Solution
If a FortiMobile Token is used, the error manifests after entering a FortiMobile token code at 45%.
The issue occurs when a local user is also a member of a User Group and both the user and the group are referenced in the Firewall Policy. This causes the SSL VPN login to match the wrong Portal.

To confirm, collect the following debug output:

diag debug application sslvpn -1
diag debug application ftm-push -1
diag debug enable
[234:root:1be812]rmt_web_access_check:804 access failed, uri=[/remote/logincheck],ret=4103,
[234:root:1be812]encoding method 1
[234:root:1be812]fsv_logincheck_common_handler:1407 user 'testuser' has a matched local entry. <- Issue where the user matches as a local user.
[234:root:1be812]got checking id 1-1138e892
[234:root:0]fsv_logincheck_common_handler:1538 token_type = 1, time_out = 80
[234:root:1be812]fsv_logincheck_common_handler:1611 update state in usr_chg db to 4, reqid 888625530, pid 0.
[234:root:1be812]two factor check for testuser: off
[234:root:1be812]sslvpn_authenticate_user:203 authenticate user: [testuser]
[234:root:1be812]sslvpn_authenticate_user:221 create fam state
[234:root:1be812]user 'testuser' uses 2FA: ctx->peer_two_factor = 0, ctx->peer_name.peername = 0, ctx->is_two_factor = 1
[234:root:0]famStateInit:2244 ctx->token_type = 1, timeout = 60
[234:root:1be812]fam_auth_send_req:894 found node testuser:0:, valid:1
[234:root:1be812][fam_auth_send_req_internal:432] Groups sent to FNBAM:
[234:root:1be812]group_desc[0].grpname = testuser
[234:root:1be812]group_desc[1].grpname = VPN Group <--- User found in the group which is used in SSL VPN settings.
[234:root:1be812][fam_auth_send_req_internal:444] FNBAM opt = 0X201420
[234:root:1be812]fam_auth_send_req_internal:512 fnbam_auth_token return: 4
[234:root:1be812]fam_auth_proc_resp:1368 fnbam_auth_update_result return: 0 (success)
[234:root:1be812]fam_auth_proc_resp:1394 Receive Manually input token result. Push: 0 <-- The token is received successfully.
[234:root:1be812][fam_auth_proc_resp:1508] Authenticated groups (2) by FNBAM with auth_type (1):
[234:root:1be812]Received: auth_rsp_data.grp_list[0] = 16777218
[234:root:1be812]Received: auth_rsp_data.grp_list[1] = 3
[234:root:1be812]fam_auth_proc_resp:1533 found node VPN Group:0:, valid:1, auth:0
[234:root:1be812]Validated: auth_rsp_data.grp_list[1] = VPN Group
[234:root:1be812]Auth successful for user testuser
[234:root:1be812]fam_do_cb:752 fnbamd return auth success.
[234:root:1be812]SSL VPN login matched rule (0). <- User found no rules.
[234:root:1be812]got public IP address: 216.158.17.1
[234:root:1be812]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[234:root:0]get tunnel link address4
[234:root:1be812]rmt_web_session_create:1043 create web session, idx[1]
[234:root:1be812]login_succeeded:623 redirect to hostcheck
[234:root:1be812]Transfer-Encoding n/a
[234:root:1be812]Content-Length 205
[234:root:1be812]rmt_hcinstall_cb_handler:211 enter
[234:root:1be812]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[234:root:1be812]rmt_hcinstall_cb_handler:293 hostchk needed : 0.
[234:root:1be812]deconstruct_session_id:505 decode session id ok, user=[testuser], group=[],authserver=[testuser],portal=[OtherUsers],host[216.158.17.1],realm=[],csrf_token=[E3A8C0893B5C80359AE366DEF258F63],idx=1,auth=1,sid=f127e30,login=1731335001,access=1731335001,saml_logout_url=no,pip=216.158.17.1,grp_info=[4GWIOR],rmt_grp_info=[]
The user is placed on the OtherUsers Portal and does not get Full access, because the Firewall Policy is not matched as intended.

The cause is a local user that is a member of the User Group but is also referenced directly as a local user in the Firewall Policy:

However, the SSL VPN settings reference the User Group VPN USER, not the local user testuser.

Remove testuser from the Firewall Policy and reference only the User Group (VPN USER), which is the group used in the SSL VPN settings. The login should then match the correct Portal:
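The following FortiOS CLI fragment is an added illustration of the change described above and is not part of the original article. The interface names (ssl.root, port2), the policy and rule IDs, and the portal name full-access are assumptions; the group name VPN USER and the portal name OtherUsers come from the article. Lines starting with # are explanatory comments.

```text
# Before: the local user is listed in the policy next to its group.
# The SSL VPN authentication rule only knows the group, so the login
# falls through to the default portal (OtherUsers).
config vpn ssl settings
    set default-portal "OtherUsers"
    config authentication-rule
        edit 1
            set groups "VPN USER"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "testuser"
        set groups "VPN USER"
    next
end

# After: reference only the group that the authentication rule maps
# to the intended portal; drop the direct user reference.
config firewall policy
    edit 10
        unset users
        set groups "VPN USER"
    next
end
```

After applying the change, re-run the debug commands above: the deconstruct_session_id line should report the intended portal in portal=[...] instead of OtherUsers.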
If FortiClient instead drops at 70-80% with the error 'Unable to establish the VPN Connection. The VPN Server maybe Unavailable (-14)', see the following article: Technical Tip: FortiClient SSL VPN gets stuck at 80%.