Technical Tip: SSL-VPN login fail with tunnel type=ssl-web when using FortiClient

This article describes why the log message shows that the SSL-VPN login failed with tunnel type=ssl-web when the user logs in from FortiClient.

Sometimes, it is possible to notice that whenever a FortiClient user fails to login, the log is showing that the user is trying to log in to ssl-web instead of ssl-tunnel.

date=2021-03-26 time=18:27:41 eventtime=1616754461306886988 tz="+0800" logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=192.168.244.156 user="test" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"

• This is because when the tunnel mode/FortiClient is initiated, the traffic first hits the URL over HTTPS, therefore, until the login is successful the firewall tracks it as ssl-web mode.
• Upon successful tunnel establishment, a separate log being generated will be visible and the tunnel type will be ssl-tunnel:

date=2021-03-26 time=18:36:08 eventtime=1616754969229860842 tz="+0800" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=856124655 remip=192.168.244.156 tunnelip=10.212.134.200 user="test" group="split-tunnel" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"

Example:

1. The logs under Log & Report ->Events -> VPN Events will show that the attack is happening through SSL-web. 

2. The SSL VPN portal already has web mode disabled under VPN -> SSL-VPN Portals.

3. It is showing 'ssl-web' in the log.
4. To understand this, the user will generate the same log from FortiClient only which means tunnel mode. Try to log in to FortiClient through the public IP and the same port under the SSL VPN setting.
5. Let's take the login username as 'rakesh' and any random password. so, when trying to use SSL VPN public Ip and port with username: 'rakesh' and random password on FortiClient, it will generate the same logs as below.

6. This proves that these logs are generated from tunnel mode not through web mode.

Note:
Starting from FortiOS v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN'.

Related articles:

Technical Tip: Getting alert logs frequently on FortiGate for 'SSL failed users' from the unknown public IP addresses and from different countries

Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific percentages