tpatel (Staff)
Article Id 307014
Description

This article describes the case where an SSL VPN user cannot authenticate on the wan2 interface, while the same user can authenticate and connect to the SSL VPN on wan1.

Wan1 and wan2 are both selected in the SSL VPN settings. When the user tries to authenticate on wan2, the login fails with a permission denied error.

Scope

FortiGate.
Solution

Run the SSL VPN and authentication daemon (fnbamd) debug:

diag debug disable
diag debug reset
diag debug application sslvpn -1
diag debug application fnbamd -1
diag debug enable

Debug when the user tries to connect to wan1:

[2390:root:8a]req: /api/v2/static/fweb_build.json
[2390:root:8a]mza: 0x3247150 /api/v2/static/fweb_build.json
[2390:root:8a]deconstruct_session_id:716 decode session id ok, user=[Test], group=[Test],authserver=[],portal=[full-access],host[172.25.181.131],realm=[],csrf_token=[2D87EB45220361E77CECE417F4C8A6],idx=0,auth=1,sid=56a2b83a,login=1711630502,access=1711630502,saml_logout_url=no,pip=no,grp_info=[S3Qf2U],rmt_grp_info=[]

Debug when the user tries to connect to wan2:

[2390:root:70]sslvpn_update_user_group_list:1807 got user (0:0), group (0:0), peer group (0) after update.
[2390:root:70]no valid user or group candidate found.
[2390:root:70]login_failed:403 user[Test],auth_type=32768 failed [sslvpn_login_unknown_user]
[2390:root:0]dump_one_blocklist:94 status=1;host=172.25.181.131;fails=1;logintime=1711630120
[2390:root:70]req: /remote/login?&err=sslvpn_login_permissi
[2390:root:70]rmt_web_auth_info_parser_common:504 no session id in auth info
[2390:root:70]rmt_web_get_access_cache:853 invalid cache, ret=4103
[2390:root:70]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Solution.

Check the authentication rule in the CLI:

config authentication-rule
    edit 1
        set source-interface "port1"    -> Unset the source interface. When a specific interface is set here, the rule only matches users connecting on that interface (wan1 in this case), so authentication on wan2 fails with sslvpn_login_unknown_user.
        set source-address "all"
        set groups "Test"
        set portal "full-access"
    next
end
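As an added example (not Fortinet tooling and not part of the original article), the Python below parses sslvpn debug lines of the kind shown above, classifies the capture as a successful or failed login with the failure reason, and reads the authentication-rule block to flag a source-interface restriction that would explain a failure on the second interface. It assumes the '[pid:vdom:session]function:line message' line layout seen in the article's output, and uses the article's debug lines and configuration as constructed sample input.

```python
"""Triage FortiGate SSL VPN debug output against the authentication-rule config.

Added example for this article, not Fortinet's own tooling. It assumes the
debug line layout shown in the article and the FortiOS CLI block layout for
'config authentication-rule'.
"""
import re

# One sslvpn/fnbamd debug line: '[pid:vdom:session]message'. The leading '['
# is optional because pasted output sometimes loses it.
LINE_RE = re.compile(r"^\[?(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<sess>[0-9a-fA-F]+)\](?P<msg>.*)$")
# Bracketed 'key=[value]' pairs in deconstruct_session_id ('host[...]' has no '=').
KV_BRACKET_RE = re.compile(r"(\w+)=?\[([^\]]*)\]")
# Bare 'key=value' pairs such as auth=1, login=<epoch>, pip=no.
KV_BARE_RE = re.compile(r"(\w+)=([^,\[\]\s]+)")
FAIL_RE = re.compile(r"login_failed:\d+ user\[(?P<user>[^\]]*)\],auth_type=(?P<auth_type>\d+) failed \[(?P<reason>[^\]]+)\]")


def parse_line(line):
    """Split a debug line into pid, vdom, session and message; None if it is not a debug line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_session(lines):
    """Decide whether the captured debug shows a successful SSL VPN login or a failure."""
    verdict = {"result": "unknown", "user": None, "portal": None, "host": None, "reason": None, "hints": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "deconstruct_session_id" in msg and "decode session id ok" in msg:
            fields = dict(KV_BRACKET_RE.findall(msg))
            fields.update(KV_BARE_RE.findall(msg))
            if fields.get("auth") == "1":  # session decoded with auth flag set: login succeeded
                verdict.update(result="success", user=fields.get("user"),
                               portal=fields.get("portal"), host=fields.get("host"))
        elif "login_failed" in msg:
            f = FAIL_RE.search(msg)
            if f:
                verdict.update(result="failed", user=f["user"], reason=f["reason"])
        elif "no valid user or group candidate found" in msg:
            verdict["hints"].append("no authentication rule matched this user/group on the ingress interface")
        elif "dump_one_blocklist" in msg:
            # 'status=1;host=...;fails=1;logintime=...' after the 'function:line ' prefix
            parts = dict(p.split("=", 1) for p in msg.split(None, 1)[1].split(";") if "=" in p)
            verdict["hints"].append(f"host {parts.get('host')} has {parts.get('fails')} recorded failed login(s)")
    return verdict


def restricted_interfaces(config_text):
    """Map each authentication-rule id to the interfaces its 'set source-interface' limits it to."""
    rules, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config authentication-rule"):
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
        elif line.startswith("set source-interface") and current is not None:
            rules[current] = re.findall(r'"([^"]*)"', line)
        elif line == "end":
            in_block = False
    return rules


def diagnose(debug_lines, config_text):
    """Combine the debug verdict with the config check to explain an unknown-user failure."""
    verdict = classify_session(debug_lines)
    if verdict["result"] == "failed" and verdict["reason"] == "sslvpn_login_unknown_user":
        for rule_id, ifaces in restricted_interfaces(config_text).items():
            verdict["hints"].append(
                f"authentication-rule {rule_id} only matches on {', '.join(ifaces)}; "
                f"logins on any other SSL VPN interface will not match it")
    return verdict


# Constructed sample input, copied from the article's two debug captures and its rule.
SAMPLE_WAN1 = [
    "[2390:root:8a]req: /api/v2/static/fweb_build.json",
    "[2390:root:8a]deconstruct_session_id:716 decode session id ok, user=[Test], group=[Test],authserver=[],"
    "portal=[full-access],host[172.25.181.131],realm=[],csrf_token=[2D87EB45220361E77CECE417F4C8A6],idx=0,auth=1,"
    "sid=56a2b83a,login=1711630502,access=1711630502,saml_logout_url=no,pip=no,grp_info=[S3Qf2U],rmt_grp_info=[]",
]
SAMPLE_WAN2 = [
    "[2390:root:70]sslvpn_update_user_group_list:1807 got user (0:0), group (0:0), peer group (0) after update.",
    "[2390:root:70]no valid user or group candidate found.",
    "[2390:root:70]login_failed:403 user[Test],auth_type=32768 failed [sslvpn_login_unknown_user]",
    "[2390:root:0]dump_one_blocklist:94 status=1;host=172.25.181.131;fails=1;logintime=1711630120",
    "[2390:root:70]rmt_web_auth_info_parser_common:504 no session id in auth info",
]
SAMPLE_CONFIG = """config authentication-rule
    edit 1
        set source-interface "port1"
        set source-address "all"
        set groups "Test"
        set portal "full-access"
    next
end"""
# The same rule after 'unset source-interface' (the article's fix): no restriction remains.
FIXED_CONFIG = SAMPLE_CONFIG.replace('        set source-interface "port1"\n', "")

if __name__ == "__main__":
    print("wan1:", classify_session(SAMPLE_WAN1))
    print("wan2:", diagnose(SAMPLE_WAN2, SAMPLE_CONFIG))
    print("after fix:", restricted_interfaces(FIXED_CONFIG))
```

Running it prints a success verdict for the wan1 capture and, for the wan2 capture, a failure with reason sslvpn_login_unknown_user plus a hint naming rule 1 and port1; after the source-interface line is removed the checker reports no restricted rules.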