Jonathan_Body_FTNT (Staff)
Created on 03-14-2011 08:32 AM
Edited on 12-28-2024 11:07 PM by Anthony_E
Article Id 193770
Description
This article describes how to troubleshoot the SSL VPN log message 'bad record mac' (alert level fatal) on a FortiGate.
Scope
FortiGate.
Solution
The following log entry may be seen when an SSL VPN client (dialer) fails to connect:
Log Number 27
Last Activity 2011-02-01 09:00:41
VDom VD-CJG
Level error
Subtype sslvpn-session
Timestamp 2011-02-01 09:00:14
Log ID 39944
Device ID FG3K8A3408600328
Cluster ID FG3K8A3408600069_CID
Tunnel Type ssl
Tunnel Action
Remote IP 1.1.1.1
Tunnel IP 0.0.0.0
Alert fatal
Description bad record mac
Troubleshoot this issue as follows:
Open an SSH session to the FortiGate and collect the following debug from the CLI (the first command adds a timestamp to every debug line; -1 enables all sslvpn debug levels):
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
Have the client reproduce the connection attempt, then stop the debug once the error has been captured:
diagnose debug disable
diagnose debug reset
The sslvpn debug output can show the following error message:
2022-06-21 13:26:20 [30569:root:7]SSL state:fatal bad record mac (81.43.106.186)
2022-06-21 13:26:20 [30569:root:0]ap_read,109, error=1, errno=0 ssl 0x34060000 Success. error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
The OpenSSL reason 1408F119 means that a received TLS record failed its integrity (MAC) check or could not be decrypted. TLS treats this as a fatal bad_record_mac alert and tears the session down, so the client never completes the tunnel. Either the record was modified or corrupted between the client and the FortiGate, or one side is computing the record keys or MAC incorrectly; the remaining steps narrow down which.
Open a second SSH session to the FortiGate and capture the SSL VPN traffic from the CLI at the same time, replacing <SSL vpn port> with the port configured under 'config vpn ssl settings' (set port):
diagnose sniffer packet any 'port <SSL vpn port>' 6 0 a
Verbosity 6 records the full packet contents together with the interface name, a count of 0 removes the packet limit (stop the capture with Ctrl-C) and 'a' prints absolute UTC timestamps, so the capture can be correlated with the timestamped sslvpn debug lines.
To check whether the error is linked to the CP6 content processor (the CP offloads SSL VPN cipher and key exchange operations), first display the current acceleration status, then disable hardware acceleration from the CLI and have the client reconnect:
diagnose vpn ssl hw-acceleration-status
config system global
set sslvpn-cipher-hardware-acceleration disable
set sslvpn-kxp-hardware-acceleration disable
end
If the 'bad record mac' alerts stop with acceleration disabled, the CP6 offload is implicated. If they continue, the cause lies on the client side or on the path between the client and the FortiGate, which the sniffer capture helps to confirm. Re-enable the settings once the test is complete.
Note:
From FortiOS 7.2.1 onward, SSL VPN hardware acceleration has been removed, so the settings above no longer apply. For more details, see the related document: Status of SSL VPN acceleration.
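As an added example (not part of the original article and not Fortinet's own tooling), the following Python script parses timestamped sslvpn debug output of the form shown above, counts the fatal 'bad record mac' alerts per remote IP and cross-checks them against the ap_read lines carrying OpenSSL reason 1408F119. The sample debug text, the IP addresses, and the rule that alerts from two or more distinct clients point to the FortiGate side (and so to the hardware acceleration test) are constructed assumptions of this example, not something the article states.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample of 'diagnose debug application sslvpn -1' output
# (not a real capture). Two clients hit the fatal alert; a third client
# negotiates normally and must not be counted.
SAMPLE_DEBUG = """\
2022-06-21 13:26:20 [30569:root:7]SSL state:fatal bad record mac (81.43.106.186)
2022-06-21 13:26:20 [30569:root:0]ap_read,109, error=1, errno=0 ssl 0x34060000 Success. error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
2022-06-21 13:26:25 [30569:root:7]SSL state:SSLv3/TLS write server hello (203.0.113.9)
2022-06-21 13:26:31 [30570:root:7]SSL state:fatal bad record mac (198.51.100.7)
2022-06-21 13:26:31 [30570:root:0]ap_read,109, error=1, errno=0 ssl 0x34060000 Success. error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
"""

# Matches the "SSL state:fatal bad record mac (<client ip>)" line that the
# sslvpn debug prints when a received TLS record fails its MAC check.
# Bracket fields are [<pid>:<vdom>:<debug level>].
STATE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):\d+\]"
    r"SSL state:fatal bad record mac \((?P<ip>[0-9a-fA-F.:]+)\)$"
)

# OpenSSL reason code printed on the matching ap_read line:
# "decryption failed or bad record mac".
OPENSSL_REASON = "1408F119"


class BadMacEvent(NamedTuple):
    timestamp: str
    vdom: str
    remote_ip: str


def parse_bad_record_mac(debug_text: str) -> List[BadMacEvent]:
    """Return one event per fatal 'bad record mac' state line."""
    events: List[BadMacEvent] = []
    for line in debug_text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            events.append(BadMacEvent(m["ts"], m["vdom"], m["ip"]))
    return events


def count_openssl_reason(debug_text: str) -> int:
    """Count ap_read lines carrying reason 1408F119 as a cross-check."""
    return sum(
        1 for line in debug_text.splitlines()
        if "ap_read" in line and OPENSSL_REASON in line
    )


def count_by_client(events: List[BadMacEvent]) -> Dict[str, int]:
    """Number of fatal alerts seen per remote IP."""
    return dict(Counter(e.remote_ip for e in events))


def classify(counts: Dict[str, int], min_clients: int = 2) -> str:
    """Heuristic of this example only: alerts from several unrelated
    clients suggest the gateway (e.g. crypto offload) rather than one
    client's path, so the hardware acceleration test is the next step."""
    if not counts:
        return "no-bad-record-mac"
    if len(counts) >= min_clients:
        return "gateway-side-suspect"
    return "single-client"


def analyse(debug_text: str) -> Dict[str, object]:
    """Full report: events, per-client counts, reason-code count, verdict."""
    events = parse_bad_record_mac(debug_text)
    counts = count_by_client(events)
    return {
        "events": events,
        "per_client": counts,
        "openssl_reason_lines": count_openssl_reason(debug_text),
        "verdict": classify(counts),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_DEBUG)
    for ip, n in sorted(report["per_client"].items()):
        print(f"{ip}: {n} fatal bad record mac alert(s)")
    print("ap_read lines with 1408F119:", report["openssl_reason_lines"])
    print("verdict:", report["verdict"])
```

Feed the script the saved output of the debug session rather than the constructed sample; a mismatch between the number of state lines and the number of 1408F119 ap_read lines indicates the capture is truncated and should be collected again.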