Hello, We have virtual Fortigate Deployed in VMWARE, We are trying to configure Dial-up VPN with cert authentication, but we get "XAUTH authentication failed" error, also in debug we see "fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked"
What it can be and how fix?
Hi,
Have you followed the instructions from this guide ?
Yes, did it as showed in guide
It would help if you could share a sanitized CLI config of your phase1 settings for the tunnel.
# show vpn ipsec phase1-interface <tunnel-name>
Feel free to redact IPs/hostnames/PSKs, but please leave the rest as-is.
config vpn ipsec phase1-interface
edit "ios-test-dialup"
set type dynamic
set interface *
set authmethod signature
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 *
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dhgrp 14 5 2
set xauthtype auto
set certificate *
set peer "ldap-peer"
set ipv4-start-ip *
set ipv4-end-ip *
set ipv4-split-include "ios-test-dialup_split"
set unity-support disable
Two points I have feedback on:
Created on 11-25-2024 08:06 AM Edited on 11-25-2024 08:09 AM
1 - Groups in phase-1 or access rule policy?
2 - [718] __cert_build_chain-req_id=458910229
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910229
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[490] __check_add_peer-check 'ldap-peer'
[77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'ldap-peer'
[497] __check_add_peer-'ldap-peer' check ret:pending
[709] fnbamd_cert_check_group_list-LDAP servers
[712] fnbamd_cert_check_group_list- 'DC01', (Principle-Name), ref=2
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'ldap-peer' ('DC01','N/A')
[876] __cert_verify_do_next-req_id=458910229
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[623] __cert_status_query-req_id=458910229
[419] __cert_ldap_query-req_id=458910229
[426] __cert_ldap_query-LDAP query, idx 0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1728] fnbamd_ldap_init-search base is: dc=test,dc=loc
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x30c 'dc-01.test.loc'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x230c 'dc-01.test.loc'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[543] __cert_ocsp_query-req_id=458910229
[551] __cert_ocsp_query-Nothing to do.
[953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=458910229
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=458910229
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x30c
[306] fnbamd_dns_parse_resp-req 0x30c: IP_Address
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to IP_Address, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts DC01:dc-01.test.loc, addr IP_Address over SSL
[880] __fnbamd_ldap_start_conn-Still connecting IP_Address.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x230c
[266] fnbamd_dns_parse_resp-req 0x30c: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x30c (0x1108b9c0) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to ::, cur stack size:0
[1108] __ldap_connect-tcps_connect(IP_Address) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=svc.test,OU=Test3,OU=Test2,OU=Test,DC=test,DC=loc'
[1083] fnbamd_ldap_send-sending 96 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=loc' filter:(&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1083] fnbamd_ldap_send-sending 143 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 78
[1306] fnbamd_ldap_recv-Response len: 80, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[1023] fnbamd_ldap_parse_response-ret=0
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=test.user,OU=Test3,OU=Test2,OU=Test,DC=test,DC=com'
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 55
[1306] fnbamd_ldap_recv-Response len: 57, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[621] __ldap_membership_next-Auth accepted
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'DC01'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with IP_Address destroyed.
[377] __cert_ldap_query_cb-LDAP ret=0, server='DC01', req_id=458910229
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[755] __ldap_destroy-
[271] __cert_resume-req_id=458910229
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910229
[1654] fnbamd_auth_session_done-Session done, id=458910229
[966] __fnbamd_cert_auth_run-Exit, req_id=458910229
[1645] __auth_cert_session_done-id=458910229
[1610] auth_cert_success-id=458910229
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910229
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910229
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910229, len=2547
[1555] destroy_auth_cert_session-id=458910229
[1041] fnbamd_cert_auth_uninit-req_id=458910229
[755] __ldap_destroy-
[131] fnbamd_peer_ctx_free-Freeing peer ctx 'ldap-peer'
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC01' ctx
ike shrank heap by 143360 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
[2487] handle_req-Rcvd auth_cert req id=458910230, len=1128, opt=0
[983] __cert_auth_ctx_init-req_id=458910230, opt=0
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[669] __cert_init-req_id=458910230
[718] __cert_build_chain-req_id=458910230
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910230
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[876] __cert_verify_do_next-req_id=458910230
[99] __cert_chg_st- 'Validation' -> 'Done'
[921] __cert_done-req_id=458910230
[1654] fnbamd_auth_session_done-Session done, id=458910230
[966] __fnbamd_cert_auth_run-Exit, req_id=458910230
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=458910230
[1610] auth_cert_success-id=458910230
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910230
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910230
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910230, len=2536
[1555] destroy_auth_cert_session-id=458910230
[1041] fnbamd_cert_auth_uninit-req_id=458910230
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
[2487] handle_req-Rcvd auth_cert req id=458910231, len=1128, opt=0
[983] __cert_auth_ctx_init-req_id=458910231, opt=0
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[669] __cert_init-req_id=458910231
[718] __cert_build_chain-req_id=458910231
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910231
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[876] __cert_verify_do_next-req_id=458910231
[99] __cert_chg_st- 'Validation' -> 'Done'
[921] __cert_done-req_id=458910231
[1654] fnbamd_auth_session_done-Session done, id=458910231
[966] __fnbamd_cert_auth_run-Exit, req_id=458910231
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=458910231
[1610] auth_cert_success-id=458910231
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910231
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910231
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910231, len=2536
[1555] destroy_auth_cert_session-id=458910231
[1041] fnbamd_cert_auth_uninit-req_id=458910231
[2487] handle_req-Rcvd auth_cert req id=458910232, len=1139, opt=6
[983] __cert_auth_ctx_init-req_id=458910232, opt=6
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
[669] __cert_init-req_id=458910232
[718] __cert_build_chain-req_id=458910232
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910232
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[490] __check_add_peer-check 'ldap-peer'
[77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'ldap-peer'
[497] __check_add_peer-'ldap-peer' check ret:pending
[709] fnbamd_cert_check_group_list-LDAP servers
[712] fnbamd_cert_check_group_list- 'DC01', (Principle-Name), ref=2
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'ldap-peer' ('DC01','N/A')
[876] __cert_verify_do_next-req_id=458910232
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[623] __cert_status_query-req_id=458910232
[419] __cert_ldap_query-req_id=458910232
[426] __cert_ldap_query-LDAP query, idx 0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1728] fnbamd_ldap_init-search base is: dc=test,dc=loc
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x30d 'dc-01.test.loc'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x230d 'dc-01.test.loc'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[543] __cert_ocsp_query-req_id=458910232
[551] __cert_ocsp_query-Nothing to do.
[953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=458910232
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=458910232
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x30d
[306] fnbamd_dns_parse_resp-req 0x30d: IP_Address
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to IP_Address, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts DC01:dc-01.test.loc, addr IP_Address over SSL
[880] __fnbamd_ldap_start_conn-Still connecting IP_Address.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x230d
[266] fnbamd_dns_parse_resp-req 0x30d: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x30d (0x1108b9c0) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to ::, cur stack size:0
[1108] __ldap_connect-tcps_connect(IP_Address) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=svc.test,OU=Test3,OU=Test2,OU=Test,DC=test,DC=loc'
[1083] fnbamd_ldap_send-sending 96 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=loc' filter:(&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1083] fnbamd_ldap_send-sending 143 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 78
[1306] fnbamd_ldap_recv-Response len: 80, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[1023] fnbamd_ldap_parse_response-ret=0
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=test.user,OU=Test3,OU=Test2,OU=Test,DC=test,DC=com'
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 55
[1306] fnbamd_ldap_recv-Response len: 57, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[621] __ldap_membership_next-Auth accepted
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'DC01'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with IP_Address destroyed.
[377] __cert_ldap_query_cb-LDAP ret=0, server='DC01', req_id=458910232
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[755] __ldap_destroy-
[271] __cert_resume-req_id=458910232
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910232
[1654] fnbamd_auth_session_done-Session done, id=458910232
[966] __fnbamd_cert_auth_run-Exit, req_id=458910232
[1645] __auth_cert_session_done-id=458910232
[1610] auth_cert_success-id=458910232
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910232
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910232
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910232, len=2547
[1555] destroy_auth_cert_session-id=458910232
[1041] fnbamd_cert_auth_uninit-req_id=458910232
[755] __ldap_destroy-
[131] fnbamd_peer_ctx_free-Freeing peer ctx 'ldap-peer'
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC01' ctx
ike shrank heap by 143360 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1 interface 0 router 0 certs 0
[2435] fnbamd_peer_user_free-Freeing 'ios-test-dialup_peer'
[2435] fnbamd_peer_user_free-Freeing 'ldap-peer'
[2509] fnbamd_peer_user_create-'ldap-peer'
[2528] fnbamd_peer_user_create-Peer users are created, vfid=0, total=1
ike config update start
ike ike_embryonic_conn_limit = 10000
ike ikecrypt DH multi-process enabled
ike config update done
ike 0: cache rebuild done
ike 0:*: ignoring request to establish IPsec SA, interface is administratively down
ike shrank heap by 135168 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1 interface 0 router 0 certs 0
1 - Groups in Phase-1? or in acl?
2 -
[718] __cert_build_chain-req_id=458910229
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910229
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[490] __check_add_peer-check 'ldap-peer'
[77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'ldap-peer'
[497] __check_add_peer-'ldap-peer' check ret:pending
[709] fnbamd_cert_check_group_list-LDAP servers
[712] fnbamd_cert_check_group_list- 'DC01', (Principle-Name), ref=2
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'ldap-peer' ('DC01','N/A')
[876] __cert_verify_do_next-req_id=458910229
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[623] __cert_status_query-req_id=458910229
[419] __cert_ldap_query-req_id=458910229
[426] __cert_ldap_query-LDAP query, idx 0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1728] fnbamd_ldap_init-search base is: dc=test,dc=loc
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x30c 'dc-01.test.loc'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x230c 'dc-01.test.loc'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[543] __cert_ocsp_query-req_id=458910229
[551] __cert_ocsp_query-Nothing to do.
[953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=458910229
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=458910229
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x30c
[306] fnbamd_dns_parse_resp-req 0x30c: IP_Address
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to IP_Address, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts DC01:dc-01.test.loc, addr IP_Address over SSL
[880] __fnbamd_ldap_start_conn-Still connecting IP_Address.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x230c
[266] fnbamd_dns_parse_resp-req 0x30c: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x30c (0x1108b9c0) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to ::, cur stack size:0
[1108] __ldap_connect-tcps_connect(IP_Address) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=svc.test,OU=Test3,OU=Test2,OU=Test,DC=test,DC=loc'
[1083] fnbamd_ldap_send-sending 96 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=loc' filter:(&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1083] fnbamd_ldap_send-sending 143 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 78
[1306] fnbamd_ldap_recv-Response len: 80, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[1023] fnbamd_ldap_parse_response-ret=0
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=test.user,OU=Test3,OU=Test2,OU=Test,DC=test,DC=com'
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 55
[1306] fnbamd_ldap_recv-Response len: 57, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[621] __ldap_membership_next-Auth accepted
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'DC01'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with IP_Address destroyed.
[377] __cert_ldap_query_cb-LDAP ret=0, server='DC01', req_id=458910229
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[755] __ldap_destroy-
[271] __cert_resume-req_id=458910229
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910229
[1654] fnbamd_auth_session_done-Session done, id=458910229
[966] __fnbamd_cert_auth_run-Exit, req_id=458910229
[1645] __auth_cert_session_done-id=458910229
[1610] auth_cert_success-id=458910229
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910229
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910229
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910229, len=2547
[1555] destroy_auth_cert_session-id=458910229
[1041] fnbamd_cert_auth_uninit-req_id=458910229
[755] __ldap_destroy-
[131] fnbamd_peer_ctx_free-Freeing peer ctx 'ldap-peer'
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC01' ctx
ike shrank heap by 143360 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
[2487] handle_req-Rcvd auth_cert req id=458910230, len=1128, opt=0
[983] __cert_auth_ctx_init-req_id=458910230, opt=0
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[669] __cert_init-req_id=458910230
[718] __cert_build_chain-req_id=458910230
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910230
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[876] __cert_verify_do_next-req_id=458910230
[99] __cert_chg_st- 'Validation' -> 'Done'
[921] __cert_done-req_id=458910230
[1654] fnbamd_auth_session_done-Session done, id=458910230
[966] __fnbamd_cert_auth_run-Exit, req_id=458910230
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=458910230
[1610] auth_cert_success-id=458910230
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910230
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910230
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910230, len=2536
[1555] destroy_auth_cert_session-id=458910230
[1041] fnbamd_cert_auth_uninit-req_id=458910230
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
[2487] handle_req-Rcvd auth_cert req id=458910231, len=1128, opt=0
[983] __cert_auth_ctx_init-req_id=458910231, opt=0
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[669] __cert_init-req_id=458910231
[718] __cert_build_chain-req_id=458910231
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910231
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[876] __cert_verify_do_next-req_id=458910231
[99] __cert_chg_st- 'Validation' -> 'Done'
[921] __cert_done-req_id=458910231
[1654] fnbamd_auth_session_done-Session done, id=458910231
[966] __fnbamd_cert_auth_run-Exit, req_id=458910231
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=458910231
[1610] auth_cert_success-id=458910231
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910231
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910231
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910231, len=2536
[1555] destroy_auth_cert_session-id=458910231
[1041] fnbamd_cert_auth_uninit-req_id=458910231
[2487] handle_req-Rcvd auth_cert req id=458910232, len=1139, opt=6
[983] __cert_auth_ctx_init-req_id=458910232, opt=6
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
[669] __cert_init-req_id=458910232
[718] __cert_build_chain-req_id=458910232
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910232
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[490] __check_add_peer-check 'ldap-peer'
[77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'ldap-peer'
[497] __check_add_peer-'ldap-peer' check ret:pending
[709] fnbamd_cert_check_group_list-LDAP servers
[712] fnbamd_cert_check_group_list- 'DC01', (Principle-Name), ref=2
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'ldap-peer' ('DC01','N/A')
[876] __cert_verify_do_next-req_id=458910232
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[623] __cert_status_query-req_id=458910232
[419] __cert_ldap_query-req_id=458910232
[426] __cert_ldap_query-LDAP query, idx 0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1728] fnbamd_ldap_init-search base is: dc=test,dc=loc
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x30d 'dc-01.test.loc'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x230d 'dc-01.test.loc'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[543] __cert_ocsp_query-req_id=458910232
[551] __cert_ocsp_query-Nothing to do.
[953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=458910232
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=458910232
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x30d
[306] fnbamd_dns_parse_resp-req 0x30d: IP_Address
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to IP_Address, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts DC01:dc-01.test.loc, addr IP_Address over SSL
[880] __fnbamd_ldap_start_conn-Still connecting IP_Address.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x230d
[266] fnbamd_dns_parse_resp-req 0x30d: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x30d (0x1108b9c0) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to ::, cur stack size:0
[1108] __ldap_connect-tcps_connect(IP_Address) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=svc.test,OU=Test3,OU=Test2,OU=Test,DC=test,DC=loc'
[1083] fnbamd_ldap_send-sending 96 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=loc' filter:(&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1083] fnbamd_ldap_send-sending 143 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 78
[1306] fnbamd_ldap_recv-Response len: 80, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[1023] fnbamd_ldap_parse_response-ret=0
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=test.user,OU=Test3,OU=Test2,OU=Test,DC=test,DC=com'
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 55
[1306] fnbamd_ldap_recv-Response len: 57, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[621] __ldap_membership_next-Auth accepted
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'DC01'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with IP_Address destroyed.
[377] __cert_ldap_query_cb-LDAP ret=0, server='DC01', req_id=458910232
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[755] __ldap_destroy-
[271] __cert_resume-req_id=458910232
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910232
[1654] fnbamd_auth_session_done-Session done, id=458910232
[966] __fnbamd_cert_auth_run-Exit, req_id=458910232
[1645] __auth_cert_session_done-id=458910232
[1610] auth_cert_success-id=458910232
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910232
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910232
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910232, len=2547
[1555] destroy_auth_cert_session-id=458910232
[1041] fnbamd_cert_auth_uninit-req_id=458910232
[755] __ldap_destroy-
[131] fnbamd_peer_ctx_free-Freeing peer ctx 'ldap-peer'
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC01' ctx
ike shrank heap by 143360 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1 interface 0 router 0 certs 0
[2435] fnbamd_peer_user_free-Freeing 'ios-test-dialup_peer'
[2435] fnbamd_peer_user_free-Freeing 'ldap-peer'
[2509] fnbamd_peer_user_create-'ldap-peer'
[2528] fnbamd_peer_user_create-Peer users are created, vfid=0, total=1
ike config update start
ike ike_embryonic_conn_limit = 10000
ike ikecrypt DH multi-process enabled
ike config update done
ike 0: cache rebuild done
ike 0:*: ignoring request to establish IPsec SA, interface is administratively down
ike shrank heap by 135168 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1 interface 0 router 0 certs 0
1: Some user/group(s) need to be included either in the phase1 configuration (set xauthusrgrp ...) OR in firewall policies for this IPsec tunnel as source-interface. (one or the other, never both!)
2: The certificate validation is OK and a success:
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910229
[1654] fnbamd_auth_session_done-Session done, id=458910229
[966] __fnbamd_cert_auth_run-Exit, req_id=458910229
[1645] __auth_cert_session_done-id=458910229
[1610] auth_cert_success-id=458910229
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910229
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910229
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910229, len=2547
& the same for the second attempt seen in the debugs.
Try checking IKE debug output again. (or share it here if you need help)
I have this rule, is it enough?:
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.