acardona
Staff
Article Id 338136
Description This article describes an issue where 2FA stops working after upgrading to 7.2.9.
Scope FortiGate 7.2.9.
Solution

When 2FA is used for SSL VPN users, the window for entering the token code is 30 seconds by default. However, this timer does not apply to the following 2FA types: 'Ftk/email/sms/Fac'. For these token types, the timers configured in the global system settings are followed.

 

Related article:

SSL VPN and two-factor expiry timers 

 

2FA fails because the SSL VPN closes the session after 30 seconds instead of following the correct timer for each token type.

 

The following is an example with FortiToken and local users.

 

FortiGate values for the SSL VPN timeouts and the global timeouts for each 2FA token type:

 

FGVM04TM24003657 (settings) # get | grep timeout
idle-timeout : 300
auth-timeout : 28800
login-timeout : 120
set two-factor-ftk-expiry 300
set two-factor-ftm-expiry 168

 

In the debug output, the session is closed before the token timeout expires:

 

2024-08-31 16:19:30 [2343:root:c]allocSSLConn:310 sconn 0x7f064f855800 (0:root) -------------> Session created.
2024-08-31 16:19:31 [796] create_auth_token_session-Created auth token session 363279387
2024-08-31 16:19:51 [2344:root:c]Timeout for connection 0x7f064f855800. -----> Session closed due to timeout.

 

When the user enters the token after 30 seconds, the debug output shows an error indicating that there is no session information:

 

2024-08-31 16:20:33 [2342:root:d]rmt_web_auth_info_parser_common:525 no session id in auth info
2024-08-31 16:20:33 [2342:root:d]rmt_web_access_check:793 access failed, uri=[/remote/logincheck],ret=4103,
2024-08-31 16:20:33 [2342:root:d]fsv_logincheck_common_handler:1350 user 'acardona' has a matched local entry.
2024-08-31 16:20:33 [2342:root:d]got checking id 1-30d489eb
2024-08-31 16:20:33 [2342:root:0]fsv_logincheck_common_handler:1479 token_type = 0, time_out = 30


This issue (ID 893190) is resolved in FortiOS 7.2.10.

Note: Open a ticket with TAC to request more information about this issue.
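
To check a saved SSL VPN debug capture for this behaviour, the following added example (not Fortinet code and not part of the original article) correlates connection creation and timeout lines and compares them with the expected token expiry. The function name `find_early_timeouts` and its parameters are hypothetical, and the script assumes the debug line format shown above.

```python
import re
from datetime import datetime

# Subset of the debug lines shown in the article (arrow annotations removed).
SAMPLE_LOG = """\
2024-08-31 16:19:30 [2343:root:c]allocSSLConn:310 sconn 0x7f064f855800 (0:root)
2024-08-31 16:19:31 [796] create_auth_token_session-Created auth token session 363279387
2024-08-31 16:19:51 [2344:root:c]Timeout for connection 0x7f064f855800.
2024-08-31 16:20:33 [2342:root:d]rmt_web_auth_info_parser_common:525 no session id in auth info
2024-08-31 16:20:33 [2342:root:0]fsv_logincheck_common_handler:1479 token_type = 0, time_out = 30
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
CREATED = re.compile(TS + r" .*allocSSLConn:\d+ sconn (0x[0-9a-f]+)")
TIMEOUT = re.compile(TS + r" .*Timeout for connection (0x[0-9a-f]+)")
LOGIN = re.compile(TS + r" .*token_type = (\d+), time_out = (\d+)")
NO_SESSION = "no session id in auth info"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_early_timeouts(log_text, expected_expiry):
    """Return (findings, lost_session). Findings list connections closed before
    expected_expiry seconds and logincheck lines with a shorter time_out."""
    created, findings = {}, []
    lost_session = False
    for line in log_text.splitlines():
        if NO_SESSION in line:
            lost_session = True  # token was submitted after the session was gone
        if m := CREATED.search(line):
            created[m.group(2)] = parse_ts(m.group(1))
        elif m := TIMEOUT.search(line):
            start = created.pop(m.group(2), None)
            if start is not None:  # ignore timeouts with no matching creation line
                life = int((parse_ts(m.group(1)) - start).total_seconds())
                if life < expected_expiry:
                    findings.append(("closed_early", m.group(2), life))
        elif m := LOGIN.search(line):
            if int(m.group(3)) < expected_expiry:
                findings.append(("short_time_out", m.group(2), int(m.group(3))))
    return findings, lost_session

if __name__ == "__main__":
    # 300 is the two-factor-ftk-expiry value from the article's example.
    findings, lost = find_early_timeouts(SAMPLE_LOG, 300)
    for finding in findings:
        print(finding)
    print("no-session error seen:", lost)
```

Pass the expiry configured for the token type in use as `expected_expiry`; any finding means the SSL VPN session was dropped, or a shorter timer applied, before that expiry.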