FortiGate
pachavez
Staff
Article Id 338932
Description This article describes how to resolve the 'Permission denied. (-455)' error that a local user receives when logging in to FortiClient.
Scope FortiGate, FortiClient.
Solution

In this example, local VPN user 'PearlAngelica' is configured in FortiGate for SSL VPN:

config user local
    edit "PearlAngelica"
        set type password
        set passwd-time 2024-09-03 17:43:10
        set passwd ENC tyMR64f6GkZ2yReZhxWuYkzsHZpW8x+zkUZZyxIkbVCJ9zuFuKRAhEtPLJqo+stExyB3aLiTDPxo6Vqv6VoNSmzmXXyfFwgn8QGYGKyPcvLLHRg2TzKzNnf2tCPn2IashEYkPe6sncpmIN3XOcfGEdobF+76kpzheadculks2E2bcg0Yf8nY+65OC33hjj+mAY5t+FlmMjY3dkVA
    next
end


When the local SSL VPN user 'PearlAngelica' enters 'pearlangelica' (same name, different case) in FortiClient, the login fails with the 'Permission denied. (-455)' error.


[Screenshot: permission denied.PNG]


Run the SSL VPN debug while replicating the issue to monitor errors:

diagnose debug reset
diagnose debug disable
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable

To disable debug:

diagnose debug disable


The debug output shows 'login_failed:494 user[pearlangelica],auth_type=1 failed [sslvpn_login_unknown_user]':

2024-09-03 23:54:12 [19214:root:3b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-09-03 23:54:12 [19214:root:3b]rmt_web_auth_info_parser_common:530 no session id in auth info
2024-09-03 23:54:12 [19214:root:3b]rmt_web_access_check:801 access failed, uri=[/remote/logincheck],ret=4103,
2024-09-03 23:54:12 [19214:root:3b]encoding method 0
2024-09-03 23:54:12 [19214:root:3b]sslvpn_auth_check_usrgroup:3112 forming user/group list from policy.
2024-09-03 23:54:12 [19214:root:3b]sslvpn_auth_check_usrgroup:3149 got user (0) group (1:0).
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:2003 validating with SSL VPN authentication rules (1), realm ().
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:2097 checking rule 1 cipher.
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:2105 checking rule 1 realm.
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:2116 checking rule 1 source intf.
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:2155 checking rule 1 vd source intf.
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:2659 rule 1 done, got user (0:0) group (1:0) peer group (0).
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:2667 got user (0:0) group (1:0) peer group (0).
2024-09-03 23:54:12 [19214:root:3b]sslvpn_validate_user_group_list:3014 got user (0:0), group (1:0) peer group (0).
2024-09-03 23:54:12 [19214:root:3b]sslvpn_update_user_group_list:1905 got user (0:0), group (1:0), peer group (0) after update.
2024-09-03 23:54:12 [19214:root:3b]two factor check for pearlangelica: off
2024-09-03 23:54:12 [19214:root:3b]sslvpn_authenticate_user:202 authenticate user: [pearlangelica]
2024-09-03 23:54:12 [19214:root:3b]sslvpn_authenticate_user:220 create fam state
2024-09-03 23:54:12 [19214:root:3b][fam_auth_send_req_internal:440] Groups sent to FNBAM:
2024-09-03 23:54:12 [19214:root:3b]group_desc[0].grpname = SSLVPN
2024-09-03 23:54:12 [19214:root:3b][fam_auth_send_req_internal:452] FNBAM opt = 0X200421
2024-09-03 23:54:12 [19214:root:3b]fam_auth_send_req_internal:520 fnbam_auth return: 4
2024-09-03 23:54:12 [19214:root:3b]fam_auth_send_req:1016 task finished with 4
2024-09-03 23:54:12 [19214:root:3b]fam_auth_proc_resp:1371 fnbam_auth_update_result return: 5 ((null))
2024-09-03 23:54:12 [19214:root:3b][fam_auth_proc_resp:1377] An error happened updating the FNBAM response.
2024-09-03 23:54:12 [19214:root:3b]login_failed:494 user[pearlangelica],auth_type=1 failed [sslvpn_login_unknown_user]
2024-09-03 23:54:12 [19214:root:3b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-09-03 23:54:12 [19214:root:3b]Transfer-Encoding n/a
2024-09-03 23:54:12 [19214:root:3b]Content-Length 205
2024-09-03 23:54:32 [19214:root:3b]Timeout for connection 0x7fc325e44800.
2024-09-03 23:54:32 [19214:root:3b]Destroy sconn 0x7fc325e44800, connSize=0. (root)
2024-09-03 23:54:32 [19214:root:3b]SSL state:warning close notify (10.47.1.179)

This happens because local usernames on FortiGate are case sensitive: 'pearlangelica', 'PearlAngelica', and 'PEARLANGELICA' are treated as three distinct users. The user must therefore enter the username with exactly the same capitalization as configured locally in the firewall.

To resolve the issue, there are two options:

  1. When creating a user, or when the user authenticates, use exactly the capitalization with which the user was initially configured. Local users must enter a username that is an exact case match of the one configured in FortiGate.
  2. For simplicity and convenience, change the username of the local user to all lowercase.

Note: FortiGate is case sensitive for users of type local (created on FortiGate), but remote users (from RADIUS or LDAP) can be made case insensitive by disabling the username-sensitivity option in the CLI. If multiple users are affected by this issue, managing them as remote users of type LDAP or RADIUS to eliminate username case sensitivity is therefore an option.

For more information on how to disable case sensitivity: Technical Tip: Local user, username case sensitivity and accent sensitivity.

 

The 'Permission denied. (-455)' error also appears when the SSL VPN user enters the wrong password. However, the debug output is different, as shown below:

[23047:root:31]fam_auth_send_req_internal:518 fnbam_auth return: 1
[23047:root:31][fam_auth_send_req_internal:544] Authenticated groups (1) by FNBAM with auth_type (1):
[23047:root:31]Received: auth_rsp_data.grp_list[0] = 0
[23047:root:31]fam_auth_send_req:1019 task finished with 1
[23047:root:31]login_failed:405 user[guest],auth_type=1 failed [sslvpn_login_permission_denied]

 

To resolve the issue, make sure the password is correct.
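The two debug outputs above differ only in the reason tag of the 'login_failed' line ('sslvpn_login_unknown_user' versus 'sslvpn_login_permission_denied'). The following script is an added example, not Fortinet code, that triages such lines the way this article does: it pulls local usernames out of a 'config user local' block, pulls failed logins out of sslvpn debug output, and reports whether an unknown-user failure is actually a case mismatch against a configured local user. The config block and debug lines embedded below are constructed samples modelled on the output shown in this article, and the line format they assume is only the 'login_failed:... user[...],auth_type=... failed [...]' layout seen here.

```python
import re

# Constructed sample config, modelled on the 'config user local' block above.
SAMPLE_CONFIG = """
config user local
    edit "PearlAngelica"
        set type password
    next
end
"""

# Constructed sample debug lines, modelled on the sslvpn debug output above.
SAMPLE_DEBUG = """
2024-09-03 23:54:12 [19214:root:3b]sslvpn_authenticate_user:202 authenticate user: [pearlangelica]
2024-09-03 23:54:12 [19214:root:3b]login_failed:494 user[pearlangelica],auth_type=1 failed [sslvpn_login_unknown_user]
[23047:root:31]login_failed:405 user[guest],auth_type=1 failed [sslvpn_login_permission_denied]
[23047:root:31]login_failed:494 user[nobody],auth_type=1 failed [sslvpn_login_unknown_user]
"""

# Matches the 'login_failed' lines as they appear in this article's debug output.
LOGIN_FAILED_RE = re.compile(
    r"login_failed:\d+ user\[([^\]]*)\],auth_type=(\d+) failed \[([^\]]+)\]"
)


def parse_local_users(config_text):
    """Return the usernames defined between 'config user local' and its 'end'."""
    users = []
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config user local":
            in_block = True
        elif in_block and stripped == "end":
            in_block = False
        elif in_block:
            m = re.match(r'edit\s+"([^"]+)"', stripped)
            if m:
                users.append(m.group(1))
    return users


def parse_login_failures(debug_text):
    """Extract (user, auth_type, reason) from every 'login_failed' debug line."""
    failures = []
    for line in debug_text.splitlines():
        m = LOGIN_FAILED_RE.search(line)
        if m:
            failures.append(
                {"user": m.group(1), "auth_type": int(m.group(2)), "reason": m.group(3)}
            )
    return failures


def triage(debug_text, config_text):
    """Classify each failed SSL VPN login against the configured local users.

    Local usernames are compared exactly (FortiGate treats them case
    sensitively); a case-folded lookup is used only to detect the mismatch
    described in this article, never to accept the login.
    """
    local_users = parse_local_users(config_text)
    exact = set(local_users)
    folded = {u.casefold(): u for u in local_users}
    results = []
    for f in parse_login_failures(debug_text):
        attempted = f["user"]
        entry = {"user": attempted, "reason": f["reason"], "configured_as": None}
        if f["reason"] == "sslvpn_login_unknown_user":
            if attempted in exact:
                entry["verdict"] = "unknown_user"  # exact name exists; not a case issue
            elif attempted.casefold() in folded:
                entry["verdict"] = "case_mismatch"
                entry["configured_as"] = folded[attempted.casefold()]
            else:
                entry["verdict"] = "no_such_local_user"
        elif f["reason"] == "sslvpn_login_permission_denied":
            # This article shows this reason for a wrong password.
            entry["verdict"] = "wrong_password"
        else:
            entry["verdict"] = "unclassified"
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_DEBUG, SAMPLE_CONFIG):
        hint = f" (configured as '{r['configured_as']}')" if r["configured_as"] else ""
        print(f"user[{r['user']}] {r['reason']} -> {r['verdict']}{hint}")
```

Run against real output, feed the script the text captured from 'diagnose debug application sslvpn -1' and the 'show user local' block; a 'case_mismatch' verdict points straight at option 1 or 2 above, while 'wrong_password' corresponds to the second debug output in this article.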