Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
zzarrouk
Staff
Staff

Created on ‎11-18-2019 03:01 AM Edited on ‎08-06-2025 07:41 AM By Moderator

Article Id 193644

Technical Tip: SSL VPN issue when using LDAPS

Description


This article describes how to overcome the LDAPS TLS issue that may occur while using SSLVPN, especially after upgrading FortiGate.

 

Scope

 

FortiGate.

Solution

 

To test the LDAP object to see if it's working properly, use the following CLI command:
 
diagnose test authserver ldap <LDAP server_name> <username> <password>
 
<LDAP server_name> = the name of the LDAP object on FortiGate (not the actual LDAP server name).
 
Any username and password combination from the AD can be used, but it is recommended (at least at the first stage) to test credentials used in the LDAP object itself.
If these credentials fail, then any other will fail as well as the FortiGate will not be able to bind to the LDAP server.
 
CLI example:
 
diagnose test authserver ldap LDAP_SERVER user1 password
 
Advanced troubleshooting:
 
To get more information about the reason for authentication failure, run the following commands from the CLI:
 
diagnose debug enable
diagnose debug application fnbamd 255
 
To stop this debug type:

 

diagnose debug reset

diagnose debug disable

 
Then, run an LDAP authentication test:
 
diag test authserver ldap AD_LDAP user1 password
 
Based on the Fnbamd output, ssl negotiation errors should appear.
This means that the LDAPS TLS negotiation is not working properly.
 
This can be checked with a sniffer to see which TLS version is presented by the LDAP server using the following command:
 
diag sniffer packet any ‘host <LDAP server> and port 636>' 6 0 a
 
For example, if the LDAP server is presenting TLS 1.0 (Windows 2008) and the FortiGate is using version 6.2.x, the TLS negotiation will not work.
The following command under the LDAP config will fix this issue:
 
config user ldap
    edit <LDAP entry>
        set ssl-min-proto-version TLSv1  <----- This version depends on the TLS version used by the LDAP server.
    next
end

 

From FortiOS V7.2.0, the LDAP server configured on FortiGate can authenticate itself with a client certificate to the LDAP server.

 

config user ldap
     edit <ldap_server>
        set client-cert-auth enable

        set client-cert <FGT_CERT_NAME>
     next

end

 

Refer to the following document for information:

Configuring client certificate authentication on the LDAP server - FortiGate 7.2.0.

 

If LDAP authentication is working fine locally from the FGT, but the user is still getting issues connecting to the firewall using SSL VPN. Share the output of the below debug command with TAC by reproducing the issue:

 

diagnose debug disable

diagnose debug reset

dia debug console timestamp enable

diagnose vpn ssl debug-filter src-addr4 < user PC public IP >

diagnose debug application sslvpn -1

diagnose debug application fnbamd -1

diagnose debug enable

 

To stop the debug processes:

 

diagnose debug reset

diagnose debug disable

 

It is possible to verify the user group and portal mapping with the following command:

 

get vpn ssl monitor

 

Note:

Since FortiOS 7.4.4 and above, the CA certificate of the LDAP server must be imported into the FortiGate.

Refer to this article: Technical Tip: LDAPS connections no longer work after update to v7.4.4.

15992
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.