Run additional debugging to gather more information for the next step of the investigation.
In the FortiGate CLI:
diagnose debug disable
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable
Results similar to the following may appear:
2023-11-02 14:15:59 [11178:root:32]allocSSLConn:289 sconn 0x54d60280 (0:root)
2023-11-02 14:15:59 [11178:root:32]SSL state:before SSL initialization (15.15.15.15)
2023-11-02 14:15:59 [11178:root:32]SSL state:before SSL initialization:DH lib(15.15.15.15)
2023-11-02 14:15:59 [11178:root:32]SSL_accept failed, 5:(null)
2023-11-02 14:15:59 [11178:root:32]Destroy sconn 0x54d60280, connSize=0. (root)
2023-11-02 14:15:59 [11178:root:33]allocSSLConn:289 sconn 0x54d6a280 (0:root)
2023-11-02 14:15:59 [11178:root:33]SSL state:before SSL initialization (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:before SSL initialization (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]client cert requirement: yes
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS read client hello (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS write server hello (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS write certificate (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS write key exchange (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS write certificate request (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS write server done (15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS write server done:system lib(15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL state:SSLv3/TLS write server done:DH lib(15.15.15.15)
2023-11-02 14:15:59 [11178:root:33]SSL_accept failed, 5:(null)
2023-11-02 14:15:59 [11178:root:33]Destroy sconn 0x54d6a280, connSize=0. (root)
2023-11-02 14:15:59 [11178:root:34]allocSSLConn:289 sconn 0x54d81280 (0:root)
2023-11-02 14:15:59 [11178:root:34]SSL state:before SSL initialization (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:before SSL initialization (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]client cert requirement: yes
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS read client hello (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write server hello (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write certificate (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write key exchange (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write certificate request (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write server done (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write server done:system lib(15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write server done (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS read client certificate (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS read client key exchange (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS read change cipher spec (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS read finished (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write session ticket (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write change cipher spec (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSLv3/TLS write finished (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL state:SSL negotiation finished successfully (15.15.15.15)
2023-11-02 14:15:59 [11178:root:34]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2023-11-02 14:15:59 [11178:root:34]No client certificate
2023-11-02 14:15:59 [11178:root:34]req: /remote/info
2023-11-02 14:15:59 [11178:root:34]req: /remote/login
2023-11-02 14:15:59 [11178:root:34]rmt_web_auth_info_parser_common:470 no session id in auth info
2023-11-02 14:15:59 [11178:root:34]rmt_web_get_access_cache:804 invalid cache, ret=4103
2023-11-02 14:15:59 [11178:root:34]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2023-11-02 14:15:59 [11178:root:34]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
2023-11-02 14:15:59 [11178:root:34]sslvpn_auth_check_usrgroup:2145 got user (0) group (1:0).
2023-11-02 14:15:59 [11178:root:34]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (1), realm ().
2023-11-02 14:15:59 [11178:root:34]sslvpn_validate_user_group_list:1690 checking rule 1 cipher.
2023-11-02 14:15:59 [11178:root:34]sslvpn_validate_user_group_list:1698 checking rule 1 realm.
2023-11-02 14:15:59 [11178:root:34]sslvpn_validate_user_group_list:1709 checking rule 1 source intf.
2023-11-02 14:15:59 [11178:root:34]sslvpn_validate_user_group_list:1748 checking rule 1 vd source intf.
2023-11-02 14:15:59 [11178:root:34]sslvpn_validate_user_group_list:1845 rule 1 done, got user (0:0) group (1:0) peer group (0).
2023-11-02 14:15:59 [11178:root:34]sslvpn_validate_user_group_list:1963 got user (0:0), group (1:0) peer group (0).
2023-11-02 14:15:59 [11178:root:34]get_cust_page:130 saml_info 0
2023-11-02 14:15:59 [11178:root:34]req: /remote/logincheck
2023-11-02 14:15:59 [11178:root:34]rmt_web_auth_info_parser_common:470 no session id in auth info
2023-11-02 14:15:59 [11178:root:34]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
2023-11-02 14:15:59 [11178:root:34]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2023-11-02 14:15:59 [11178:root:34]rmt_logincheck_cb_handler:1189 user 'test15' has a matched local entry.
2023-11-02 14:15:59 [11178:root:34]login_failed:384 user[test15],auth_type=32768 failed [sslvpn_login_cert_checked_error]
2023-11-02 14:15:59 [11178:root:0]dump_one_blocklist:84 status=1;host=15.15.15.15;fails=1;logintime=1698730139
Note the 'failed [sslvpn_login_cert_checked_error]' message. For the same connection the output also shows 'client cert requirement: yes' followed by 'No client certificate': the TLS session is established, but the login is rejected at the client certificate check.
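As an added illustration (not part of the original article or of Fortinet's tooling), the Python below splits run-together 'diagnose debug application sslvpn -1' output into entries and checks each connection for the signature above ('client cert requirement: yes', 'No client certificate', and a login_failed carrying sslvpn_login_cert_checked_error); it also pulls the host and failure count out of the dump_one_blocklist line. The sample log is constructed from the shape of the output shown above.

```python
import re
from dataclasses import dataclass

# One entry: "<date> <time> [<pid>:<vdom>:<conn>]<message>"; entries can be run
# together on one line, so a message ends where the next timestamp begins.
ENTRY_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\d+):(\w+):(\d+)\](.*?)"
    r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[|\Z)", re.S)

@dataclass
class Entry:
    ts: str
    conn: int  # per-connection counter, third field inside the brackets
    msg: str

def parse_entries(text):
    """Split 'diagnose debug application sslvpn -1' output into entries."""
    return [Entry(m.group(1), int(m.group(4)), m.group(5).strip())
            for m in ENTRY_RE.finditer(text)]

def diagnose_cert_failure(text):
    """Per connection: True when the server required a client certificate,
    TLS completed without one, and login failed with sslvpn_login_cert_checked_error."""
    by_conn = {}
    for e in parse_entries(text):
        by_conn.setdefault(e.conn, []).append(e.msg)
    return {c: (any(m.startswith("client cert requirement: yes") for m in ms)
                and any(m.startswith("No client certificate") for m in ms)
                and any("sslvpn_login_cert_checked_error" in m for m in ms))
            for c, ms in by_conn.items()}

def blocklist_events(text):
    """Host and failure count from each dump_one_blocklist entry."""
    out = []
    for e in parse_entries(text):
        if e.msg.startswith("dump_one_blocklist"):
            kv = dict(f.split("=", 1) for f in e.msg.split(" ", 1)[1].split(";"))
            out.append({"host": kv["host"], "fails": int(kv["fails"])})
    return out

# Constructed sample, abridged from the shape of the article's output.
SAMPLE = (
    "2023-11-02 14:15:59 [11178:root:33]client cert requirement: yes "
    "2023-11-02 14:15:59 [11178:root:33]SSL_accept failed, 5:(null) "
    "2023-11-02 14:15:59 [11178:root:34]client cert requirement: yes "
    "2023-11-02 14:15:59 [11178:root:34]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "
    "2023-11-02 14:15:59 [11178:root:34]No client certificate "
    "2023-11-02 14:15:59 [11178:root:34]login_failed:384 user[test15],auth_type=32768 failed [sslvpn_login_cert_checked_error] "
    "2023-11-02 14:15:59 [11178:root:0]dump_one_blocklist:84 status=1;host=15.15.15.15;fails=1;logintime=1698730139")
```

Connection 33 in the sample aborts during the handshake (SSL_accept failed) and is not flagged, which distinguishes a client that never completed TLS from one that logged in without a certificate.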
To fix the issue:
If a connection cannot be established to the FortiGate unit via SSL VPN and all of the following conditions are true:
- SSL VPN Status stops at 48%.
- A pop-up message appears with 'Credential or SSLVPN configuration is wrong (-7200)'.
- 'diagnose debug application sslvpn -1' debugging shows a 'failed [sslvpn_login_cert_checked_error]' message.
Consider navigating to VPN -> SSL-VPN Settings -> SSL-VPN Settings and disabling Require Client Certificate. Select Apply afterwards to save the changes.
Afterwards, try to connect to the FortiGate unit via SSL VPN again. The issue should be fixed.