FortiGate
Jaye17
Staff
Article Id 399562
Description This article describes a case where a '403 Forbidden' error is seen in a web browser when a user attempts to access SSL VPN using a configured realm, even though web mode has already been confirmed to be enabled globally.
Scope FortiGate.
Solution

To check whether web mode is enabled or disabled globally, refer to this KB article: Technical Tip: SSL VPN web mode showing '403 Forbidden' error.

 

Configured SSL VPN Realm:

07.03-1.png

 

The user attempts to connect using a browser, and the error below is seen:

'Forbidden

You are not allowed to access /TestREalm on this server.

Additionally, a 400 Bad Request error was encountered.'

 

07.03-2.png

 

 

SSL VPN Debug Error:

 [6169:root:c368]allocSSLConn:310 sconn 0x7fa81be2e000 (0:root)
 [6169:root:c368]SSL state:before SSL initialization (10.38.8.20)
 [6169:root:c368]SSL state:before SSL initialization (10.38.8.20)
 [6169:root:c368]got SNI server name: test1.domain.com realm (null)
 [6169:root:c368]client cert requirement: yes
 [6169:root:c368]SSL state:SSLv3/TLS read client hello (10.38.8.20)
 [6169:root:c368]SSL state:SSLv3/TLS write server hello (10.38.8.20)
 [6169:root:c368]SSL state:SSLv3/TLS write change cipher spec (10.38.8.20)
 [6169:root:c368]SSL state:TLSv1.3 early data (10.38.8.20)
 [6169:root:c368]SSL state:TLSv1.3 early data:(null)(10.38.8.20)
 [6169:root:c368]SSL state:TLSv1.3 early data (10.38.8.20)
 [6169:root:c368]req: /TestREalm
 [6169:root:c368]Transfer-Encoding n/a
 [6169:root:c368]Content-Length n/a
 [6169:root:c368]def: (nil) /TestREalm
 [6180:root:c300]Timeout for connection 0x7fa81be2c000.
 [6180:root:c300]Destroy sconn 0x7fa81be2c000, connSize=4. (root)
 [6180:root:c300]SSL state:warning close notify (10.38.8.20)

 

The SSL VPN realm name is case-sensitive. In the debug output above, the request is for /TestREalm, which does not match the case of the configured realm, so access to the configured resources is forbidden.

 

 

After using the correct case for the SSL VPN realm, the login page will appear.

 

07.03-3.png
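
The check above can be run over captured SSL VPN debug output to spot requests that differ from a configured realm only by letter case. This Python script is an added example, not part of the original article or any Fortinet tooling; the realm name TestRealm, the sample log lines and the function name are constructed for illustration, and the script assumes the debug line format shown above.

```python
import re

# Constructed sample in the format of the SSL VPN debug output shown above.
SAMPLE_DEBUG = """\
 [6169:root:c368]got SNI server name: test1.domain.com realm (null)
 [6169:root:c368]SSL state:SSLv3/TLS read client hello (10.38.8.20)
 [6169:root:c368]req: /TestREalm
 [6169:root:c368]def: (nil) /TestREalm
 [6170:root:c36a]SSL state:SSLv3/TLS read client hello (10.38.8.21)
 [6170:root:c36a]req: /TestRealm
 [6171:root:c36b]req: /remote/login
"""

# Assumption: the realm as configured on the FortiGate (not visible on the page).
CONFIGURED_REALMS = ["TestRealm"]

# "[pid:vdom:conn]message" prefix used by each debug line.
LINE_RE = re.compile(r"^\s*\[(\d+):([^:\]]+):([0-9a-f]+)\](.*)$")
# Client address printed in parentheses at the end of "SSL state" lines.
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s*$")

def find_realm_case_mismatches(debug_text, configured_realms):
    """Report requests whose first path segment equals a configured realm
    only when letter case is ignored."""
    by_lower = {}
    for realm in configured_realms:
        by_lower.setdefault(realm.lower(), set()).add(realm)
    client_ip, findings = {}, []
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn, body = m.group(1, 2, 3), m.group(4).strip()
        ip = IP_RE.search(body)
        if ip:
            client_ip[conn] = ip.group(1)  # remember the client for this connection
        if body.startswith("req: /"):
            segment = body[len("req: /"):].split("?", 1)[0].split("/", 1)[0]
            candidates = by_lower.get(segment.lower(), set())
            if candidates and segment not in candidates:
                findings.append({"conn": ":".join(conn),
                                 "client": client_ip.get(conn),
                                 "requested": segment,
                                 "configured": sorted(candidates)})
    return findings

if __name__ == "__main__":
    for f in find_realm_case_mismatches(SAMPLE_DEBUG, CONFIGURED_REALMS):
        print(f"{f['client']} requested /{f['requested']}, configured realm: {f['configured']}")
```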
