Description | This article describes how to resolve the SSL VPN connection error when the credentials and the SSL VPN setup are correct when FortiGate is in FIPS mode. |
Scope | FortiGate. |
Solution |
The SSL VPN may not function as intended in some situations. Additionally, the debug logs would not provide an error indicating that the ssl.root interface is down when the FortiGate is in FIPS mode.
To know more, SSL VPN and FNBAMD debugs can be taken:
If the following error is found on the debugs:
[652:root:198]rmt_web_auth_info_parser_common:492 no session id in auth info [652:root:198]rmt_web_get_access_cache:841 invalid cache, ret=4103 [652:root:198]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) [652:root:198]get_cust_page:128 saml_info 0 [652:root:198]req: /remote/logincheck [652:root:198]rmt_web_auth_info_parser_common:492 no session id in auth info [652:root:198]rmt_web_access_check:760 access failed, uri=[/remote/logincheck],ret=4103, [652:root:198]sslConnGotoNextState:309 error (last state: 1, closeOp: 0) [652:root:198]Destroy sconn 0x7f6cc6557a00, connSize=0. (root)
In the sniffer, it can be seen that the SYN packets are coming in but no syn-acks are going back:
diagnose sniffer packet any ' port 4443' 4 0 l 2024-11-27 12:25:51.496920 port3 in 192.168.10.2.61280 -> 10.9.11.17.4443: syn 1746941216 2024-11-27 12:25:51.497041 port3 in 192.168.10.2.61281 -> 10.9.11.17.4443: syn 1344227776 2024-11-27 12:25:51.746579 port3 in 192.168.10.2.61282 -> 10.9.11.17.4443: syn 3427715850
Similarly, on the flow debugs, it can be seen that syn packets are coming in and then getting dropped:
2024-11-27 12:27:03 id=65308 trace_id=1 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.168.10.2:6
If the above debug and sniffer outputs match, verify if the ssl.root interface is up or not as this would indicate that it is down. After, set the ssl.root interface up again using the following CLI commands:
config system interface edit ssl.root set status up <- Set the status to enable. end
Once done then now the users can connect to SSL VPN. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.