tana
Staff
Article Id 242594
Description

This article describes a problem that can occur when an Android device connects to the SSL VPN with two-factor authentication enabled: the connection attempt fails before the two-factor code is requested.

Scope

FortiGate SSL VPN with Android clients.

Solution

In the FortiClient logs, the error message SSLCONNFAILED will appear.

When checking the SSL VPN debug output on the FortiGate, log lines such as the following example will be displayed:


 

2022-11-10 15:45:05 [284:root:452c]SSL state:fatal internal error (x.x.x.x)
2022-11-10 15:45:05 [284:root:452c]SSL state:error:(null)(x.x.x.x)
2022-11-10 15:45:05 [284:root:452c]SSL_accept failed, 1:EVP lib
2022-11-10 15:45:05 [284:root:452c]Destroy sconn 0x7f77f21f00, connSize=12. (root)

As a workaround, two-factor authentication can be disabled. Alternatively, disabling SSL VPN hardware acceleration, which leaves two-factor authentication in place, should solve the issue:

# config system global
    set sslvpn-kxp-hardware-acceleration disable
    set sslvpn-cipher-hardware-acceleration disable
end
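The following Python script is an added example and is not Fortinet's code or part of this article. It parses SSL VPN debug lines in the layout shown above, groups them by connection id and flags connections whose handshake ended with the "SSL_accept failed, 1:EVP lib" signature; it also scans a "config system global" dump for the two hardware-acceleration settings the workaround disables, so an operator can confirm whether acceleration is still on when the signature appears. The line layout, the extra successful-handshake lines, the address 192.0.2.10 and the config fragment are constructed assumptions derived from the article's own output, not captured from a device.

```python
import re
from collections import defaultdict

# Assumed layout of a FortiOS SSL VPN debug line, derived from the article's
# output: "<date> <time> [<pid>:<vdom>:<connid>]<message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>[0-9a-fA-F]+)\](?P<msg>.*)$"
)
# Several state messages end with the client address in parentheses.
IP_RE = re.compile(r"\(([0-9a-fA-F.:x]+)\)\s*$")

# Signature of the failure described in the article.
FATAL_STATE = "SSL state:fatal internal error"
EVP_FAIL = "SSL_accept failed, 1:EVP lib"

# The two settings the article's workaround disables.
ACCEL_KEYS = (
    "sslvpn-kxp-hardware-acceleration",
    "sslvpn-cipher-hardware-acceleration",
)


def parse_line(line):
    """Split one debug line into its fields; return None for non-matching text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ip = IP_RE.search(rec["msg"])
    rec["client"] = ip.group(1) if ip else None
    return rec


def find_evp_failures(lines):
    """Group lines by connection id and return the connections whose
    handshake failed inside the EVP library, with the client address if logged."""
    conns = defaultdict(lambda: {"vdom": None, "client": None,
                                 "fatal": False, "evp": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = conns[rec["conn"]]
        c["vdom"] = rec["vdom"]
        if rec["client"]:
            c["client"] = rec["client"]
        if FATAL_STATE in rec["msg"]:
            c["fatal"] = True
        if EVP_FAIL in rec["msg"]:
            c["evp"] = True
    return {cid: c for cid, c in conns.items() if c["evp"]}


def sslvpn_accel_settings(config_text):
    """Return the value of each hardware-acceleration setting found in a
    'config system global' dump (None when the key is not present)."""
    found = {key: None for key in ACCEL_KEYS}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) == 3 and parts[0] == "set" and parts[1] in found:
            found[parts[1]] = parts[2]
    return found


def report(lines, config_text):
    """Human-readable summary combining both checks."""
    out = []
    for cid, c in sorted(find_evp_failures(lines).items()):
        out.append(f"conn {cid} (vdom {c['vdom']}) client {c['client'] or '?'}: "
                   f"{EVP_FAIL}" + (" after fatal internal error" if c["fatal"] else ""))
    settings = sslvpn_accel_settings(config_text)
    still_on = [k for k, v in settings.items() if v == "enable"]
    if out and still_on:
        out.append("SSL VPN hardware acceleration still enabled: " + ", ".join(still_on))
    return out


# Constructed sample: the article's four lines plus one connection (4531,
# client 192.0.2.10) that completed its handshake; the last two lines are
# made up for this example.
SAMPLE_LOG = [
    "2022-11-10 15:45:05 [284:root:452c]SSL state:fatal internal error (x.x.x.x)",
    "2022-11-10 15:45:05 [284:root:452c]SSL state:error:(null)(x.x.x.x)",
    "2022-11-10 15:45:05 [284:root:452c]SSL_accept failed, 1:EVP lib",
    "2022-11-10 15:45:05 [284:root:452c]Destroy sconn 0x7f77f21f00, connSize=12. (root)",
    "2022-11-10 15:46:12 [284:root:4531]SSL state:SSLv3/TLS write finished (192.0.2.10)",
    "2022-11-10 15:46:12 [284:root:4531]SSL established (192.0.2.10)",
]

# Constructed 'config system global' fragment with acceleration still on.
SAMPLE_CONFIG = """config system global
    set sslvpn-kxp-hardware-acceleration enable
    set sslvpn-cipher-hardware-acceleration enable
end
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_CONFIG):
        print(line)
```

Feed it the output of the SSL VPN debug and a dump of the global configuration; a connection listed by the report together with acceleration still enabled on a pre-7.2 build is the situation the workaround above addresses.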

SSL VPN hardware acceleration was removed in FOS 7.2, so this issue is not expected on version 7.2 and later.

Related documents:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-and-two-factor-expiry-timers...

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/490351/ssl-vpn-authentication