jiyong
Staff
Article Id 260630
Description This article describes how to solve the error 'Credential or SSLVPN configuration is wrong. (-7200)' that occurs during an SSL VPN login.
Scope FortiGate 7.0.
Solution

The error in the GUI:

 

date=2023-06-16 time=17:46:09 eventtime=1686905169441057904 tz="+0900" logid="0101039425" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-web" tunnelid=19067030 remip=10.200.20.10 user="guest" group="N/A" dst_host="N/A" reason="tunnel connection setup timeout" duration=32 sentbyte=0 rcvdbyte=0 msg="SSL tunnel shutdown"
date=2023-06-16 time=17:45:57 eventtime=1686905157425931211 tz="+0900" logid="0101039944" type="event" subtype="vpn" level="error" vd="root" logdesc="SSL VPN alert" action="ssl-alert" tunneltype="ssl" tunnelid=0 remip=10.200.20.10 user="N/A" group="N/A" dst_host="N/A" reason="warning" desc="close notify" msg="SSL alerts"
date=2023-06-16 time=17:45:37 eventtime=1686905137405436816 tz="+0900" logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=19067030 remip=10.200.20.10 srccountry="Reserved" user="guest" group="N/A" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"
date=2023-06-16 time=17:45:37 eventtime=1686905137367253443 tz="+0900" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=0 remip=10.200.20.10 srccountry="Reserved" user="N/A" group="N/A" dst_host="N/A" fctuid="N/A" reason="N/A" msg="SSL new connection"
date=2023-06-16 time=17:45:37 eventtime=1686905137310940065 tz="+0900" logid="0101039946" type="event" subtype="vpn" level="error" vd="root" logdesc="SSL VPN exit error" action="ssl-exit-error" tunneltype="ssl" tunnelid=0 remip=10.200.20.10 srccountry="Reserved" user="N/A" group="N/A" dst_host="N/A" fctuid="N/A" reason="N/A" msg="SSL exit error"

 


In the CLI:

 

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

[2612:root:1b]deconstruct_session_id:716 decode session id ok, user=[guest], group=[],authserver=[],portal=[full-access],host[10.200.20.10],realm=[],csrf_token=[D3D4129C5AB9CB25CDCE01CCF8E40],idx=0,auth=1,sid=2d772154,login=1686904099,access=1686904099,saml_logout_url=no,pip=no,grp_info=[4xAcoJ],rmt_grp_info=[]
[2612:root:1b]rmt_web_auth_info_parser_common:557 authentication required
[2612:root:1b]rmt_web_access_check:776 access failed, uri=[/remote/logout],ret=4103,
[2612:root:1b]SSL state:fatal decode error (10.200.20.10)
[2612:root:0]ap_read,105, error=1, errno=0 ssl 0x7f3bb1bb6000 Success. error:0A000126:SSL routines::unexpected eof while reading
[2612:root:1b]sslvpn_read_request_common,684, ret=-1 error=-1, sconn=0x7f3bb2854800.
[2612:root:1b]Destroy sconn 0x7f3bb2854800, connSize=0. (root)

 

This may occur for several reasons:

  1. The user ID or password is incorrect.
  2. The 'Internet Options -> Security -> Security Level for this zone' setting is 'High'.

 

To fix the second case, reduce the security level from 'High' to 'Medium-high' or 'Medium'.
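
The event logs above show a login that succeeded ('login successfully') followed by a tunnel-down on the same tunnelid with reason 'tunnel connection setup timeout' and zero bytes in both directions. The Python below is an added example, not part of the original article or Fortinet tooling: it parses exported event log lines and lists sessions matching that sequence. The field names come from the logs above; the function names and the second sample session are constructed, and treating a match as "credentials accepted, so check the second cause" is an assumption.

```python
import re

# key=value pairs; a value is either a "quoted string" or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one FortiGate event log line into a dict of field -> string."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def find_setup_timeouts(lines):
    """Pair each successful tunnel-up with a tunnel-down on the same tunnelid
    that timed out during setup without moving any bytes."""
    events = [parse_line(l) for l in lines if l.strip()]
    events.sort(key=lambda e: int(e.get("eventtime", 0)))  # the page lists newest first
    logins, hits = {}, []
    for e in events:
        tid, action, reason = e.get("tunnelid"), e.get("action"), e.get("reason")
        if action == "tunnel-up" and reason == "login successfully":
            logins[tid] = e
        elif action == "tunnel-down" and tid in logins:
            up = logins.pop(tid)
            if (reason == "tunnel connection setup timeout"
                    and e.get("sentbyte") == "0" and e.get("rcvdbyte") == "0"):
                hits.append({"user": up.get("user"), "remip": up.get("remip"),
                             "tunnelid": tid, "duration": int(e.get("duration", 0))})
    return hits

# First three lines: abbreviated from the article's logs. Last two: a constructed
# session that moved traffic (its reason value is a placeholder); it must not match.
SAMPLE_LOGS = [
    'eventtime=1686905169441057904 subtype="vpn" action="tunnel-down" tunneltype="ssl-web" tunnelid=19067030 remip=10.200.20.10 user="guest" reason="tunnel connection setup timeout" duration=32 sentbyte=0 rcvdbyte=0',
    'eventtime=1686905157425931211 subtype="vpn" action="ssl-alert" tunneltype="ssl" tunnelid=0 remip=10.200.20.10 user="N/A" reason="warning" desc="close notify"',
    'eventtime=1686905137405436816 subtype="vpn" action="tunnel-up" tunneltype="ssl-web" tunnelid=19067030 remip=10.200.20.10 user="guest" reason="login successfully"',
    'eventtime=1686905900000000000 subtype="vpn" action="tunnel-down" tunneltype="ssl-web" tunnelid=19067031 remip=10.200.20.11 user="alice" reason="N/A" duration=700 sentbyte=5120 rcvdbyte=20480',
    'eventtime=1686905200000000000 subtype="vpn" action="tunnel-up" tunneltype="ssl-web" tunnelid=19067031 remip=10.200.20.11 user="alice" reason="login successfully"',
]

if __name__ == "__main__":
    for hit in find_setup_timeouts(SAMPLE_LOGS):
        print(hit)
```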

 


Note:
Starting from v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN'.

 

Related documents:

Technical Tip: Unable to establish the SSL VPN connection on Windows server
Troubleshooting Tip: SSL VPN Troubleshooting 

SSL VPN tunnel mode replaced with IPsec VPN