FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cchiriches
Staff
Staff
Description

This article describes how randomly failing SSLVPN authentication with Fortitoken push can be fixed.


Some users might have multiple public IP addresses (load balancing, multiple connections), or the connection is session based load balanced (mobile networks).


Therefore, when initiating a SSL-VPN tunnel, the connections made by the client to the firewall for the same SSL-VPN session might come from different IP addresses.


Because of that, the firewall cannot associate the push (which is coming from a different IP address) to an existing auth attempt waiting for the Token (which also came from a different IP address).


This will result in a failed auth attempt.
Manual input of the Token should still work.

Scope  
Solution

With the default, set auth-session-check-source-ip enable, the auth fails if the Token arrives from a different IP address than the initial session:

 

2021-12-04 12:45:20 [177:root:fd]SSL state:SSL negotiation finished successfully (10.255.255.2)


2021-12-04 12:45:21 [1937] handle_req-Rcvd auth req 333513963 for fortinet in opt=00200421 prot=11
2021-12-04 12:46:02 [177:root:fe]SSL state:SSL negotiation finished successfully (10.10.10.2) <----- Push from different IP address.
2021-12-04 12:46:02 [177:root:fe]1495 magic checked failed.
2021-12-04 12:46:02 [177:root:0]sslvpn_find_err_msg_array:337 Can't find the value for key: 400
2021-12-04 12:46:02 [177:root:fe]rmt_error_cb_handler:123 Cannot get corresponding message for key 400. Use the default error message.

 

With 'set auth-session-check-source-ip disable', the auth goes thru even if the token comes in from a different IP address:

 

2021-12-04 12:50:31 [177:root:105]SSL state:SSL negotiation finished successfully (10.255.255.2)
2021-12-04 12:50:31 [1937] handle_req-Rcvd auth req 333513965 for fortinet in opt=00200421 prot=11
2021-12-04 12:50:44 [177:root:106]SSL state:SSL negotiation finished successfully (10.10.10.2) <----- Push from different IP address.
2021-12-04 12:50:44 2021-12-04 12:50:44 [2344] handle_req-Rcvd chal rsp for req 333513965
2021-12-04 12:50:44 [177:root:106]fam_auth_proc_resp:1264 fnbam_auth_update_result return: 0

 

Before 6.2.0, the behaviour is to drop an auth attempt with multiple IP addresses, and it cannot be changed. Failing auth attempts are expected.


Upgrade to 6.2.0 at least if 'auth-session-check-source-ip disable' is required.

 

# config vpn ssl settings
    set auth-session-check-source-ip enable | disable

 

Related document.

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/281620/vpn-ssl-settings

Contributors