FortiGate
kiri (Staff)
Article Id 207192
Description

This article describes how randomly failing SSL VPN authentication with FortiToken push can be fixed.


This information is useful for users who have multiple public IP addresses (load balancing, multiple uplinks), sit behind ISPs that frequently change their public IP, connect through proxies, or whose connections are load balanced per session (mobile networks).


In those situations, the several connections a client makes to the firewall while setting up one SSL VPN session may arrive from different source IP addresses.


The push response then reaches the firewall from one IP address while the authentication attempt waiting for the token was started from another. By default the firewall will not associate the two, so the push cannot complete the pending attempt.


This will result in a failed auth attempt.
Manual input of the Token should still work.

Scope

FortiToken, FortiGate.
Solution

With the default ('set auth-session-check-source-ip enable'), the auth fails if the token response arrives from a different IP address than the one that started the session:

 

2021-12-04 12:45:20 [177:root:fd]SSL state:SSL negotiation finished successfully (10.255.255.2)


2021-12-04 12:45:21 [1937] handle_req-Rcvd auth req 333513963 for fortinet in opt=00200421 prot=11
2021-12-04 12:46:02 [177:root:fe]SSL state:SSL negotiation finished successfully (10.10.10.2) <----- Push from different IP address.
2021-12-04 12:46:02 [177:root:fe]1495 magic checked failed.
2021-12-04 12:46:02 [177:root:0]sslvpn_find_err_msg_array:337 Can't find the value for key: 400
2021-12-04 12:46:02 [177:root:fe]rmt_error_cb_handler:123 Cannot get corresponding message for key 400. Use the default error message.

 

With 'set auth-session-check-source-ip disable', the auth goes through even if the token response comes in from a different IP address:

 

2021-12-04 12:50:31 [177:root:105]SSL state:SSL negotiation finished successfully (10.255.255.2)
2021-12-04 12:50:31 [1937] handle_req-Rcvd auth req 333513965 for fortinet in opt=00200421 prot=11
2021-12-04 12:50:44 [177:root:106]SSL state:SSL negotiation finished successfully (10.10.10.2) <----- Push from different IP address.
2021-12-04 12:50:44 2021-12-04 12:50:44 [2344] handle_req-Rcvd chal rsp for req 333513965
2021-12-04 12:50:44 [177:root:106]fam_auth_proc_resp:1264 fnbam_auth_update_result return: 0
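The two excerpts above can be read mechanically: the peer IP in the last 'SSL negotiation finished successfully' line is the source of whatever sslvpnd handles next, so each fnbamd 'auth req' can be tied to the IP that sent the credentials and each challenge response (or 'magic checked failed' rejection) to the IP that answered. The following Python script is an added example, not part of this article or of any Fortinet tool; it runs over the debug lines copied from the excerpts above (constructed sample input, blank lines removed). Attributing a 'magic checked failed' line to the newest pending request is an assumption, because that line carries no request ID.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the sslvpnd/fnbamd debug lines from the two
# excerpts in this article, with the blank lines and annotations removed.
SAMPLE_LOG = """\
2021-12-04 12:45:20 [177:root:fd]SSL state:SSL negotiation finished successfully (10.255.255.2)
2021-12-04 12:45:21 [1937] handle_req-Rcvd auth req 333513963 for fortinet in opt=00200421 prot=11
2021-12-04 12:46:02 [177:root:fe]SSL state:SSL negotiation finished successfully (10.10.10.2)
2021-12-04 12:46:02 [177:root:fe]1495 magic checked failed.
2021-12-04 12:50:31 [177:root:105]SSL state:SSL negotiation finished successfully (10.255.255.2)
2021-12-04 12:50:31 [1937] handle_req-Rcvd auth req 333513965 for fortinet in opt=00200421 prot=11
2021-12-04 12:50:44 [177:root:106]SSL state:SSL negotiation finished successfully (10.10.10.2)
2021-12-04 12:50:44 [2344] handle_req-Rcvd chal rsp for req 333513965
2021-12-04 12:50:44 [177:root:106]fam_auth_proc_resp:1264 fnbam_auth_update_result return: 0
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
SSL_RE = re.compile(r"SSL negotiation finished successfully \(([\d.]+)\)")
REQ_RE = re.compile(r"Rcvd auth req (\d+) for (\S+)")
RSP_RE = re.compile(r"Rcvd chal rsp for req (\d+)")
RESULT_RE = re.compile(r"fnbam_auth_update_result return: (\d+)")
MAGIC_FAIL = "magic checked failed"


@dataclass
class AuthAttempt:
    req_id: str
    user: str
    start_ip: str                       # peer IP of the TLS session that sent the credentials
    started: str
    response_ip: Optional[str] = None   # peer IP of the TLS session that answered the challenge
    outcome: str = "pending"

    @property
    def ip_changed(self) -> bool:
        return self.response_ip is not None and self.response_ip != self.start_ip


def correlate(log_text: str) -> List[AuthAttempt]:
    """Tie each fnbamd auth request to the TLS peer IPs seen around it."""
    attempts: List[AuthAttempt] = []
    by_id: Dict[str, AuthAttempt] = {}
    last_ssl_ip: Optional[str] = None   # peer of the most recent TLS handshake
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_match = TS_RE.match(line)
        ts = ts_match.group(1) if ts_match else "?"
        if m := SSL_RE.search(line):
            last_ssl_ip = m.group(1)
        elif m := REQ_RE.search(line):
            a = AuthAttempt(m.group(1), m.group(2), last_ssl_ip or "?", ts)
            attempts.append(a)
            by_id[a.req_id] = a
        elif m := RSP_RE.search(line):
            a = by_id.get(m.group(1))
            if a is not None:
                a.response_ip = last_ssl_ip or "?"
        elif m := RESULT_RE.search(line):
            # fnbamd reports the verdict for the attempt that most recently got a response
            a = next((x for x in reversed(attempts) if x.response_ip and x.outcome == "pending"), None)
            if a is not None:
                a.outcome = "accepted" if m.group(1) == "0" else f"rejected (rc={m.group(1)})"
        elif MAGIC_FAIL in line:
            # sslvpnd dropped the connection before fnbamd saw a response. The line carries
            # no request ID, so (assumption) it is attributed to the newest pending attempt.
            a = next((x for x in reversed(attempts) if x.outcome == "pending"), None)
            if a is not None:
                a.response_ip = last_ssl_ip or "?"
                a.outcome = "rejected (magic check failed)"
    return attempts


def classify(a: AuthAttempt) -> str:
    """Map one attempt onto the two behaviours the article describes."""
    if a.outcome == "pending":
        return "no challenge response seen (expired or still waiting)"
    if a.ip_changed and a.outcome.startswith("rejected"):
        return "source IP changed, auth rejected: consistent with auth-session-check-source-ip enable"
    if a.ip_changed:
        return "source IP changed, auth accepted: consistent with auth-session-check-source-ip disable"
    return "single source IP for the whole attempt"


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a.started} req={a.req_id} user={a.user} {a.start_ip} -> {a.response_ip}: "
              f"{a.outcome}; {classify(a)}")
```

Feed it the output of 'diagnose debug application sslvpn -1' and 'diagnose debug application fnbamd -1' captured during a failing login: an attempt whose start and response IPs differ and that ends in 'magic check failed' is the symptom this article is about, while an attempt that stays on one IP and still fails points somewhere else (wrong token, expired timer).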

 

Before v6.2.0, an auth attempt whose connections came from more than one IP address was always dropped, and this behavior could not be changed: on those versions the failing auth attempts are expected.

 

  1. Upgrade to v6.2.0 or later if 'set auth-session-check-source-ip disable' is required:

 

config vpn ssl settings
    set auth-session-check-source-ip [ enable | disable ]

 

  2. Increase the timer of the 2FA method in use, so the token response has time to arrive before the attempt expires. The values shown are the defaults:

 

config system global

remoteauthtimeout : 5 (seconds) Minimum value: 1 Maximum value: 300
two-factor-email-expiry: 60 (seconds) Minimum value: 30 Maximum value: 300
two-factor-fac-expiry: 60 (seconds) Minimum value: 10 Maximum value: 3600
two-factor-ftk-expiry: 60 (seconds) Minimum value: 60 Maximum value: 600
two-factor-ftm-expiry: 72 (hours) Minimum value: 1 Maximum value: 168
two-factor-sms-expiry: 60 (seconds) Minimum value: 30 Maximum value: 300

 

Note:

  • Disabling auth-session-check-source-ip reduces security: the firewall no longer requires the token response to come from the same IP address as the pending SSL VPN session, so an attacker who obtains a valid session token can use it from elsewhere, which increases the risk of session hijacking or misuse. Keep it enabled where clients do not change IP address, and make sure the token itself is still short-lived (see the expiry timers above).

 

Related document:

vpn ssl settings