FortiClient
js2
Staff
Article Id 193817

Description

 

This article describes a scenario in which an SSL VPN MAC-address-based host check was configured.

Even though the client's MAC address was allowed by the host-check rule, the FortiClient VPN connection gets stuck at 80%.

Solution


Error obtained:

 

Unable to establish the VPN Connection. The VPN Server maybe Unavailable (-14)

 

Debug observed:

 

[229:root:38a]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[229:root:38a]req: /remote/logincheck
[229:root:38a]rmt_web_auth_info_parser_common:470 no session id in auth info
[229:root:38a]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]rmt_logincheck_cb_handler:1189 user 'test' has a matched local entry.
[229:root:38a]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[229:root:38a]sslvpn_authenticate_user:191 authenticate user: [test]
[229:root:38a]sslvpn_authenticate_user:198 create fam state
local auth is done with user 'test', ret=0
[229:root:38a]fam_auth_send_req_internal:461 fnbam_auth return: 0
[229:root:38a]fam_auth_send_req_internal:470 authentication OK
[229:root:38a]fam_do_cb:654 fnbamd return auth success.
[229:root:38a]SSL VPN login matched rule (1).
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]rmt_web_session_create:781 create web session, idx[3]
[229:root:38a]login_succeeded:523 redirect to hostcheck      <- Redirection to host check happens and the session gets disconnected.
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]deconstruct_session_id:426 decode session id ok, user=[test],group=[Developers],authserver=[],portal=[full-access],host=[117.194.164.191],realm=[],idx=3,auth=1,sid=192c3652,login=1617175942,access=1617175942,saml_logout_url=no
[230:root:389]sslvpn_read_request_common,648, ret=-1 error=-1, sconn=0x33a6d280.
[230:root:389]Destroy sconn 0x33a6d280, connSize=2. (root)

 

Solution:

Downgrading to FortiClient 6.0 made it possible to connect to the VPN successfully.
The root cause was a FortiClient licensing issue: the client in use was an edition that does not support host check, so the session was dropped right after the redirect to the host check.

SSL VPN MAC host check does not work as expected with the following types of FortiClient:

  1. The free version of FortiClient 6.2 (Windows, macOS, Linux) does not support any type of host check.
     Use a lower version as a workaround.

  2. Mobile FortiClients (all versions of Android and iOS).

 

If FortiClient disconnects at 70-80% without showing any error, follow the steps in this article.
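As an added triage example (my own code, not Fortinet's and not part of the original article): a small Python script that reads an SSL VPN debug trace like the one above, extracts who logged in and through which portal, and flags the sequence this article describes: authentication succeeds, the login matches a rule, login_succeeded redirects the client to the host check, and the server then logs a read error and Destroy sconn with no host-check result ever appearing. The sample input is the article's own trace, trimmed; the regular expressions assume only the [pid:vdom:conn] prefix and the key=[value] layout visible in those lines, and the verdict strings are mine.

```python
"""Triage a FortiOS SSL VPN debug trace ("diagnose debug application sslvpn")
for the host-check disconnect pattern this article describes.

Added example, not Fortinet code. It only understands the line shapes that
appear in the article's trace; any other line is read but ignored."""
import re

# Constructed sample input: the debug output quoted in this article, trimmed
# to the lines the triage needs.
SAMPLE_DEBUG = """\
[229:root:38a]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[229:root:38a]req: /remote/logincheck
[229:root:38a]rmt_web_auth_info_parser_common:470 no session id in auth info
[229:root:38a]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]rmt_logincheck_cb_handler:1189 user 'test' has a matched local entry.
local auth is done with user 'test', ret=0
[229:root:38a]fam_auth_send_req_internal:470 authentication OK
[229:root:38a]fam_do_cb:654 fnbamd return auth success.
[229:root:38a]SSL VPN login matched rule (1).
[229:root:38a]rmt_web_session_create:781 create web session, idx[3]
[229:root:38a]login_succeeded:523 redirect to hostcheck
[229:root:38a]deconstruct_session_id:426 decode session id ok, user=[test],group=[Developers],authserver=[],portal=[full-access],host=[117.194.164.191],realm=[],idx=3,auth=1,sid=192c3652,login=1617175942,access=1617175942,saml_logout_url=no
[230:root:389]sslvpn_read_request_common,648, ret=-1 error=-1, sconn=0x33a6d280.
[230:root:389]Destroy sconn 0x33a6d280, connSize=2. (root)
"""

# [pid:vdom:conn_id]message  (the fnbamd "local auth is done" line has no prefix)
PREFIX_RE = re.compile(r"^\[(\d+):([^:\]]+):([0-9a-fA-F]+)\](.*)$")
RULE_RE = re.compile(r"login matched rule \((\d+)\)")
# key=[value] or key=value, as emitted by deconstruct_session_id
KV_RE = re.compile(r"(\w+)=(?:\[([^\]]*)\]|([^,\s]+))")
# What the server logs when the client side goes away after the redirect.
TEARDOWN_MARKERS = ("ret=-1 error=-1", "Destroy sconn")


def split_prefix(line):
    """Return (pid, vdom, conn_id, message), or None if the line has no prefix."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    pid, vdom, conn, msg = m.groups()
    return int(pid), vdom, conn, msg.strip()


def parse_session_fields(msg):
    """Turn the key/value tail of a deconstruct_session_id line into a dict.
    Bracketed values ([test]) and bare values (idx=3) are both accepted;
    an empty bracket pair ([]) becomes an empty string."""
    return {k: (boxed if boxed else bare) for k, boxed, bare in KV_RE.findall(msg)}


def verdict(r):
    """Map the collected flags to the next thing to check."""
    if not r["auth_ok"]:
        return "authentication never succeeded: look at the fnbamd/auth lines first"
    if r["redirected_to_hostcheck"] and r["teardown_after_redirect"]:
        return ("login OK, redirected to host check, then the connection was torn down: "
                "check that this FortiClient edition/version supports host check")
    if r["redirected_to_hostcheck"]:
        return "login OK and host check reached; trace ends before any teardown"
    return "login OK, no host-check redirect seen: host check is not what stopped this login"


def analyze(debug_text):
    """Walk the trace in order and report how far the login got.

    Note that 'access failed ... ret=4103' appears before authentication in the
    article's trace (no session id yet on /remote/logincheck) and is followed by a
    successful login, so it is deliberately not treated as the failure here."""
    r = {"user": None, "group": None, "portal": None, "client_ip": None,
         "auth_ok": False, "matched_rule": None,
         "redirected_to_hostcheck": False, "teardown_after_redirect": False}
    for raw in debug_text.splitlines():
        parsed = split_prefix(raw)
        msg = parsed[3] if parsed else raw.strip()
        if "fnbamd return auth success" in msg or msg.endswith("authentication OK"):
            r["auth_ok"] = True
        rule = RULE_RE.search(msg)
        if rule:
            r["matched_rule"] = rule.group(1)
        if msg.startswith("deconstruct_session_id"):
            f = parse_session_fields(msg)
            r.update(user=f.get("user"), group=f.get("group"),
                     portal=f.get("portal"), client_ip=f.get("host"))
        if "redirect to hostcheck" in msg:
            r["redirected_to_hostcheck"] = True
        elif r["redirected_to_hostcheck"] and any(t in msg for t in TEARDOWN_MARKERS):
            # Teardown seen after the redirect and before any host-check result.
            r["teardown_after_redirect"] = True
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DEBUG).items():
        print(f"{key:>24}: {value}")
```

Run it against a full trace captured with the article's debug enabled; if the verdict is the host-check teardown, compare the client edition and version against the list above before touching the MAC rule itself.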

 

Related article:

Technical Tip: SSL VPN MAC host check does not work