Support Forum
FG_User2
New Contributor

Dial-UP VPN

Hello, we have a virtual FortiGate deployed in VMware. We are trying to configure a dial-up VPN with cert authentication, but we get an "XAUTH authentication failed" error; also in the debug we see "fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked".

What can it be, and how do we fix it?

funkylicious
SuperUser

Hi,

Have you followed the instructions from this guide?

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/443323/dialup-ipsec-vpn-with-certificat...

"jack of all trades, master of none"
FG_User2

Yes, did it as shown in the guide.

pminarik
Staff

It would help if you could share a sanitized CLI config of your phase1 settings for the tunnel.

# show vpn ipsec phase1-interface <tunnel-name>

Feel free to redact IPs/hostnames/PSKs, but please leave the rest as-is.

[ corrections always welcome ]
FG_User2

config vpn ipsec phase1-interface
    edit "ios-test-dialup"
        set type dynamic
        set interface *
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 *
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5 2
        set xauthtype auto
        set certificate *
        set peer "ldap-peer"
        set ipv4-start-ip *
        set ipv4-end-ip *
        set ipv4-split-include "ios-test-dialup_split"
        set unity-support disable
    next
end

pminarik

Two points I have feedback on:

  1. You have XAUTH enabled, but no groups shown here. Do you have some in firewall policies created for this tunnel? (if not, XAUTH will fail for not having any users/groups configured to be accepted)
  2. For the certificate validation, we will need more output from fnbamd process for context.
[ corrections always welcome ]
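The first point above can be checked mechanically. The following is an added example written for this page (not code from Fortinet or from either poster): it parses a `phase1-interface` block as the CLI prints it and flags a tunnel whose `xauthtype` is enabled while neither the phase1 `authusrgrp` setting nor any firewall policy for the tunnel names a user group. The sample block is a constructed copy of the posted config (values redacted with `*` as in the thread); the list of policy groups is assumed to be supplied by the caller, since firewall policies live in a different config section. `authusrgrp` and `peergrp` are existing FortiOS phase1 settings; the check itself is the editor's, not a Fortinet tool.

```python
"""Lint a FortiOS phase1-interface block for the XAUTH/group mismatch raised
above.  Added example by the editor, not Fortinet code."""
import shlex
from typing import Dict, List

# Constructed sample mirroring the posted tunnel; '*' marks redacted values,
# and next/end close the block as the CLI prints it.
SAMPLE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "ios-test-dialup"
        set type dynamic
        set interface *
        set authmethod signature
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5 2
        set xauthtype auto
        set certificate *
        set peer "ldap-peer"
        set ipv4-split-include "ios-test-dialup_split"
    next
end
"""

Settings = Dict[str, List[str]]   # one tunnel: setting name -> value tokens


def parse_phase1(text: str) -> Dict[str, Settings]:
    """Parse config/edit/set/next/end lines into {tunnel name: settings}."""
    tunnels: Dict[str, Settings] = {}
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())      # handles the quoted names
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            tunnels[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            tunnels[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return tunnels


def check_xauth(settings: Settings, policy_groups: List[str]) -> List[str]:
    """Findings for one tunnel.  policy_groups are the user groups referenced
    by the firewall policies for this tunnel (assumed supplied by the caller;
    they live in another config section).  'xauthtype disable' is the FortiOS
    default, and authusrgrp is the phase1 setting that names the XAUTH group."""
    findings: List[str] = []
    xauth = settings.get("xauthtype", ["disable"])[0]
    if xauth != "disable" and not settings.get("authusrgrp") and not policy_groups:
        findings.append(
            "xauthtype %s but no user group: set authusrgrp on the phase1 or "
            "reference a group in the tunnel's firewall policies" % xauth)
    if settings.get("authmethod", [""])[0] == "signature" and not (
            settings.get("peer") or settings.get("peergrp")):
        findings.append("authmethod signature but no peer/peergrp to match the "
                        "client certificate against")
    return findings


def lint(text: str, policy_groups: List[str]) -> Dict[str, List[str]]:
    """Run the checks over every tunnel in a config dump."""
    return {name: check_xauth(s, policy_groups)
            for name, s in parse_phase1(text).items()}


if __name__ == "__main__":
    for tunnel, findings in lint(SAMPLE_PHASE1, policy_groups=[]).items():
        print(tunnel, "->", findings or "no findings")
```

Run against the posted block with an empty policy-group list, the linter reports exactly the situation described above: XAUTH is on, but nothing tells the FortiGate which users or groups may pass it.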
FG_User2

1 - Groups in phase-1 or access rule policy?
2 -
[718] __cert_build_chain-req_id=458910229
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910229
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[490] __check_add_peer-check 'ldap-peer'
[77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'ldap-peer'
[497] __check_add_peer-'ldap-peer' check ret:pending
[709] fnbamd_cert_check_group_list-LDAP servers
[712] fnbamd_cert_check_group_list- 'DC01', (Principle-Name), ref=2
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'ldap-peer' ('DC01','N/A')
[876] __cert_verify_do_next-req_id=458910229
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[623] __cert_status_query-req_id=458910229
[419] __cert_ldap_query-req_id=458910229
[426] __cert_ldap_query-LDAP query, idx 0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1728] fnbamd_ldap_init-search base is: dc=test,dc=loc
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x30c 'dc-01.test.loc'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x230c 'dc-01.test.loc'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[543] __cert_ocsp_query-req_id=458910229
[551] __cert_ocsp_query-Nothing to do.
[953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=458910229
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=458910229
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x30c
[306] fnbamd_dns_parse_resp-req 0x30c: IP_Address
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to IP_Address, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts DC01:dc-01.test.loc, addr IP_Address over SSL
[880] __fnbamd_ldap_start_conn-Still connecting IP_Address.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x230c
[266] fnbamd_dns_parse_resp-req 0x30c: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x30c (0x1108b9c0) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to ::, cur stack size:0
[1108] __ldap_connect-tcps_connect(IP_Address) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=svc.test,OU=Test3,OU=Test2,OU=Test,DC=test,DC=loc'
[1083] fnbamd_ldap_send-sending 96 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=loc' filter:(&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1083] fnbamd_ldap_send-sending 143 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 78
[1306] fnbamd_ldap_recv-Response len: 80, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[1023] fnbamd_ldap_parse_response-ret=0
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=test.user,OU=Test3,OU=Test2,OU=Test,DC=test,DC=com'
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 55
[1306] fnbamd_ldap_recv-Response len: 57, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[621] __ldap_membership_next-Auth accepted
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'DC01'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with IP_Address destroyed.
[377] __cert_ldap_query_cb-LDAP ret=0, server='DC01', req_id=458910229
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[755] __ldap_destroy-
[271] __cert_resume-req_id=458910229
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910229
[1654] fnbamd_auth_session_done-Session done, id=458910229
[966] __fnbamd_cert_auth_run-Exit, req_id=458910229
[1645] __auth_cert_session_done-id=458910229
[1610] auth_cert_success-id=458910229
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910229
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910229
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910229, len=2547
[1555] destroy_auth_cert_session-id=458910229
[1041] fnbamd_cert_auth_uninit-req_id=458910229
[755] __ldap_destroy-
[131] fnbamd_peer_ctx_free-Freeing peer ctx 'ldap-peer'
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC01' ctx
ike shrank heap by 143360 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
[2487] handle_req-Rcvd auth_cert req id=458910230, len=1128, opt=0
[983] __cert_auth_ctx_init-req_id=458910230, opt=0
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[669] __cert_init-req_id=458910230
[718] __cert_build_chain-req_id=458910230
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910230
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[876] __cert_verify_do_next-req_id=458910230
[99] __cert_chg_st- 'Validation' -> 'Done'
[921] __cert_done-req_id=458910230
[1654] fnbamd_auth_session_done-Session done, id=458910230
[966] __fnbamd_cert_auth_run-Exit, req_id=458910230
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=458910230
[1610] auth_cert_success-id=458910230
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910230
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910230
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910230, len=2536
[1555] destroy_auth_cert_session-id=458910230
[1041] fnbamd_cert_auth_uninit-req_id=458910230
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
[2487] handle_req-Rcvd auth_cert req id=458910231, len=1128, opt=0
[983] __cert_auth_ctx_init-req_id=458910231, opt=0
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[669] __cert_init-req_id=458910231
[718] __cert_build_chain-req_id=458910231
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910231
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[876] __cert_verify_do_next-req_id=458910231
[99] __cert_chg_st- 'Validation' -> 'Done'
[921] __cert_done-req_id=458910231
[1654] fnbamd_auth_session_done-Session done, id=458910231
[966] __fnbamd_cert_auth_run-Exit, req_id=458910231
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=458910231
[1610] auth_cert_success-id=458910231
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910231
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910231
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910231, len=2536
[1555] destroy_auth_cert_session-id=458910231
[1041] fnbamd_cert_auth_uninit-req_id=458910231
[2487] handle_req-Rcvd auth_cert req id=458910232, len=1139, opt=6
[983] __cert_auth_ctx_init-req_id=458910232, opt=6
[103] __cert_chg_st- 'Init'
[156] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
[669] __cert_init-req_id=458910232
[718] __cert_build_chain-req_id=458910232
[273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[291] fnbamd_chain_build-Following depth 0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[291] fnbamd_chain_build-Following depth 1
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[291] fnbamd_chain_build-Following depth 2
[305] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[840] __cert_verify-req_id=458910232
[841] __cert_verify-Chain is complete.
[486] fnbamd_cert_verify-Chain number:3
[500] fnbamd_cert_verify-Following cert chain depth 0
[573] fnbamd_cert_verify-Issuer found: CA_Cert_2 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 1
[573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
[500] fnbamd_cert_verify-Following cert chain depth 2
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[490] __check_add_peer-check 'ldap-peer'
[77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'ldap-peer'
[497] __check_add_peer-'ldap-peer' check ret:pending
[709] fnbamd_cert_check_group_list-LDAP servers
[712] fnbamd_cert_check_group_list- 'DC01', (Principle-Name), ref=2
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[738] fnbamd_cert_check_group_list-Peer users
[741] fnbamd_cert_check_group_list- 'ldap-peer' ('DC01','N/A')
[876] __cert_verify_do_next-req_id=458910232
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[623] __cert_status_query-req_id=458910232
[419] __cert_ldap_query-req_id=458910232
[426] __cert_ldap_query-LDAP query, idx 0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1728] fnbamd_ldap_init-search base is: dc=test,dc=loc
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x30d 'dc-01.test.loc'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x230d 'dc-01.test.loc'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[543] __cert_ocsp_query-req_id=458910232
[551] __cert_ocsp_query-Nothing to do.
[953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=458910232
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=458910232
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x30d
[306] fnbamd_dns_parse_resp-req 0x30d: IP_Address
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to IP_Address, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts DC01:dc-01.test.loc, addr IP_Address over SSL
[880] __fnbamd_ldap_start_conn-Still connecting IP_Address.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x230d
[266] fnbamd_dns_parse_resp-req 0x30d: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x30d (0x1108b9c0) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to ::, cur stack size:0
[1108] __ldap_connect-tcps_connect(IP_Address) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=svc.test,OU=Test3,OU=Test2,OU=Test,DC=test,DC=loc'
[1083] fnbamd_ldap_send-sending 96 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=loc' filter:(&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1083] fnbamd_ldap_send-sending 143 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 78
[1306] fnbamd_ldap_recv-Response len: 80, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[1023] fnbamd_ldap_parse_response-ret=0
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=test.user,OU=Test3,OU=Test2,OU=Test,DC=test,DC=com'
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 55
[1306] fnbamd_ldap_recv-Response len: 57, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[621] __ldap_membership_next-Auth accepted
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'DC01'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with IP_Address destroyed.
[377] __cert_ldap_query_cb-LDAP ret=0, server='DC01', req_id=458910232
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[755] __ldap_destroy-
[271] __cert_resume-req_id=458910232
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910232
[1654] fnbamd_auth_session_done-Session done, id=458910232
[966] __fnbamd_cert_auth_run-Exit, req_id=458910232
[1645] __auth_cert_session_done-id=458910232
[1610] auth_cert_success-id=458910232
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910232
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910232
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910232, len=2547
[1555] destroy_auth_cert_session-id=458910232
[1041] fnbamd_cert_auth_uninit-req_id=458910232
[755] __ldap_destroy-
[131] fnbamd_peer_ctx_free-Freeing peer ctx 'ldap-peer'
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC01' ctx
ike shrank heap by 143360 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1 interface 0 router 0 certs 0
[2435] fnbamd_peer_user_free-Freeing 'ios-test-dialup_peer'
[2435] fnbamd_peer_user_free-Freeing 'ldap-peer'
[2509] fnbamd_peer_user_create-'ldap-peer'
[2528] fnbamd_peer_user_create-Peer users are created, vfid=0, total=1
ike config update start
ike ike_embryonic_conn_limit = 10000
ike ikecrypt DH multi-process enabled
ike config update done
ike 0: cache rebuild done
ike 0:*: ignoring request to establish IPsec SA, interface is administratively down
ike shrank heap by 135168 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1 interface 0 router 0 certs 0
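The fnbamd output above is long because every auth request repeats the same state machine. As an added example (written for this page, not code from Fortinet or from the thread), the script below condenses such output into one record per request id and puts the interesting lines side by side: which CAs the chain was built through, whether a peer or group list was checked, the UPN that was looked up in LDAP, and the `ocsp_enabled=0` line that accompanies "Leaf cert status is unchecked". The sample is a constructed excerpt of the debug posted above; the reading in `assess()` that "unchecked" together with `ocsp_enabled=0` means no revocation lookup ran is the editor's interpretation of those two lines, not a statement the log makes itself.

```python
"""Condense FortiGate fnbamd certificate-auth debug output into one record
per request.  Added example by the editor, not Fortinet code."""
import re
from typing import Dict, List, Optional

# Constructed excerpt of the debug posted above: request 458910229 is the
# LDAP-peer check, 458910230 arrives with no group list at all.
SAMPLE_DEBUG = """\
[2487] handle_req-Rcvd auth_cert req id=458910229, len=1139, opt=6
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[305] fnbamd_chain_build-Self-sign detected.
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[1610] auth_cert_success-id=458910229
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
ike shrank heap by 143360 bytes
[2487] handle_req-Rcvd auth_cert req id=458910230, len=1128, opt=0
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_2')
[326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
[305] fnbamd_chain_build-Self-sign detected.
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1610] auth_cert_success-id=458910230
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
"""

LINE_RE = re.compile(r"^\[\d+\] ([A-Za-z_]\w*)-(.*)$")      # "[src line] func-message"
REQ_RE = re.compile(r"\b(?:req_id|req id|id)=(\d+)(?!\w)")  # ignores DNS req-id=0x30c
ISSUER_RE = re.compile(r"\(good: '([^']+)'\)")
CAPTURES = {  # func -> (regex, record key, converter) for single-value fields
    "__cert_ldap_query": (re.compile(r"UPN = '([^']+)'"), "upn", str),
    "__cert_ldap_query_cb": (re.compile(r"Matched peer '([^']+)'"), "peer", str),
    "__get_default_ocsp_ctx": (re.compile(r"ocsp_enabled=(\d)"), "ocsp_enabled", lambda v: v == "1"),
}

def _new() -> dict:
    return {"chain": [], "self_signed_root": False, "group_check": None, "upn": None,
            "peer": None, "ocsp_enabled": None, "leaf_status_checked": None, "success": False}

def parse_fnbamd(text: str) -> Dict[str, dict]:
    """Group lines by request id; id-less lines belong to the last id seen."""
    reqs: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # ike/heap lines are not fnbamd's
        func, msg = m.groups()
        rm = REQ_RE.search(msg)
        if rm:
            current = rm.group(1)
            reqs.setdefault(current, _new())
        if current is None:
            continue
        req = reqs[current]
        if func in CAPTURES:
            rx, key, conv = CAPTURES[func]
            cm = rx.search(msg)
            if cm:
                req[key] = conv(cm.group(1))
        elif func == "fnbamd_chain_build":
            im = ISSUER_RE.search(msg)
            if im:
                req["chain"].append(im.group(1))
            elif "Self-sign detected" in msg:
                req["self_signed_root"] = True
        elif func == "fnbamd_cert_check_group_list":
            if "group list is empty" in msg:
                req["group_check"] = "match-any"
            elif "checking group" in msg:
                req["group_check"] = "group"
        elif func == "auth_cert_success":
            req["success"] = True
        elif func == "fnbamd_cert_auth_copy_cert_status" and "unchecked" in msg:
            req["leaf_status_checked"] = False
    return reqs

def assess(req: dict) -> List[str]:
    """Plain-language reading of one request (the editor's interpretation)."""
    notes: List[str] = []
    if req["chain"]:
        root = " (self-signed root)" if req["self_signed_root"] else ""
        notes.append("chain built via " + " -> ".join(req["chain"]) + root)
    if req["group_check"] == "match-any":
        notes.append("no peer/group list on this request: fnbamd will 'match any' chained cert")
    if req["peer"]:
        notes.append("peer '%s' matched by LDAP lookup of UPN %s" % (req["peer"], req["upn"]))
    if req["ocsp_enabled"] is False and req["leaf_status_checked"] is False:
        notes.append("leaf revocation status unchecked: OCSP disabled, so no status query ran")
    if req["success"]:
        notes.append("certificate authentication itself succeeded (auth_cert_success)")
    return notes

if __name__ == "__main__":
    for rid, rec in parse_fnbamd(SAMPLE_DEBUG).items():
        print(rid, *assess(rec), sep="\n  ")
```

Feeding the full dump from the post in place of the sample gives the same picture for every request: the chain resolves to the imported CAs, the LDAP peer matches, `auth_cert_success` is logged, and no OCSP or CRL status query ever runs. That is why "Leaf cert status is unchecked" appears on successful requests too; the certificate step is not where the XAUTH failure comes from.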

[741] fnbamd_cert_check_group_list-    'ldap-peer' ('DC01','N/A')
[876] __cert_verify_do_next-req_id=458910232
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[623] __cert_status_query-req_id=458910232
[419] __cert_ldap_query-req_id=458910232
[426] __cert_ldap_query-LDAP query, idx 0
[448] __cert_ldap_query-UPN = 'test.user@test.com'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1728] fnbamd_ldap_init-search base is: dc=test,dc=loc
[115] fnbamd_dns_resolv_ex-DNS req ipv4 0x30d 'dc-01.test.loc'
[125] fnbamd_dns_resolv_ex-DNS req ipv6 0x230d 'dc-01.test.loc'
[137] fnbamd_dns_resolv_ex-DNS maintainer started.
[543] __cert_ocsp_query-req_id=458910232
[551] __cert_ocsp_query-Nothing to do.
[953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=458910232
[1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=458910232
[247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x30d
[306] fnbamd_dns_parse_resp-req 0x30d: IP_Address
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to IP_Address, cur stack size:1
[925] __fnbamd_ldap_get_next_addr-
[1155] __fnbamd_ldap_dns_cb-Connection starts DC01:dc-01.test.loc, addr IP_Address over SSL
[880] __fnbamd_ldap_start_conn-Still connecting IP_Address.
[247] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x230d
[266] fnbamd_dns_parse_resp-req 0x30d: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
[35] __fnbamd_dns_req_del-DNS req 0x30d (0x1108b9c0) is removed. Current total: 2
[47] __fnbamd_dns_req_del-DNS maintainer stopped.
[1150] __fnbamd_ldap_dns_cb-Resolved DC01:dc-01.test.loc to ::, cur stack size:0
[1108] __ldap_connect-tcps_connect(IP_Address) is established.
[986] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'CN=svc.test,OU=Test3,OU=Test2,OU=Test,DC=test,DC=loc'
[1083] fnbamd_ldap_send-sending 96 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 1
[986] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1023] fnbamd_ldap_parse_response-ret=0
[1053] __ldap_rxtx-Change state to 'DN search'
[986] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=loc' filter:(&(userPrincipalName=test.user@test.com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1083] fnbamd_ldap_send-sending 143 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 2
[986] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 78
[1306] fnbamd_ldap_recv-Response len: 80, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[1023] fnbamd_ldap_parse_response-ret=0
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=test.user,OU=Test3,OU=Test2,OU=Test,DC=test,DC=com'
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 71
[1306] fnbamd_ldap_recv-Response len: 73, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 55
[1306] fnbamd_ldap_recv-Response len: 57, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[1023] fnbamd_ldap_parse_response-ret=0
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: IP_Address
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1023] fnbamd_ldap_parse_response-ret=0
[621] __ldap_membership_next-Auth accepted
[1053] __ldap_rxtx-Change state to 'Done'
[986] __ldap_rxtx-state 23(Done)
[1083] fnbamd_ldap_send-sending 7 bytes to IP_Address
[1096] fnbamd_ldap_send-Request is sent. ID 3
[785] __ldap_done-svr 'DC01'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with IP_Address destroyed.
[377] __cert_ldap_query_cb-LDAP ret=0, server='DC01', req_id=458910232
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[755] __ldap_destroy-
[271] __cert_resume-req_id=458910232
[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910232
[1654] fnbamd_auth_session_done-Session done, id=458910232
[966] __fnbamd_cert_auth_run-Exit, req_id=458910232
[1645] __auth_cert_session_done-id=458910232
[1610] auth_cert_success-id=458910232
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910232
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910232
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910232, len=2547
[1555] destroy_auth_cert_session-id=458910232
[1041] fnbamd_cert_auth_uninit-req_id=458910232
[755] __ldap_destroy-
[131] fnbamd_peer_ctx_free-Freeing peer ctx 'ldap-peer'
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC01' ctx
ike shrank heap by 143360 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1  interface 0  router 0 certs 0
[2435] fnbamd_peer_user_free-Freeing 'ios-test-dialup_peer'
[2435] fnbamd_peer_user_free-Freeing 'ldap-peer'
[2509] fnbamd_peer_user_create-'ldap-peer'
[2528] fnbamd_peer_user_create-Peer users are created, vfid=0, total=1
ike config update start
ike ike_embryonic_conn_limit = 10000
ike ikecrypt DH multi-process enabled
ike config update done
ike 0: cache rebuild done
ike 0:*: ignoring request to establish IPsec SA, interface is administratively down
ike shrank heap by 135168 bytes
local auth is done with user 'test.user', ret=1
ike shrank heap by 159744 bytes
ike change cfg 1  interface 0  router 0 certs 0
pminarik

1: Some user/group(s) need to be included either in the phase1 configuration (set xauthusrgrp ...) OR in firewall policies for this IPsec tunnel as source-interface. (one or the other, never both!)

2: The certificate validation is OK and a success:

[99] __cert_chg_st- 'Status-Query' -> 'Done'
[921] __cert_done-req_id=458910229
[1654] fnbamd_auth_session_done-Session done, id=458910229
[966] __fnbamd_cert_auth_run-Exit, req_id=458910229
[1645] __auth_cert_session_done-id=458910229
[1610] auth_cert_success-id=458910229
[1068] fnbamd_cert_auth_copy_cert_status-req_id=458910229
[1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'ldap-peer'
[833] fnbamd_cert_check_matched_groups-checking group with name 'ldap-peer'
[895] fnbamd_cert_check_matched_groups-matched
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=458910229
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910229, len=2547

& the same for the second attempt seen in the debugs.

Try checking IKE debug output again. (or share it here if you need help)

[ corrections always welcome ]
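To read fnbamd debugs like the ones posted above per request id, here is a small parser added as an example (not Fortinet's code and not from this thread). The sample lines are constructed in the shape of the posted output, and tying "Leaf cert status is unchecked" to ocsp_enabled=0 is my reading of the debug rather than something the reply states.

```python
import re

SAMPLE = """\
[2487] handle_req-Rcvd auth_cert req id=458910231, len=1128, opt=0
[657] fnbamd_cert_check_group_list-group list is empty, match any!
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910231, len=2536
[2487] handle_req-Rcvd auth_cert req id=458910232, len=1139, opt=6
[675] fnbamd_cert_check_group_list-checking group with name 'ldap-peer'
[191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[388] __cert_ldap_query_cb-Matched peer 'ldap-peer'
[1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 458910232, len=2547
"""  # constructed excerpt in the shape of the fnbamd debug lines posted above

PATTERNS = {  # one regex per field; the first non-empty capture group is the value
    "req_id": re.compile(r"Rcvd auth_cert req id=(\d+)"),
    "group_check": re.compile(r"checking group with name '([^']+)'|group list is (empty)"),
    "peer_matched": re.compile(r"__cert_ldap_query_cb-Matched peer '([^']+)'"),
    "ocsp_enabled": re.compile(r"ocsp_enabled=(\d)"),
    "leaf_status": re.compile(r"Leaf cert status is (\w+)"),
    "result": re.compile(r"Sending result (\d+) \(nid \d+\) for req \d+"),
}

def parse_fnbamd(text):
    """Split fnbamd debug output into one dict per auth_cert request id,
    keeping only the fields that decide the certificate-auth outcome."""
    sessions, cur = {}, None
    for line in text.splitlines():
        m = PATTERNS["req_id"].search(line)
        if m:
            cur = sessions.setdefault(m.group(1), {})
        elif cur is not None:
            for field, pat in PATTERNS.items():
                m = pat.search(line)
                if m:
                    cur[field] = next(g for g in m.groups() if g is not None)
                    break
    return sessions

def verdict(s):
    """Result 0 means fnbamd accepted the cert; an XAUTH failure then lies on the user/group side."""
    if s.get("result") != "0":
        return "cert auth FAILED (result %s)" % s.get("result")
    scope = ("peer '%s' matched via LDAP" % s["peer_matched"] if s.get("peer_matched")
             else "group list empty, any cert accepted")
    unchecked = s.get("ocsp_enabled") == "0" and s.get("leaf_status") == "unchecked"
    note = "; leaf unchecked with ocsp_enabled=0 (OCSP query did not run)" if unchecked else ""
    return "cert auth OK, %s%s" % (scope, note)
```

Feed the full `diagnose debug application fnbamd` capture to `parse_fnbamd` and print `verdict` for each id to see at a glance which step (chain, peer match, result) each request reached.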
FG_User2

I have this rule, is it enough?:

(image: img-fg.png)
