jguerra
Staff
September 2, 2024

Troubleshooting Tip: SSL VPN 'permission denied' error while using DUO as Two-Factor Authentication (2FA)

Description

This article describes how to resolve SSL VPN authentication errors that occur before the DUO 2FA push is completed.

Scope

FortiClient, DUO.

Solution

When using DUO with FortiClient, the VPN authentication may fail before the end user has approved the DUO MFA push on their mobile or token device. This results in a 'permission denied' error in FortiClient, followed by a DUO push notification that arrives after the VPN session has already failed, so approving it has no effect.

It is possible to confirm exactly what is occurring by running an FNBAMD debug. The commands to do that are:

diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable

To stop the debug:

diagnose debug disable
diagnose debug reset

Try to connect. The following is the expected output if the connection to the LDAP server is timing out:

2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
2024-08-26 14:38:22 [1642] __ldap_error-Ret 10, st = 3.
2024-08-26 14:38:22 [1679] __ldap_error-
2024-08-26 14:38:22 [1485] __ldap_tcps_close-closed.
2024-08-26 14:38:22 [1567] __ldap_conn_stop-Stop ldap conn timer.

This issue occurs because the 'ldapconntimeout' timer on the FortiGate is set too low, so the LDAP connection used for authentication expires before the DUO process finishes. To resolve this, increase the 'ldapconntimeout' timer (the default is 500 milliseconds) using the CLI command below:

config sys global
    set ldapconntimeout <milliseconds>    <- default: 500 milliseconds
end

The value for 'ldapconntimeout' can be set between 1 and 300000 milliseconds. After increasing the timer, run several SSL VPN connection tests and fine-tune the value so that it covers the time VPN users actually need to approve the DUO push.
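To pick this failure signature out of a longer fnbamd capture and render the matching CLI change, here is an added Python helper (example code written for this article, not Fortinet's own; the sample lines are the ones quoted above with a placeholder IP, and the doubling heuristic is the example's own assumption):

```python
import re
from datetime import datetime

# FortiGate CLI range for 'ldapconntimeout', in milliseconds (from the article).
LDAPCONNTIMEOUT_MIN, LDAPCONNTIMEOUT_MAX = 1, 300000

# Constructed sample: the fnbamd lines quoted in the article, with a placeholder IP.
SAMPLE_DEBUG = """\
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
2024-08-26 14:38:22 [1642] __ldap_error-Ret 10, st = 3.
2024-08-26 14:38:22 [1679] __ldap_error-
2024-08-26 14:38:22 [1485] __ldap_tcps_close-closed.
2024-08-26 14:38:22 [1567] __ldap_conn_stop-Stop ldap conn timer.
"""

# One fnbamd debug line: "<date> <time> [<n>] <function>-<message>"
_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\d+)\] (\w+)-(.*)$")
# Match on the server token rather than the misspelt "Connction" in the message.
_TIMEOUT_RE = re.compile(r"LDAP:(\S+) timed out")

def parse_fnbamd_debug(text: str) -> list[dict]:
    """Parse fnbamd debug output into event dicts; unrecognised lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            ts, src, func, msg = m.groups()
            events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "src": int(src), "func": func, "msg": msg})
    return events

def find_ldap_timeouts(events: list[dict]) -> list[str]:
    """Return the LDAP servers named in __ldap_conn_timeout events, in order."""
    servers = []
    for ev in events:
        if ev["func"] == "__ldap_conn_timeout":
            m = _TIMEOUT_RE.search(ev["msg"])
            servers.append(m.group(1) if m else "<unparsed>")
    return servers

def suggest_ldapconntimeout(current_ms: int) -> int:
    """Next value to try: doubling is this example's own heuristic (the article
    only says to raise it and fine-tune by testing), clamped to the valid range."""
    return max(LDAPCONNTIMEOUT_MIN, min(LDAPCONNTIMEOUT_MAX, current_ms * 2))

def fortios_cli(timeout_ms: int) -> str:
    """Render the 'config system global' snippet shown in the article."""
    return f"config sys global\n    set ldapconntimeout {timeout_ms}\nend"
```

Feed the captured debug text to parse_fnbamd_debug, and if find_ldap_timeouts returns any server, apply the snippet from fortios_cli and re-test the VPN login.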

Related article:
Technical Tip: Increase the LDAP query timeout

2 replies

MaryBolano
Staff & Editor
September 2, 2024

Great, thank you @jguerra !

lpedraza
Staff
September 2, 2024

Well done @jguerra and @MaryBolano First KA of the month! I encourage you et al to keep up the good work!