Troubleshooting Tip: Fix 'Permission denied' error received by SSL VPN users while logging into FortiGate in web mode

Description

This article describes how to fix an issue where an SSL VPN user receives a 'Permission denied' error while trying to log in to FortiGate.

Scope

FortiGate v6 and later with an SSL VPN.

Solution

When logging in, a user may receive the following error:

This occurs if the user has not been correctly added to the permission policy.

The following debug logs are seen when the user has not been added to the policy:

The debug applied is the following:

diagnose debug reset
diagnose debug console time enable
diagnose debug application fnbamd -1
diagnose debug enable

2022-12-05 08:40:26 [15453:root:82]sslvpn_authenticate_user:191 authenticate user: [dhrumit]

2022-12-05 08:40:26 [15453:root:82]sslvpn_authenticate_user:205 create fam state

2022-12-05 08:40:26 [15453:root:82]fam_auth_send_req:947 clear local user flag and do authentication again.

2022-12-05 08:40:26 [15453:root:82][fam_auth_send_req_internal:426] Groups sent to FNBAM:

2022-12-05 08:40:26 [15453:root:82][fam_auth_send_req_internal:438] FNBAM opt = 0X200401

2022-12-05 08:40:26 invalid auth params for user 'dhrumit'

2022-12-05 08:40:26 [15453:root:82]fam_auth_send_req_internal:514 fnbam_auth return: 5

2022-12-05 08:40:26 [15453:root:82]fam_auth_send_req:1007 task finished with 5

2022-12-05 08:40:26 [15453:root:82]login_failed:393 user[dhrumit],auth_type=1 failed [sslvpn_login_unknown_user]

2022-12-05 08:40:26 [15453:root:0]dump_one_blocklist:94 status=1;host=172.25.181.92;fails=1;logintime=1670247625

2022-12-05 08:40:26 [15453:root:82]req: /remote/login?&err=sslvpn_login_permissi

2022-12-05 08:40:26 [15453:root:82]rmt_web_auth_info_parser_common:504 no session id in auth info

The following debug logs are seen when the user has been added to the policy:

2022-12-05 08:43:41 [15453:root:96]deconstruct_session_id:716 decode session id ok, user=[dhrumit], group=[],authserver=[],portal=[full-access],host[172.25.181.92],rea

lm=[],csrf_token=[C7C6AFB79EE75B3FC3DA2B6EC447D9],idx=0,auth=1,sid=48b8ffbb,login=1670247821,access=1670247821,saml_logout_url=no,pip=no,grp_info=[yaeKsH],rmt_grp_info

=[]

2022-12-05 08:43:41 [15453:root:96]def: 0x30e22b0 /api/v2/static/fweb_build.json

2022-12-05 08:43:41 [15453:root:96]deconstruct_session_id:716 decode session id ok, user=[dhrumit], group=[],authserver=[],portal=[full-access],host[172.25.181.92],rea

lm=[],csrf_token=[C7C6AFB79EE75B3FC3DA2B6EC447D9],idx=0,auth=1,sid=48b8ffbb,login=1670247821,access=1670247821,saml_logout_url=no,pip=no,grp_info=[yaeKsH],rmt_grp_info

=[]

2022-12-05 08:43:41 [15453:root:93]req: /remote/portal?access=admin

2022-12-05 08:43:41 [15453:root:93]deconstruct_session_id:716 decode session id ok, user=[dhrumit], group=[],authserver=[],portal=[full-access],host[172.25.181.92],rea

lm=[],csrf_token=[C7C6AFB79EE75B3FC3DA2B6EC447D9],idx=0,auth=1,sid=48b8ffbb,login=1670247821,access=1670247821,saml_logout_url=no,pip=no,grp_info=[yaeKsH],rmt_grp_info

=[]

To solve this issue, allow the user in the SSL VPN policy:

The login will succeed afterwards: