Fortinet Forum
Ser_lis
New Contributor

Fortigate-100E log in fail.

We have two Fortigate-100E installed, operating in HA A-P mode. Periodically, when trying to log in using the http protocol, it fails to log in to the system. At the same time, the following errors appear when trying to log in:

# [httpsd 8077 - 1635755401] ap_invoke_handler[571] -- new request (handler='logincheck-handler', uri='/logincheck', method='POST')
[httpsd 8077 - 1635755401] ap_invoke_handler[575] -- User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 /
[httpsd 8077 - 1635755401] ap_invoke_handler[578] -- Source: 10.197.31.42:59957 Destination: 192.168.102.30:80
[httpsd 8077 - 1635755401] logincheck_handler[288] -- entering vdom for login_attempt (vdom='root')
[httpsd 8077 - 1635755401] logincheck_handler[322] -- login attempt OK, VDOM updated to 'root'
[httpsd 8077 - 1635755401] logincheck_handler[330] -- login_attempt (method=4, vdom='root', name='admin',admin_name='admin', rad_svr='')
[httpsd 8077 - 1635755401] output_response[45] -- sent response (status='1', buf='document.location="/ng/prompt?viewOnly&redir=%2Fng%2Fprompt%3FviewOnly%26redir%3D%252Fng%252Fprompt%253FviewOnly%2526redir%253D%25252Fng%25252Fprompt%25253FviewOnly%252526redir%25253D%2525252Fng%2525252F";
')
[httpsd 8077 - 1635755401] ap_invoke_handler[594] -- request completed (handler='logincheck-handler' result==0)
[httpsd 8077 - 1635755401] ap_invoke_handler[571] -- new request (handler='fortiweb-static-handler', uri='/ng/prompt?viewOnly&redir=%2Fng%2Fprompt%3FviewOnly%26redir%3D%252Fng%252Fprompt%253FviewOnly%2526redir%253D%25252Fng%25252Fprompt%25253FviewOnly%252526redir%25253D%2525252Fng%2525252F', method='GET')
[httpsd 8077 - 1635755401] ap_invoke_handler[575] -- User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 /
[httpsd 8077 - 1635755401] ap_invoke_handler[578] -- Source: 10.197.31.42:59957 Destination: 192.168.102.30:80
[httpsd 8077 - 1635755401] add_nocache_headers[242] -- Added no-cache headers to /migadmin/ng/index.html
[httpsd 8077 - 1635755401] ap_invoke_handler[594] -- request completed (handler='fortiweb-static-handler' result==0)
[httpsd 8077 - 1635755401] ap_invoke_handler[571] -- new request (handler='fortiweb-static-handler', uri='/47cd8bea87902fb8621fb8aaee6b7e36/js/fweb_build.js', method='GET')
[httpsd 8077 - 1635755401] ap_invoke_handler[575] -- User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 /
[httpsd 8077 - 1635755401] ap_invoke_handler[578] -- Source: 10.197.31.42:59957 Destination: 192.168.102.30:80
[httpsd 8077 - 1635755401] fortiweb_static_handler[289] -- Access denied: Not authorized to access the static resource file: /migadmin/js/fweb_build.js
[httpsd 8077 - 1635755401] ap_invoke_handler[594] -- request completed (handler='fortiweb-static-handler' result==401)
[httpsd 8077 - 1635755401] ap_internal_redirect[1443] -- internal redirect to '/p/pubredir/httperror/'
[httpsd 8077 - 1635755401] ap_invoke_handler[571] -- new request (handler='fastcgi-script', uri='/p/pubredir/httperror/', method='GET')
[httpsd 8077 - 1635755401] ap_invoke_handler[575] -- User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 /
[httpsd 8077 - 1635755401] ap_invoke_handler[578] -- Source: 10.197.31.42:59957 Destination: 192.168.102.30:80
[httpsd 18078 - 1635755401] aps_init_process_vdom[1200] -- initialized process vdom to 'root' (cookie='(null)')
[httpsd 8077 - 1635755401] ap_invoke_handler[594] -- request completed (handler='fastcgi-script' result==0)
[httpsd 8077 - 1635755401] ap_invoke_handler[571] -- new request (handler='login-handler', uri='/login?redir=%2Fng%2Fprompt%3FviewOnly%26redir%3D%252Fng%252Fprompt%253FviewOnly%2526redir%253D%25252Fng%25252Fprompt%25253FviewOnly%252526redir%25253D%2525252Fng%2525252Fprompt%2525253FviewOnly%25252526redir%2525253D%252525252Fng%252525252F', method='GET')
[httpsd 8077 - 1635755401] ap_invoke_handler[575] -- User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:45.0) Gecko/20100101 /
[httpsd 8077 - 1635755401] ap_invoke_handler[578] -- Source: 10.197.31.42:59957 Destination: 192.168.102.30:80
[httpsd 8077 - 1635755401] ap_invoke_handler[594] -- request completed (handler='login-handler' result==0).

It is possible to log in to the system only after rebooting the master device. But then this situation is repeated. What could be the reason for the failed login?
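
Added example, not part of the original post and not Fortinet code: a short Python triage of the httpsd debug lines quoted above. It reports whether the credentials were accepted, which resource was then denied, and how many nested redir= layers the login URL has accumulated. The four sample lines are copied from the post; the function names and the result layout are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# One httpsd debug line as it appears in the post: [httpsd PID - EPOCH] func[N] -- text
LINE = re.compile(r"\[httpsd (\d+) - (\d+)\] (\w+)\[\d+\] -- (.*)")
URI = re.compile(r"uri='([^']*)'")

def redir_depth(uri):
    """Count nested redir= parameters, peeling one URL-encoding layer per level."""
    depth = 0
    while "redir=" in uri:
        uri = unquote(uri.split("redir=", 1)[1])
        depth += 1
    return depth

def triage(lines):
    """Summarise one login exchange from httpsd debug output."""
    out = {"login_ok": False, "denied": [], "bounced_to_login": False,
           "max_redir_depth": 0}
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue  # not an httpsd debug line
        func, text = m.group(3), m.group(4)
        if func == "logincheck_handler" and "login attempt OK" in text:
            out["login_ok"] = True
        elif "Access denied" in text:
            out["denied"].append(text.rsplit(": ", 1)[-1])
        u = URI.search(text)
        if u:
            out["max_redir_depth"] = max(out["max_redir_depth"],
                                         redir_depth(u.group(1)))
            # Accepted login, then a denial, then back at the login page
            if out["login_ok"] and out["denied"] and "handler='login-handler'" in text:
                out["bounced_to_login"] = True
    return out

# Lines copied from the post above (not constructed)
SAMPLE = [
    "[httpsd 8077 - 1635755401] logincheck_handler[322] -- login attempt OK, VDOM updated to 'root'",
    "[httpsd 8077 - 1635755401] ap_invoke_handler[571] -- new request (handler='fortiweb-static-handler', uri='/47cd8bea87902fb8621fb8aaee6b7e36/js/fweb_build.js', method='GET')",
    "[httpsd 8077 - 1635755401] fortiweb_static_handler[289] -- Access denied: Not authorized to access the static resource file: /migadmin/js/fweb_build.js",
    "[httpsd 8077 - 1635755401] ap_invoke_handler[571] -- new request (handler='login-handler', uri='/login?redir=%2Fng%2Fprompt%3FviewOnly%26redir%3D%252Fng%252Fprompt%253FviewOnly%2526redir%253D%25252Fng%25252Fprompt%25253FviewOnly%252526redir%25253D%2525252Fng%2525252Fprompt%2525253FviewOnly%25252526redir%2525253D%252525252Fng%252525252F', method='GET')",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On these lines the result shows an accepted login followed by a denied static file and a return to the login page with five nested redir= layers, which is the loop visible in the post's log.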

5 REPLIES
xsilver_FTNT
Staff

Hi,

What's your FOS version?

Have you tried in incognito mode?

There were improvements to static content handling and those things like fweb_build.js are supposed to be cached in browser for quite some time.

Tom xSilver, planet Earth, over and out!

Ser_lis

Hi,

It's FOS v5. I have tried incognito mode and a different browser, and it hasn't helped me. The only effective thing was rebooting the device. So I suggest that the key to the issue is inside the Fortigate.

xsilver_FTNT

FOS 5.x.x .. respectively latest iteration 5.6.x should have that cached content handling fixed (since 5.4.1 and that was last time we saw this issue - in 2016).

Under normal circumstances I would suggest opening a technical trouble ticket in FortiCare, either directly as an end customer or through your Fortinet Partner (who, from a certain level of partnership, can open tickets straight at the 2nd level of TAC support).

But FortiOS 5.6, and therefore the whole of FOS 5.x, has reached:

- EOS (End of Support) on 2021-09-30 .. so you can try to open a TAC support ticket, but the probable first response would be a kind request to "upgrade" to a supported version.

- EOES (End of Engineering Support) on 2020-03-30, so even if it were a reproducible bug, I would not expect any fix for it.

 

More on product lifecycles here: https://support.fortinet.com/Information/ProductLifeCycle.aspx

 

It seems to me to be a bit of a rare issue.

 

One thing I would check is dynamic changes to config.

As it does happen after some time, fixed by reboot .. then check this system global setting "cfg-save".

If that is 'set cfg-save revert', then it allows dynamic changes to the config, but those are not permanent and will be saved/committed manually, and if there is no console activity for the time set in 'set cfg-revert-timeout', then the config will be reverted back to the last saved one, and all dynamic changes since that last manual config save will be lost.

 

Another thing. Is that admin local or remote (like from LDAP)?

If remote, I'd definitely check 'diag debug fnbamd 7' outputs. To see if the auth problem is not rooted there.

If local then 'authd' is the respective daemon to check as fnbamd handles outer active authentication connections.

 

If master reboot fixes that, then how's your HA .. slave unit will become master and you will face the same issue with that again? Again fix-able by reboot?

OR old master will become master again once booted up and so issue is de-facto within that single unit only?

 

One other thing to test, if possible, is to save the config, re-flash the firmware and restore the configs .. just in case it has something to do with the stored config and storage. But the probability of that is way too low.

 

And the last thing. I would start to plan migration to FortiOS 6.x version. Or at least latest 5.6.14 released as last version this August.

 

Tom xSilver, planet Earth, over and out!

ede_pfau
Esteemed Contributor III

Thorough analysis by xsilver. The only thing I would disagree with is staying with FOS v5. Just do the upgrade to a current version, to be on the safe side and to facilitate an FTNT support case in the future. There is literally not a single item that made life worse when I last upgraded from v5 to v6.0. With v6.2, I've got a memory leak issue at the moment, so I'd rather recommend v6.0.13.

And a 100E is a very capable device, with ample RAM. No worries here.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
xsilver_FTNT

ede_pfau wrote:

Thorough analysis by xsilver. Only thing I would disagree is to stay with FOS v5.

Thanks for the stars .. but I do not think I said 'stay with FOS v5'.

I do read second last sentence as "And the last thing. I would start to plan migration to FortiOS 6.x version."

 

But anyway, hints around 6.x are welcome. Amount of possible troubles depends heavily on amount of new/fancy features anyone uses, as old stuff should stay unbroken (I know, unfortunately it is not always the case, but chances are better that it will stay working if you use time-proven-to-work stuff). I do run 6.4 FOS with basic stuff and it's rock-solid.

 

Tom xSilver, planet Earth, over and out!