SSL VPN troubleshooting
This topic provides a tips for SSL VPN troubleshooting.
Diagnose commands
SSL VPN debug command
Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.
diagnose debug application sslvpn -1 diagnose debug enable
The CLI displays debug output similar to the following:
FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
To disable the debug:
diagnose debug disable diagnose debug reset
Remote user authentication debug command
Use the following diagnose commands to identify remote user authentication issues.
diagnose debug application fnbamd -1 diagnose debug reset