OS: Linux
Kernel: 6.9.3
FortiClient VPN Version: 7.4.0.1636
I have been connecting to this network for months. This morning, when trying to connect, I had this on my console output:
Create VPN network interface failed
Now the usual way of connection just does not work. Here are my log outputs:
sslvpn.log
20240614 14:13:09.997 TZ=+0100 [sslvpn:INFO] main:1817 Init
20240614 14:13:09.000 TZ=+0100 [sslvpn:INFO] main:622 Load profile: eicon
20240614 14:13:09.002 TZ=+0100 [sslvpn:DEBG] main:631 Inherit local DNS: No
20240614 14:13:09.002 TZ=+0100 [sslvpn:DEBG] main:644 DNS service resetting interval: 0
20240614 14:13:09.002 TZ=+0100 [sslvpn:INFO] main:329 Get DBUS session bus address
20240614 14:13:10.004 TZ=+0100 [sslvpn:DEBG] main:333 Failed to find DBUS session bus address in dbus-daemon, try to find in dbus-broker
20240614 14:13:10.005 TZ=+0100 [sslvpn:DEBG] main:393 get passwd: true, get cert passwd: false, get user input: false
20240614 14:13:10.018 TZ=+0100 [sslvpn:INFO] main:329 Get DBUS session bus address
20240614 14:13:10.020 TZ=+0100 [sslvpn:DEBG] main:333 Failed to find DBUS session bus address in dbus-daemon, try to find in dbus-broker
20240614 14:13:10.021 TZ=+0100 [sslvpn:INFO] main:1288 Load profile: eicon
20240614 14:13:10.022 TZ=+0100 [sslvpn:DEBG] main:1676 FCT UID: 4EDEF716958543398A8C4A27C64F422D
20240614 14:13:10.023 TZ=+0100 [sslvpn:DEBG] main:1691 EMS not registed
20240614 14:13:10.023 TZ=+0100 [sslvpn:DEBG] main:1704 Public IP is not set
20240614 14:13:10.023 TZ=+0100 [sslvpn:INFO] main:1481 State: Connecting
20240614 14:13:10.034 TZ=+0100 [sslvpn:DEBG] vpn_connection:1506 Server URL: https://MY_NETWORK_HOSTNAME
20240614 14:13:10.047 TZ=+0100 [sslvpn:INFO] main:1481 State: Logging in
20240614 14:13:10.047 TZ=+0100 [sslvpn:INFO] vpn_connection:1944 /remote/info
20240614 14:13:14.391 TZ=+0100 [sslvpn:DEBG] vpn_connection:406 https server 'MY_NETWORK_HOSTNAME' has this certificate, which looks good to me:
20240614 14:13:14.839 TZ=+0100 [sslvpn:DEBG] vpn_connection:599 http connection closed.
20240614 14:13:14.839 TZ=+0100 [sslvpn:DEBG] vpn_connection:478 Response line: 200 OK
20240614 14:13:14.839 TZ=+0100 [sslvpn:INFO] sslvpn:92 ApiEncMethod: 0
20240614 14:13:14.839 TZ=+0100 [sslvpn:INFO] sslvpn:93 ApiRemoteAuthTimeout: 30
20240614 14:13:14.839 TZ=+0100 [sslvpn:INFO] sslvpn:94 ApiServerSalt: 1c941201
20240614 14:13:14.839 TZ=+0100 [sslvpn:INFO] sslvpn:95 flag: 15583
20240614 14:13:14.839 TZ=+0100 [sslvpn:INFO] vpn_connection:1944 /remote/login
20240614 14:13:18.690 TZ=+0100 [sslvpn:DEBG] vpn_connection:406 https server 'MY_NETWORK_HOSTNAME' has this certificate, which looks good to me:
20240614 14:13:19.198 TZ=+0100 [sslvpn:DEBG] vpn_connection:599 http connection closed.
20240614 14:13:19.200 TZ=+0100 [sslvpn:DEBG] vpn_connection:478 Response line: 200 OK
20240614 14:13:19.200 TZ=+0100 [sslvpn:INFO] vpn_connection:1944 /remote/logincheck
20240614 14:13:22.887 TZ=+0100 [sslvpn:DEBG] vpn_connection:406 https server 'MY_NETWORK_HOSTNAME' has this certificate, which looks good to me:
20240614 14:13:23.406 TZ=+0100 [sslvpn:DEBG] vpn_connection:599 http connection closed.
20240614 14:13:23.406 TZ=+0100 [sslvpn:DEBG] vpn_connection:478 Response line: 200 OK
20240614 14:13:23.406 TZ=+0100 [sslvpn:INFO] sslvpn:234 Authentication passed.
20240614 14:13:23.406 TZ=+0100 [sslvpn:INFO] vpn_connection:1944 /remote/fortisslvpn
20240614 14:13:27.189 TZ=+0100 [sslvpn:DEBG] vpn_connection:406 https server 'MY_NETWORK_HOSTNAME' has this certificate, which looks good to me:
20240614 14:13:27.800 TZ=+0100 [sslvpn:DEBG] vpn_connection:599 http connection closed.
20240614 14:13:27.800 TZ=+0100 [sslvpn:DEBG] vpn_connection:478 Response line: 200 OK
20240614 14:13:27.800 TZ=+0100 [sslvpn:INFO] vpn_connection:1944 /remote/fortisslvpn_xml
20240614 14:13:31.694 TZ=+0100 [sslvpn:DEBG] vpn_connection:406 https server 'MY_NETWORK_HOSTNAME' has this certificate, which looks good to me:
20240614 14:13:32.819 TZ=+0100 [sslvpn:DEBG] vpn_connection:599 http connection closed.
20240614 14:13:32.820 TZ=+0100 [sslvpn:DEBG] vpn_connection:478 Response line: 200 OK
20240614 14:13:32.820 TZ=+0100 [sslvpn:DEBG] server_response_parser:114 DTLS config heartbeat interval: 3
20240614 14:13:32.820 TZ=+0100 [sslvpn:DEBG] server_response_parser:115 DTLS config heartbeat fail count: 3
20240614 14:13:32.820 TZ=+0100 [sslvpn:DEBG] server_response_parser:116 DTLS config heartbeat idle timeout: 3
20240614 14:13:32.820 TZ=+0100 [sslvpn:DEBG] server_response_parser:117 DTLS config client hello timeout: 10
20240614 14:13:32.820 TZ=+0100 [sslvpn:INFO] vpn_connection:1944 /remote/portal
20240614 14:13:36.611 TZ=+0100 [sslvpn:DEBG] vpn_connection:406 https server 'MY_NETWORK_HOSTNAME' has this certificate, which looks good to me:
20240614 14:13:37.219 TZ=+0100 [sslvpn:DEBG] vpn_connection:599 http connection closed.
20240614 14:13:37.220 TZ=+0100 [sslvpn:DEBG] vpn_connection:478 Response line: 200 OK
20240614 14:13:37.220 TZ=+0100 [sslvpn:INFO] sslvpn:463 /remote/portal username extracted thiago.sousa
20240614 14:13:37.220 TZ=+0100 [sslvpn:DEBG] vpn_connection:1359 Login process end on status: 0
20240614 14:13:37.220 TZ=+0100 [sslvpn:INFO] sslvpn:824 Login successful
20240614 14:13:37.254 TZ=+0100 [sslvpn:INFO] main:1481 State: Configuring tunnel
20240614 14:13:37.259 TZ=+0100 [sslvpn:EROR] vif:32 Failed open tun device
20240614 14:13:37.259 TZ=+0100 [sslvpn:EROR] vpn_connection:1627 Create VPN network interface failed
20240614 14:13:37.265 TZ=+0100 [sslvpn:DEBG] dns:73 Restore DNS config
20240614 14:13:37.265 TZ=+0100 [sslvpn:DEBG] dns:77 No DNS backup file was found. Skip.
20240614 14:13:37.265 TZ=+0100 [sslvpn:DEBG] mtu:116 Restore MTU.
20240614 14:13:37.265 TZ=+0100 [sslvpn:DEBG] mtu:120 No MTU backup file was found. Skip.
20240614 14:13:37.265 TZ=+0100 [sslvpn:DEBG] route:160 clean up route...
20240614 14:13:37.265 TZ=+0100 [sslvpn:DEBG] route:164 Cleanup file not found
20240614 14:13:37.265 TZ=+0100 [sslvpn:DEBG] main:1911 exception: Create VPN network interface failed
20240614 14:13:37.286 TZ=+0100 [sslvpn:INFO] main:1817 Init
20240614 14:13:37.286 TZ=+0100 [sslvpn:INFO] main:1829 VPN is running in restore DNS mode
20240614 14:13:37.291 TZ=+0100 [sslvpn:DEBG] dns:73 Restore DNS config
20240614 14:13:37.291 TZ=+0100 [sslvpn:DEBG] dns:77 No DNS backup file was found. Skip.
20240614 14:13:37.291 TZ=+0100 [sslvpn:DEBG] mtu:116 Restore MTU.
20240614 14:13:37.291 TZ=+0100 [sslvpn:DEBG] mtu:120 No MTU backup file was found. Skip.
Any ideas on what might be misconfigured?
@hbac
I had an older version installed, do not remember which one. The error started happening, then I removed the version I had and downloaded the latest one available. The error persisted.
I do not know why, but this Monday morning when I tried connecting it just connected. Even though it does not work through the CLI anymore I managed to connect through the GUI app.
I did not change anything on my system since the post, but the error stopped so I'm closing the post.
Hello @thiagojdb,
It looks like the client fails setting up the tunnel:
20240614 14:13:37.259 TZ=+0100 [sslvpn:EROR] vif:32 Failed open tun device
20240614 14:13:37.259 TZ=+0100 [sslvpn:EROR] vpn_connection:1627 Create VPN network interface failed
As hbac you can try with several forticlient versions if it will work, otherwise enable the debug on FGT:
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug enable
Additionally, check the timeout settings:
@ndumaj
I do not know why, but this Monday morning when I tried connecting it just connected. Even though it does not work through the CLI anymore I managed to connect through the GUI app.
I did not change anything on my system since the post, but the error stopped so I'm closing the post.
Oh, btw, what is this diag command you mentioned? In case this happens again I can expand the logs.
The only executables I got from the install are forticlient and fortivpn (which apparently is just a shortcut for running forticlient vpn).
Thank you for your time.
Hi @thiagojdb
Nice to hear that it worked,
The diag will check the authentication process "FNBAM Daemon" and SSLVPN.
From the guide, I found only this:
https://docs.fortinet.com/document/forticlient/7.4.0/linux-release-notes/580078
forticlient
command.forticlient
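Added example, not part of the thread and not FortiClient code: a small Python parser for the sslvpn.log line layout shown in the question. It tags each EROR line with the client state it occurred in and whether "Authentication passed." had already been logged, which separates a login failure from a local tunnel-setup failure. The `summarize` helper and its field names are assumptions made for this illustration; the sample lines are copied from the posted log.

```python
import re

# Line layout of the sslvpn.log excerpt on this page:
#   YYYYMMDD HH:MM:SS.mmm TZ=+hhmm [sslvpn:LEVEL] module:line message
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) TZ=(?P<tz>[+-]\d{4}) "
    r"\[sslvpn:(?P<level>[A-Z]+)\] (?P<module>\w+):(?P<line>\d+) (?P<msg>.*)$"
)

# Lines copied from the log posted above (a subset, unmodified).
SAMPLE = """\
20240614 14:13:09.997 TZ=+0100 [sslvpn:INFO] main:1817 Init
20240614 14:13:10.023 TZ=+0100 [sslvpn:INFO] main:1481 State: Connecting
20240614 14:13:10.047 TZ=+0100 [sslvpn:INFO] main:1481 State: Logging in
20240614 14:13:23.406 TZ=+0100 [sslvpn:INFO] sslvpn:234 Authentication passed.
20240614 14:13:37.220 TZ=+0100 [sslvpn:INFO] sslvpn:824 Login successful
20240614 14:13:37.254 TZ=+0100 [sslvpn:INFO] main:1481 State: Configuring tunnel
20240614 14:13:37.259 TZ=+0100 [sslvpn:EROR] vif:32 Failed open tun device
20240614 14:13:37.259 TZ=+0100 [sslvpn:EROR] vpn_connection:1627 Create VPN network interface failed
20240614 14:13:37.286 TZ=+0100 [sslvpn:INFO] main:1817 Init
20240614 14:13:37.286 TZ=+0100 [sslvpn:INFO] main:1829 VPN is running in restore DNS mode
"""

def summarize(log_text):
    """Track client state per run and tag each EROR line with that state."""
    states, errors, skipped = [], [], 0
    state, authenticated = None, False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            skipped += bool(raw.strip())  # count non-blank lines that do not parse
            continue
        msg = m["msg"]
        if m["module"] == "main" and msg == "Init":
            state, authenticated = None, False  # a new client run begins
        elif msg.startswith("State: "):
            state = msg[len("State: "):]
            states.append(state)
        elif msg == "Authentication passed.":
            authenticated = True
        if m["level"] == "EROR":
            errors.append({"time": m["time"], "state": state,
                           "authenticated": authenticated,
                           "where": f"{m['module']}:{m['line']}", "msg": msg})
    return {"states": states, "errors": errors, "skipped": skipped}

if __name__ == "__main__":
    for err in summarize(SAMPLE)["errors"]:
        print(err)
```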