Maerre
Explorer III
April 7, 2025
Solved

Migrating from Anyconnect to Forticlient - Impossible to connect error 455


Hi,

We are migrating from AnyConnect to FortiClient and encountering many problems. Currently, a RADIUS server (NPS) is being used, which passes Cisco RADIUS attributes such as IP address, subnet mask, and a dynamic ACL (DAC) for each user.
For each user created in Active Directory, a static IP is assigned, the RADIUS profile to use is specified, and the corresponding ACL policies are created on the ASA.

On the FortiGate side, I have configured the RADIUS servers and set up the entire SSL portal. Since the IP is passed statically, I found a guide that suggested setting "set ip-mode user-group" under the portal.
I also created the corresponding ACL that allows from SSL VPN to any, but as soon as the MFA notification arrives with Duo, I get permission denied (error -455) and the process stops at 43%.

Does anyone have any suggestions?
I've tried everything but can't solve it.
Below is the configuration.


config vpn ssl web portal
edit "RADIUS1_PORTAL"   <---- my 1st portal
set tunnel-mode enable
set ip-mode user-group
set ip-pools "Pool_Vpn"
next
edit "RADIUS2_PORTAL" <---- my 2nd portal
set tunnel-mode enable
set ip-mode user-group
set ip-pools "Pool_Vpn"
next
end

config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set tunnel-ip-pools "Pool_Vpn"
set dns-server1 8.8.8.8
set source-interface "outise_vpn"
set source-address "all"
set default-portal "tunnel-access"
config authentication-rule
edit 1
set groups "radius1"  <-------1st radius i'm using
set portal "RADIUS1_PORTAL"
next
edit 3
set groups "radius2" <-------2nd radius i'm using
set portal "RADIUS2_PORTAL"
next
end
end


config vpn ssl web portal

edit "RADIUS1_PORTAL"
set tunnel-mode enable
set ip-mode user-group <------------------to use framed-ip from radius attributes (radius is passing the ip statically)
set ip-pools "Pool_Vpn"
next
edit "RADIUS2_PORTAL"
set tunnel-mode enable
set ip-mode user-group <------------------to use framed-ip from radius attributes (radius is passing the ip statically)
set ip-pools "Pool_Vpn"
next
end


POLICY CONFIGURATION

config firewall policy
edit 1
set name "Vpn to inside"
set uuid 6bc672ce-0fd1-5
set srcintf "ssl.Vpn"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set groups "radius1" "radius2"
next
end

Best answer by Maerre

Hi @maulishshah,

I found I was hitting the Blast-RADIUS bug, and solved it with the following:


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Workaround-for-Blast-RADIUS-mitigation-behavior-in/ta-p/367541


Thank you for the tips

2 replies

Dhruvin_patel
Staff
April 7, 2025

Greetings!


It could be that the VPN authentication fails before the end user completes the DUO MFA push on their mobile or token device. This can result in a 'permission denied' error in FortiClient, followed by a DUO push notification that no longer works.

ref: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-permission-denied-error-while-using/ta-p/338512


Regards!

Maerre (Author)
Explorer III
April 7, 2025

Hello @Dhruvin_patel, @maulishshah,

I'm using RADIUS, not LDAP. I've followed your tips and increased the timer from 5 to 10 ("set remoteauthtimeout 10"), but the login is still failing: once I receive the DUO push notification and accept it, it is correctly authorized in the smartphone app, but I'm given the 455 error.
The debug output follows:


FIREWALL (VPNSLLCONTEXT) # [1757] handle_req-Rcvd auth req 60486181335043 for John Bebal in opt=00201420 prot=9 svc=5
[333] __compose_group_list_from_req-Group 'John Bebal', type 5
[333] __compose_group_list_from_req-Group 'radius1', type 1
[333] __compose_group_list_from_req-Group 'radius2', type 1
[508] create_auth_session-Session created for req id 60486181335043
[357] auth_local-started for John Bebal
[429] auth_local-No conclusion, FNBAM_UNKNOWN
[590] fnbamd_cfg_get_tac_plus_list-
[441] __fnbamd_cfg_get_tac_plus_list_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[629] __fnbamd_cfg_get_ldap_list_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 0
[416] ldap_start-Didn't find ldap servers
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[692] __fnbamd_cfg_get_radius_list_by_user-
[639] __fnbamd_cfg_add_radius_by_user-
[376] verify_local_user_match_and_update-Found a matching user in CMDB 'John Bebal'
[456] fnbamd_rad_get-vfid=5, name='radius1'
[645] __fnbamd_cfg_add_radius_by_user-Loaded RADIUS server 'radius1' for user 'John Bebal' (16777218)
[639] __fnbamd_cfg_add_radius_by_user-
[639] __fnbamd_cfg_add_radius_by_user-
[639] __fnbamd_cfg_add_radius_by_user-
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot MS-CHAPv2
[1107] __auth_ctx_svr_push-Added addr 192.168.1.111:1812 from rad 'radius1'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'radius1': 192.168.1.111:1812.
[1125] __auth_ctx_start-Connection starts radius1:192.168.1.111, addr 192.168.1.111:1812 proto: UDP
[280] __rad_udp_open-Opened radius socket 12, sa_family 2
[945] __rad_conn_start-Socket 12 is created for rad 'radius1'.
[807] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'radius1'
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'radius2'
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1900] handle_req-r=4
[828] __rad_rxtx-fd 12, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[605] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
[588] __create_access_request-Created RADIUS Access-Request. Len: 218.
[1171] fnbamd_socket_update_interface-vfid is 5, intf mode is 0, intf name is , server address is 192.168.1.111:1812, source address is null, protocol number is 17, oif id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'radius1': fd=12, IP=192.168.1.111(192.168.1.111:1812) code=1 id=44 len=218
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 12, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 317 bytes. Buf sz 8192
[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1158] __rad_chk_resp_authenticator-No Message Authenticator
[1212] fnbamd_rad_validate_pkt-Invalid digest
[905] __rad_rxtx-Error validating radius rsp
[1028] __rad_error-Ret 5, st = 1.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot MS-CHAPv2
[1077] __rad_error-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[1286] fnbamd_rad_process-Result from radius svr 'radius1' is 5, req 60486181335043
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 1, State_Len: 0
[2802] fnbamd_rad_result-Error (5) for req 60486181335043
[239] fnbamd_comm_send_result-Sending result 5 (nid 0) for req 60486181335043, len=6688
[600] destroy_auth_session-delete session 60486181335043
[1347] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'radius1' ctx
[1219] fnbamd_rad_auth_ctx_uninit-
[969] __rad_stop-
[964] __rad_conn_stop-Stop rad conn timer.
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing radius1, ref:2
[41] __rad_server_free-Freeing 192.168.1.111, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[902] fnbamd_pop3s_destroy-
[1070] fnbamd_ext_idps_destroy-
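
As an added example (not code from the thread or from Fortinet), the two checks the debug lines above are performing, written in Python: a constructed Access-Accept is validated with and without a Message-Authenticator attribute, giving "no_message_authenticator" where fnbamd logged "No Message Authenticator" and "invalid_digest" where either the HMAC or the Response Authenticator does not match. The shared secret, request authenticator and Framed-IP-Address value are constructed sample values, and "relaxed" mode stands for a client that still accepts responses carrying no Message-Authenticator.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80   # RFC 3579 attribute type; Access-Accept is code 2 (RFC 2865)


def build_response(code, ident, request_auth, secret, attributes, with_msg_auth):
    """Server side: Message-Authenticator = HMAC-MD5 over Code+ID+Len+RequestAuth+Attrs (its own value zeroed); Response Authenticator = MD5(Code+ID+Len+RequestAuth+Attrs+secret)."""
    if with_msg_auth:
        attributes = attributes + [(MESSAGE_AUTHENTICATOR, bytes(16))]  # placeholder, last TLV
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def validate_response(packet, request_auth, secret, require_msg_auth=True):
    """Client side, mirroring fnbamd's checks: 'no_message_authenticator', 'invalid_digest' or 'ok'."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    pos, msg_auth, zeroed = 0, None, bytearray(body)
    while pos + 2 <= len(body):                      # walk the attribute TLVs
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return "malformed"
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            msg_auth = body[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)     # zero it before recomputing the HMAC
        pos += l
    if msg_auth is None and require_msg_auth:
        return "no_message_authenticator"            # the condition the debug above logged
    if msg_auth is not None:
        mac = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(mac, msg_auth):
            return "invalid_digest"
    resp = hashlib.md5(header + request_auth + body + secret).digest()
    return "ok" if hmac.compare_digest(resp, resp_auth) else "invalid_digest"


def demo():
    """Constructed sample: one Access-Accept built with and without Message-Authenticator."""
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))
    attrs = [(8, bytes([10, 10, 10, 5]))]            # Framed-IP-Address 10.10.10.5 (constructed)
    legacy = build_response(2, 44, request_auth, secret, attrs, False)
    modern = build_response(2, 44, request_auth, secret, attrs, True)
    return {"legacy_strict": validate_response(legacy, request_auth, secret),
            "legacy_relaxed": validate_response(legacy, request_auth, secret, False),
            "modern_strict": validate_response(modern, request_auth, secret)}
```

A server that adds Message-Authenticator to every reply passes the strict check, so fixing the RADIUS side is the durable option; relaxing the client only restores the pre-Blast-RADIUS trust in the MD5 Response Authenticator.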


maulishshah
Staff
April 7, 2025

@Maerre, can you please increase the remote auth timeout by following this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-global-set-remoteauthtimeout-user/ta-p/229136

By default, the remote auth timeout is set to 5 seconds, which is possibly the reason the MFA response is not received within the time frame.