FortiMax_it
Explorer III
November 4, 2022
Solved

Problem VPN SSL WEB after upgrade to 7.0.8

  • November 4, 2022
  • 10 replies
  • 18537 views

Hi,
after updating a Fortigate 60E from version 7.0.7 to version 7.0.8 the RDP via SSL WEB VPN no longer works with any PC, the error "Connection closed!" always appears. If I perform a NAT of the port 3389 from the WAN to the LAN I enter the PC correctly.
I have changed all the possible parameters but I cannot log in, whether I enter my credentials in the bookmark or enter them by hand.
I have already tried to follow this KB but nothing, error: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-take-RDP-of-machines-via-SSL-VPN-web/ta-p/192454

Has anyone had the same problem?


10 replies

Anthony_E
Staff
November 7, 2022

Hello Max,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Best Regards
Anthony_E
Staff
November 10, 2022

Hello Max,

 

We are still looking for an answer to your question.

We will come back to you as soon as we get one.

 

Regards,

Best Regards
Anthony_E
Staff
November 11, 2022

Hello Max,

 

I have found this document:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/4c952186-4436-11ed-9d74-fa163e15d75b/fortios-v7.0.8-release-notes.pdf

 

Inside you could find some interesting information.

 

Could you please tell me if it helps?

 

Regards,

Best Regards
useribs
New Member
December 14, 2022

Could you solve it?

FortiMax_it
Explorer III
December 15, 2022

Hi folks, the problem is not solved yet. I opened a ticket with Fortinet but after two weeks still nothing. We have done hundreds of tests, modified the configuration of the FortiGate and also of the RDP machines but, for almost all RDP servers, the error "Connection closed!" is received, even trying the latest firmware.
The only solution was to downgrade to firmware 7.0.7: all problems disappeared, RDP worked again. Fortinet is investigating.

useribs
New Member
December 15, 2022

Hi

We have a similar problem: after updating a Fortigate 2201E from version 7.0.7 to version 7.0.9 the RDP via SSL WEB VPN no longer works with any PC, the error "Connection closed"

The problem is that we can't downgrade, the firmware 7.0.7 has security issues

 

thanks very much

jnielsen
Staff
December 15, 2022

I am not sure if it would help, but could you try the following setting:

config vpn ssl settings
  set encrypt-and-store-password enable
end

FortiMax_it
Explorer III
December 21, 2022

Hi, I don't know if we can try the command you gave us. Tomorrow we will go back to the customer because he had two Fortigate 60E in HA, we split them and we downgraded the one in use. Theoretically tomorrow we will reconnect the Fortigate with the latest firmware that had been excluded and put it back in HA with 7.0.7.
If the customer allows us (he has been unserved with WEB SSL VPNs for weeks) let's try to put the updated Fortigate to work with the "set encrypt-and-store-password enable" command.

jbro
New Member
December 21, 2022

We're having basically the same exact issue except 6.4.10/11. 

Everything works perfectly fine under 6.4.9, but upgrading to either .10 or .11 will break the SSL VPN Web connection to our Terminal Services gateway server.

 

Login to the base URL, provide OTP token, choose bookmark (or manual quicklaunch), authenticate and then instantaneous "Connection Closed" error message. Downgrading to 6.4.9 fixes the issue, but you can't downgrade anymore due to the security concerns. We opened up a ticket with both Fortinet and MSFT, and MSFT, after spending many hours with us, said it's definitely a Fortinet related issue. Fortinet seems to be aware of the issue and it will be fixed in .12 but there's no ETA.

 

What's weird is that other RDP sessions to non-Terminal Server Gateways in that subnet work fine. Didn't see anything in the debug on the Fortinet and we're about to start doing packet sniffing on the RDP gateway's subnet.

 

If anyone comes up with a solution, please post it here because right now our remote users are dead in the water.

Phoenix_Woody
New Member
July 18, 2023

jbro - did you ever find a solution?  We upgraded to 7.0.12 and are having the same issue.

FortiMax_it
Explorer III
December 22, 2022

@jbro @jnielsen @useribs problem resolved by Fortinet.

To resolve insert this string in the VPN: "set load-balancing-info NULL"


I hope it is set by default in new firmware.
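
Added example (not part of the original post and not Fortinet's own configuration): where the quoted setting sits in the FortiOS CLI, assuming it is applied on an RDP bookmark of the SSL-VPN web portal, which is where FortiOS 7.0 exposes load-balancing-info. The portal, bookmark-group and bookmark names and the host address are placeholders.

```fortios
# Lines starting with '#' are annotations for the reader; do not paste them.
# "full-access", "rdp-servers", "ts-gateway" and 192.0.2.10 are placeholder values.
config vpn ssl web portal
    edit "full-access"
        config bookmark-group
            edit "rdp-servers"
                config bookmarks
                    edit "ts-gateway"
                        set apptype rdp
                        set host "192.0.2.10"
                        set port 3389
                        # The setting quoted in the post above:
                        set load-balancing-info NULL
                    next
                end
            next
        end
    next
end
```

Running `show vpn ssl web portal full-access` afterwards confirms whether the value was stored on the bookmark. Later replies in this thread report that the setting did not resolve the error in every environment.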

jbro
New Member
December 22, 2022

FortiMax - 

 

Thank you so much for your reply. 

 

Unfortunately, no joy for us using that fix. Appreciate the reply though as we are out of ideas here. Packet sniffing our RDP gateway server and we don't see any traffic trying to traverse from the Fortinet so it does seem like it's just instaclosing the connection on that end. Packet sniffs of other servers in that same subnet show normal traffic traversing and doing a config compare between firmware upgrades shows nothing of note changed. 

 

Will continue to update if we figure this out. Thanks for all your help.

 


jbro
New Member
December 22, 2022

So - an update - believe it or not this did actually help us ... but in a weird workaround kind of way.

 

First, the load-balancing-info change did make a difference. However, it doesn't resolve the issue, but for whatever reason, if you pass blank or incorrect credentials on the /sslvpn/frdsviewer.html page you can get to the credentials page of our RDP Gateway server which will allow users to at least work for now.

 

Such a strange, strange problem.

 


Fikusir
Explorer
December 22, 2022

I have the same issue and "set load-balancing-info NULL" doesn't help!

Phoenix_Woody
New Member
July 18, 2023

Hey there FortiMax_it - did you ever get a solution?  I am having the same issue on 7.0.12.

kt000791
New Member
September 6, 2023

We're having the same issue after upgrading to 7.0.12.  I have a ticket open with support.  We'll see......

 

saicor
New Member
December 13, 2023

Hello, has support provided the solution?

 

Thanks.