Skip to main content
grizbi
grizbi
New Member
February 9, 2025
Question

SSL_accept failed, 1:unexpected eof while reading

  • February 9, 2025
  • 4 replies
  • 10345 views

Hi,

Quite new on Fortinet config
I'm stuck with this error for a couple of days now on a very simple setup using FortiGate-40F v7.2.8

 

Using FortiClient on ubuntu 22.04 and windows 10 - now far away from the device, I try to set it up using ssh 


diagnose debug application sslvpn -1 shows
SSL_accept failed, 1:unexpected eof while reading

 

/**************    Hereafter  - config vpn ssl settings      *************/
set status enable
set reqclientcert disable
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
unset banned-cipher
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set ssl-insert-empty-fragment enable
set https-redirect disable
set x-content-type-options enable
set ssl-client-renegotiation disable
set force-two-factor-auth disable
set servercert "Fortinet_Factory"
set algorithm high
set idle-timeout 300
set auth-timeout 28800
set login-attempt-limit 2
set login-block-time 60
set login-timeout 60
set dtls-hello-timeout 30
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-suffix ''
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-wins-server1 ::
set ipv6-wins-server2 ::
set url-obscuration disable
set http-compression disable
set http-only-cookie enable
set port 10443
set port-precedence enable
set auto-tunnel-static-route enable
set header-x-forwarded-for add
set source-interface "wan"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set default-portal "full-access"
config authentication-rule
edit 1
set groups "SSLVPN_USERS"
set portal "full-access"
set realm ''
set client-cert disable
set cipher high
set auth any
next
end
set browser-language-detection enable
set dtls-tunnel enable
set check-referer disable
set http-request-header-timeout 20
set http-request-body-timeout 30
set auth-session-check-source-ip enable
set tunnel-connect-without-reauth disable
set hsts-include-subdomains disable
set transform-backward-slashes disable
set encode-2f-sequence disable
set encrypt-and-store-password disable
set client-sigalgs all
set dual-stack-mode disable
set tunnel-addr-assigned-method first-available
set saml-redirect-port 8020
set ztna-trusted-client disable
set server-hostname ''
set dtls-max-proto-ver dtls1-2
set dtls-min-proto-ver dtls1-0
end

Please advise if there is any know issue

 

4 replies

AEK
SuperUser
AEK
SuperUser
February 9, 2025

Hi Grizbi

  • Which FCT version are you using?
  • Do you have the same behavior on Windows and on Ubuntu?
  • The management port (HTTPS) of your FGT is other than 10443, right?

BTW you should update your FOS to 7.2.10. It has nothing to do with your issue but with multiple known vulnerabilities.

AEK
    grizbi
    grizbiAuthor
    New Member
    February 9, 2025

    FCT 7.2.8 on Ubuntu & Windows
    same log message yes
    update your FOS to 7.2.10  -> I can't take any risk of losing access to my fortinet firewall gateway  as I'm currently 4000 miles away from it... I only have access to CLI command through ssh (may be a can had routing rules to access 192.168.1.99:443 with ssh tunnel)

    dingjerry_FTNT
    Staff
    dingjerry_FTNT
    Staff
    February 9, 2025

    Hi @grizbi ,

     

    diagnose debug application sslvpn -1 shows
    SSL_accept failed, 1:unexpected eof while reading

     

    This is not enough.  Please provide all the outputs.

      grizbi
      grizbiAuthor
      New Member
      February 9, 2025

      2025-02-09 14:28:51 [221:root:4]allocSSLConn:310 sconn 0x7fa4e55800 (0:root)
      2025-02-09 14:28:51 [221:root:4]SSL state:before SSL initialization (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:before SSL initialization (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]got SNI server name: yy.yy.yy.yy realm (null)
      2025-02-09 14:28:51 [221:root:4]client cert requirement: no
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write change cipher spec (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data:(null)(xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]got SNI server name: yy.yy.yy.yy realm (null)
      2025-02-09 14:28:51 [221:root:4]client cert requirement: no
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write encrypted extensions (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write certificate (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write server certificate verify (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write finished (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data:(null)(xx.xx.xx.xx)
      2025-02-09 14:29:06 [221:root:4]SSL state:fatal decode error (xx.xx.xx.xx)
      2025-02-09 14:29:06 [221:root:4]SSL state:error:(null)(xx.xx.xx.xx)
      2025-02-09 14:29:06 [221:root:4]SSL_accept failed, 1:unexpected eof while reading
      2025-02-09 14:29:06 [221:root:4]Destroy sconn 0x7fa4e55800, connSize=0. (root)

      grizbi
      grizbiAuthor
      New Member
      February 9, 2025

      2025-02-09 14:28:51 [221:root:4]allocSSLConn:310 sconn 0x7fa4e55800 (0:root)
      2025-02-09 14:28:51 [221:root:4]SSL state:before SSL initialization (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:before SSL initialization (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]got SNI server name: yy.yy.yy.yy realm (null)
      2025-02-09 14:28:51 [221:root:4]client cert requirement: no
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write change cipher spec (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data:(null)(xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]got SNI server name: yy.yy.yy.yy realm (null)
      2025-02-09 14:28:51 [221:root:4]client cert requirement: no
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write encrypted extensions (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write certificate (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write server certificate verify (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write finished (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
      2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data:(null)(xx.xx.xx.xx)
      2025-02-09 14:29:06 [221:root:4]SSL state:fatal decode error (xx.xx.xx.xx)
      2025-02-09 14:29:06 [221:root:4]SSL state:error:(null)(xx.xx.xx.xx)
      2025-02-09 14:29:06 [221:root:4]SSL_accept failed, 1:unexpected eof while reading
      2025-02-09 14:29:06 [221:root:4]Destroy sconn 0x7fa4e55800, connSize=0. (root)

      grizbi
      grizbiAuthor
      New Member
      February 11, 2025

      Do you think my problem comes from this? I have two FortiGates: one belongs to my ISP and is connected to the WAN with a public IP, the other is mine and has its WAN connected to the LAN1 port of the first one. 100% of the traffic from the first FortiGate is routed to the second one, but maybe the SNI is not correct, which could be why the certificate verification is failing?

      AEK
      SuperUser
      AEK
      SuperUser
      February 11, 2025

      So if I understand well, the there is another FGT (FGT-A) between your client and the target FGT (FGT-B) to which you try connect with SSL-VPN, right? And you are using a VIP on FGT-A to map the external IP:port to the internal IP:port, right?

      In that case, do you use any SSL inspection profile or security profile in the firewall rule that allows SSL-VPN traffic to pass trough FGT-A?

      AEK
      grizbi
      grizbiAuthor
      New Member
      February 11, 2025

      I have no access to FGT-A as it is fully managed by the ISP (UAE zone)

      grizbi
      grizbiAuthor
      New Member
      February 12, 2025

      I had an issue with the IP range associated with ssl.root 
      now VPN works fine with windows client but still fails when running on Ubuntu 22.04  

      dingjerry_FTNT
      Staff
      dingjerry_FTNT
      Staff
      February 12, 2025

      Hi @grizbi ,

       

      Could you please contact the FGT admin to confirm whether there is "Host Check" or "Restrict to Specific OS Versions" configured in the SSL VPN Portal settings?

      Terms & ConditionsAccessibility statement