SSL-VPN access problem after upgrading to 5.4.1
After upgrading my FG-500D from firmware version 5.2.7 to 5.4.1, the SSL VPN service with FortiClient (4.4.2329) works well except for one user (user_abc) who can't access it. First, the client showed the error 'Server unreachable' and the command "diagnose debug application sslvpn -1" gave the following output:
[10214:root:2]SSL state:before/accept initialization (xx.yy.zz.vv)
[10214:root:2]SSL_accept returned 0.
[10214:root:2]Destroy sconn 0x7f2d9b563800, connSize=0. (root)
[10215:root:2]allocSSLConn:262 sconn 0x7f2d9b563800 (0:root)
[10215:root:2]SSL state:before/accept initialization (xx.yy.zz.vv)
[10215:root:2]SSL state:SSLv2/v3 read client hello A:(null)(xx.yy.zz.vv)
[10215:root:2]SSL_accept failed, 1:unknown protocol
[10215:root:2]Destroy sconn 0x7f2d9b563800, connSize=0. (root)
[10216:root:2]allocSSLConn:262 sconn 0x7f2d9b563800 (0:root)
[10214:root:3]allocSSLConn:262 sconn 0x7f2d9b563800 (0:root)
I solved this first problem by reading this technical note: http://kb.fortinet.com/kb/documentLink.do?externalID=FD38732
Now, after this configuration change, the same user still can't connect because FortiClient gives the error "Permission denied -455" and the SSL VPN debug output is:
[10215:root:57]allocSSLConn:262 sconn 0x7f2d9b563800 (0:root)
[10215:root:57]SSL state:before/accept initialization ()(xx.yy.zz.vv)
[10215:root:57]SSL_accept returned 0.
[10215:root:57]Destroy sconn 0x7f2d9b563800, connSize=1. (root)
[10216:root:52]allocSSLConn:262 sconn 0x7f2d9b563800 (0:root)
[10216:root:52]SSL state:before/accept initialization ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 read client hello A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 write server hello A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 write certificate A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 write server done A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 flush data ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 read client certificate A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 read client key exchange A:system lib()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 read client key exchange A:system lib()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 read client key exchange A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 read certificate verify A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 read finished A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 write change cipher spec A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 write finished A ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSLv3 flush data ()(xx.yy.zz.vv)
[10216:root:52]SSL state:SSL negotiation finished successfully ()(xx.yy.zz.vv)
[10216:root:52]SSL established: TLSv1 DES-CBC3-SHA
[10216:root:52]req: /remote/login
[10216:root:52]rmt_web_auth_info_parser_common:418 no session id in auth info
[10216:root:52]rmt_web_get_access_cache:729 invalid cache, ret=4103
[10216:root:52]req: /remote/logincheck
[10216:root:52]rmt_web_auth_info_parser_common:418 no session id in auth info
[10216:root:52]rmt_web_access_check:667 access failed, uri=[/remote/logincheck],ret=4103,
[10216:root:52]rmt_logincheck_cb_handler:848 user 'user_abc' has a matched local entry.
[10216:root:52]sslvpn_auth_check_usrgroup:1752 forming user/group list from policy.
[10216:root:52]sslvpn_auth_check_usrgroup:1790 got user (3) group (16:0).
[10216:root:52]sslvpn_validate_user_group_list:1423 validating with SSL VPN authentication rules (23), realm ().
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 1 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 2 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 3 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 4 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 5 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 6 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 7 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 8 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 9 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 10 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 11 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 12 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 13 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 14 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 15 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 16 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 17 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 18 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 19 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 20 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 21 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 22 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1471 checking rule 23 cipher.
[10216:root:52]sslvpn_validate_user_group_list:1688 got user (0), group (1:0).
[10216:root:52]two factor check for user_abc: off
[10216:root:52]sslvpn_authenticate_user:168 authenticate user: [user_abc]
[10216:root:52]sslvpn_authenticate_user:175 create fam state
[10216:root:52]fam_auth_send_req:528 with server blacklist:
[10216:root:52]fam_auth_send_req:625 clear local user flag and do authentication again.
[10216:root:52]fam_auth_send_req:528 with server blacklist:
[10216:root:52]fam_auth_send_req:634 task finished with 5
[10216:root:52]login_failed:253 user[user_abc],auth_type=0 failed [sslvpn_login_unknown_user]
[10216:root:0]dump_one_blocklist:82 status=1;host=xx.yy.zz.vv;fails=1;logintime=1474294505
[10216:root:52]rmt_web_auth_info_parser_common:418 no session id in auth info
[10216:root:52]rmt_web_get_access_cache:729 invalid cache, ret=4103
[10216:root:52]Timeout for connection 0x7f2d9b563800.
Note that access to the SSL VPN for 'user_abc' via the HTTPS web portal works fine!
How can I solve this problem?
Thanks!
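An added triage helper (my own example, not code from the post or from Fortinet) that reduces a "diagnose debug application sslvpn -1" transcript like the one above to the fields that decide the login: negotiated cipher, local user match, user/group counts from the policy versus after rule validation, the fam result, the failure reason and the blocklist entry. The field names and the failing_stage heuristic are this example's own assumptions; the sample transcript is a trimmed copy of the lines quoted in the post.

```python
import re

# Constructed sample: the decisive lines from the post's second transcript (BBCode stripped,
# client address masked as xx.yy.zz.vv as in the post).
SAMPLE = """\
[10216:root:52]SSL established: TLSv1 DES-CBC3-SHA
[10216:root:52]rmt_logincheck_cb_handler:848 user 'user_abc' has a matched local entry.
[10216:root:52]sslvpn_auth_check_usrgroup:1790 got user (3) group (16:0).
[10216:root:52]sslvpn_validate_user_group_list:1423 validating with SSL VPN authentication rules (23), realm ().
[10216:root:52]sslvpn_validate_user_group_list:1688 got user (0), group (1:0).
[10216:root:52]two factor check for user_abc: off
[10216:root:52]fam_auth_send_req:634 task finished with 5
[10216:root:52]login_failed:253 user[user_abc],auth_type=0 failed [sslvpn_login_unknown_user]
[10216:root:0]dump_one_blocklist:82 status=1;host=xx.yy.zz.vv;fails=1;logintime=1474294505
"""

# Regex -> summary field names (the names are this example's own, not FortiOS terms).
PATTERNS = [
    (r"SSL established: (\S+) (\S+)", ("tls_version", "cipher")),
    (r"SSL_accept failed, \d+:([^\[]+)", ("handshake_error",)),
    (r"user '([^']+)' has a matched local entry", ("local_user",)),
    (r"auth_check_usrgroup:\d+ got user \((\d+)\) group \((\d+):\d+\)", ("policy_users", "policy_groups")),
    (r"authentication rules \((\d+)\), realm \(([^)]*)\)", ("rule_count", "realm")),
    (r"validate_user_group_list:\d+ got user \((\d+)\), group \((\d+):\d+\)", ("matched_users", "matched_groups")),
    (r"two factor check for \S+: (\w+)", ("two_factor",)),
    (r"fam_auth_send_req:\d+ task finished with (\d+)", ("fam_result",)),
    (r"login_failed:\d+ user\[([^\]]+)\],auth_type=(\d+) failed \[(\w+)\]", ("failed_user", "auth_type", "fail_reason")),
    (r"dump_one_blocklist:\d+ (.+)", ("blocklist",)),
]

def parse_sslvpn_debug(text):
    """Reduce an sslvpn debug transcript to the fields that decide the login outcome."""
    s = {}
    for line in text.splitlines():
        for pattern, fields in PATTERNS:
            m = re.search(pattern, line.strip())
            if m:  # later lines overwrite earlier ones; numeric captures become ints
                s.update((f, int(v) if v.isdigit() else v.strip()) for f, v in zip(fields, m.groups()))
    if "blocklist" in s:  # "status=1;host=...;fails=1;logintime=..." -> dict of strings
        s["blocklist"] = dict(kv.split("=", 1) for kv in s["blocklist"].split(";"))
    return s

def failing_stage(s):
    """Name the stage at which the transcript shows the login failing (heuristic)."""
    if "handshake_error" in s:
        return "tls_handshake"
    if "fail_reason" in s:
        return "authentication"
    return "ok"
```

For the post's transcript this yields a TLS session that completed, a local match for user_abc, 3 users / 16 groups collected from policy but 0 users / 1 group left after validating the 23 authentication rules, then a fam result of 5 and the reason sslvpn_login_unknown_user, which narrows the question to the user/group-to-portal mapping rather than the TLS fix already applied.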
