Troubleshooting Tip: Failed login attempts to FortiGate-6K/7K chassis backplane management IP address
| Description | This article describes the reason for System Event logs that record failed login attempts to the backplane management IP address (10.101.10.X):
date=2024-02-18 time=14:40:56 devname=7K_labFGT devid=FG73ES3E1XXXXXX slot=1 eventtime=1739911256673233782 tz="-0600" logid="0100032002" type="event" subtype="system" level="alert" vd="mgmt-vdom" logdesc="Admin login failed" sn="0" user="admin" ui="https(92.X.Y.Z)" method="https" srcip=92.255.85.45 dstip=10.101.10.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(92.255.85.45) because of invalid password"
Accessing the GUI via 'https://<mgmt ip>:<special management port>' routes the connection to that particular FIM/FPM/FPC of the chassis. The flow goes from the client IP to management_IP:port and is eventually NATed, so that it becomes client IP to the base-mgmt IP 10.101.10.X:port (the default port is 443). For example, if the source IP a.b.c.d connects to the FortiGate using HTTPS on port 44301 ('https://<management IP>:44301'), the following packets can be observed in the sniffer output after the connection is made:
[FIM01] 2024-02-18 13:41:44.890219 havdlink1 out a.b.c.d.55931 -> 10.101.10.1.443: syn 2762137813 |
| Scope | FortiGate-6K/7K chassis. |
| Solution | Use one of the two solutions below to restrict access to special management IP addresses.
A list of special management IP addresses can be found in: Special management port numbers |
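
An added example (not from the original article or from Fortinet): a short Python triage script that picks out failed admin logins whose `dstip` falls in the backplane range described above and groups them by source address. The /24 width of the 10.101.10.X range, the trusted admin network and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Base-mgmt range from the article (10.101.10.X); the /24 width is an assumption.
BACKPLANE_NET = ipaddress.ip_network("10.101.10.0/24")
# Hypothetical admin network; replace with the networks administrators really use.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("192.168.50.0/24")]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines modelled on the article's log (fields trimmed, test addresses).
_FAIL = 'logid="0100032002" logdesc="Admin login failed" action="login" status="failed"'
SAMPLE_LOGS = [
    f'date=2024-02-18 time=14:40:56 slot=1 {_FAIL} srcip=203.0.113.7 dstip=10.101.10.1',
    f'date=2024-02-18 time=14:41:02 slot=3 {_FAIL} srcip=203.0.113.7 dstip=10.101.10.3',
    f'date=2024-02-18 time=14:45:10 slot=1 {_FAIL} srcip=192.168.50.10 dstip=10.101.10.1',
    f'date=2024-02-18 time=14:50:30 slot=1 {_FAIL} srcip=203.0.113.7 dstip=192.0.2.10',
]

def parse_kv(line):
    """Parse a FortiGate key=value log line, keeping quoted values intact."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def failed_backplane_logins(lines):
    """Group failed admin logins whose dstip is a backplane address by source IP."""
    report = defaultdict(lambda: {"count": 0, "targets": set(), "trusted": False})
    for line in lines:
        fields = parse_kv(line)
        if fields.get("logid") != "0100032002" or fields.get("status") != "failed":
            continue
        try:
            src = ipaddress.ip_address(fields["srcip"])
            dst = ipaddress.ip_address(fields["dstip"])
        except (KeyError, ValueError):
            continue  # skip lines without usable addresses
        if dst not in BACKPLANE_NET:
            continue  # login aimed at an ordinary interface address
        entry = report[str(src)]
        entry["count"] += 1
        entry["targets"].add(str(dst))
        entry["trusted"] = any(src in net for net in TRUSTED_ADMIN_NETS)
    return dict(report)

if __name__ == "__main__":
    for src, info in failed_backplane_logins(SAMPLE_LOGS).items():
        label = "trusted admin network" if info["trusted"] else "outside trusted networks"
        print(f"{src}: {info['count']} failed, targets {sorted(info['targets'])}, {label}")
```

Sources reported as outside the trusted networks indicate that a special management port is reachable from addresses that should not have admin access.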