alwis
Staff
Article Id 289965
Description This article describes an issue where SSL VPN users with FortiToken cannot connect because NTP is not synchronized.
Scope FortiGate, FortiToken.
Solution

When a user tries to connect to the SSL VPN, the connection fails with this error: 'Credential or SSLVPN configuration is wrong. (-7200)'.

This assumes that all configurations are correct on the SSL VPN setting, group, and firewall policy.

 

Run debug on FortiGate for authentication via CLI:

 

diagnose debug enable
diagnose debug application fnbamd

FortiGate-VM64-KVM # [1937] handle_req-Rcvd auth_token req 539556049 for testuser in
[429] __compose_group_list_from_req-Group 'testgroup', type 1
local auth is done with user 'testuser', ret=7
[740] create_auth_token_session-Created auth token session 539556049


FortiGate-VM64-KVM # 175900[2048] handle_req-Rcvd auth_token rsp for req 539556049
[2097] handle_req-Check token '175900' with user 'testuser'
[2116] handle_req-Verify(user=testuser vdom=root token_code=175900) returns -30113

[2167] handle_req-Token check failed, result -30113
[217] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 539556049, len=2124
[752] destroy_auth_session-delete session 539556049

 

Verify whether NTP is synchronized on the FortiGate:

 

FortiGate-VM64-KVM # diagnose sys ntp status
synchronized: no, ntpsync: enabled, server-mode: disabled

ipv4 server(192.168.168.1) 192.168.168.1 -- unreachable(0x0) S:7 T:535
no data


FortiGate-VM64-KVM # execute time
current time is: 04:11:09
last ntp sync: never

 

After NTP has been synchronized, the SSL VPN connection with FortiToken should succeed.
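
Why an unsynchronized clock leads to the 'Token check failed' result in the debug output, as an added example that is not FortiGate code: a generic RFC 6238 time-based one-time-password check in which the verifier compares the submitted code against codes derived from its own clock. The 30-second step, the +/- 1 step tolerance, the seed and the timestamps are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # assumed time step in seconds (RFC 6238 default)
DIGITS = 6     # six-digit code, like the '175900' in the debug output
WINDOW = 1     # assumed tolerance: accept codes from +/- 1 step


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given clock reading."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, verifier_time: int) -> bool:
    """Check a code against the verifier's own clock, allowing +/- WINDOW steps."""
    for drift in range(-WINDOW, WINDOW + 1):
        candidate = totp(secret, verifier_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def demo() -> dict:
    secret = b"12345678901234567890"  # constructed seed (RFC 6238 test value)
    true_time = 1_700_000_000         # constructed "real" time on the token device
    code = totp(secret, true_time)    # the code the user reads and submits
    skewed = true_time - 6 * 3600     # constructed verifier clock, 6 hours off
    return {
        # Verifier within a few seconds of real time: the code is accepted.
        "synced": verify(secret, code, true_time + 10),
        # Verifier that never synced: correct code, yet the check fails.
        "skewed": verify(secret, code, skewed),
    }


if __name__ == "__main__":
    print(demo())
```

The user's credentials and token are correct in both cases; only the verifier's clock differs, which is why checking 'diagnose sys ntp status' and 'execute time' belongs early in troubleshooting.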
