filter: Action == tunnel-up

Step 3: The reason two logs are generated is described in the article below (Point 2): Technical Tip: SSL-VPN login fail with tunnel type=ssl-web when using FortiClient
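The following Python script is an added example, not part of the original article or Fortinet tooling. It parses exported key=value event lines and joins the two ‘tunnel-up’ records of one login into a single session. It assumes both records share the same tunnelid, as they do in the sample logs above; the function names, the 203.0.113.x addresses, the user "alice" and tunnelid 111 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: fields trimmed from the logs above. The 203.0.113.x
# addresses, user "alice" and tunnelid 111 are placeholders made up here.
SAMPLE_LOGS = """\
date=2024-07-24 time=17:19:52 action="ssl-new-con" msg="SSL new connection" user="N/A" remip=203.0.113.10 tunnelid=0 tunneltype="ssl"
date=2024-07-24 time=17:19:52 action="tunnel-up" user="test" remip=203.0.113.10 group="AD_users" tunnelid=680321789 tunneltype="ssl-web" reason="login successfully"
date=2024-07-24 time=17:19:53 action="tunnel-up" user="test" remip=203.0.113.10 group="AD_users" tunnelip=10.212.134.200 tunnelid=680321789 tunneltype="ssl-tunnel" reason="tunnel established" fctuid="51C62E634698447BA92F9D20E3D9B5DB"
date=2024-07-24 time=17:25:01 action="tunnel-up" user="alice" remip=203.0.113.77 group="AD_users" tunnelid=111 tunneltype="ssl-web" reason="login successfully"
"""

# key=value pairs; a value is either a quoted string (may contain spaces) or a bare token
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def correlate_logins(text):
    """Group tunnel-up events by tunnelid and merge the ssl-web/ssl-tunnel pair."""
    sessions = defaultdict(dict)
    for line in filter(None, map(str.strip, text.splitlines())):
        ev = parse_line(line)
        if ev.get("action") != "tunnel-up":
            continue  # ssl-new-con carries user="N/A" and tunnelid=0: nothing to join on
        s = sessions[ev["tunnelid"]]
        s.setdefault("user", ev.get("user"))
        s.setdefault("remip", ev.get("remip"))
        s.setdefault("types", set()).add(ev.get("tunneltype"))
        if ev.get("tunneltype") == "ssl-tunnel":
            # Only the second record carries the tunnel IP and FortiClient UID
            s["tunnelip"] = ev.get("tunnelip")
            s["fctuid"] = ev.get("fctuid")
    for s in sessions.values():
        # Both records present = the two-log FortiClient pattern described above
        s["complete"] = {"ssl-web", "ssl-tunnel"} <= s["types"]
    return dict(sessions)

if __name__ == "__main__":
    for tid, s in correlate_logins(SAMPLE_LOGS).items():
        state = "tunnel established" if s["complete"] else "ssl-web record only"
        print(tid, s["user"], s["remip"], s.get("tunnelip", "-"), s.get("fctuid", "-"), state)
```

Sessions reported as "ssl-web record only" have the first log without the second, which is the case worth checking against the article referenced in Step 3.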

It is also possible to enable automation stitches for successful SSL VPN logins:

Technical Tip: How to receive an alert email when SSL VPN user login successfully