Sorry if this has been posted before, but I haven't found any solution in any existing posts.
I have just set up SSL-VPN on my FG100D with FortiOS 6.2.3 build 1066, but am having some issues when connecting with FortiClient 6.4.0.1464.
When getting to 80% it says: "unable to establish the vpn connection. the vpn server may be unreachable. (-14)"
I can login to the web portal page with the same user/pass, so that should be OK. I have also tested with another user.
Users are created locally on the FW and added to a group "VPN_Local_Users".
Have also tested from multiple computers.
Any ideas?
See attached log file for more details (sslvpn-log.txt).
Hi,
Is this issue on Windows OS? If so, did you check if TLS is enabled under Internet Options > Advanced Settings?
Regards,
Yogesh
Stupid error....
But if it helps someone else:
I forgot to enable Tunnel Mode...
SSL-VPN Portals - edit portal
-Disable Split Tunneling
-Enable Tunnel Mode
Source IP Pools: SSLVPN_TUNNEL-ADDR1
Now it works with my local test user.
Still getting exactly the same error when trying an LDAP user. (Have added the LDAP user group to the policy and mapped it to the portal etc. Will start to investigate. Tips are appreciated :)
Update:
Not being able to login with an AD user seems to be something with the username/CNI context.
My test AD user:
Firstname: Test
Lastname: Testing
username: Testuser
In OU: Testusers
Scenario 1:
FG LDAP config:
Common Name Identifier: cn
Distinguished Name: OU=Testusers,DC=test,DC=local
Try to login to Forticlient / Webportal
User: Test Testing -- Login OK!
User: Testuser -- Not OK (server unreachable (-14) blabla) or "access denied"
Scenario 2:
FG LDAP config:
Common Name Identifier: sAMAccountName
Distinguished Name: OU=Testusers,DC=test,DC=local
Try to login to Forticlient / Webportal
User: Test Testing -- Not OK (server unreachable (-14) blabla) or "access denied"
User: Testuser -- Not OK (server unreachable (-14) blabla) or "access denied"
Any ideas???
Hello Friend,
If you are still having this issue, I have some hints for you, or otherwise please share the solution if it was already resolved.
From the attached log, I can see you are using Forticlient on Windows machine.
Just check from your Firewall the ssl-min and max allowed protocols by using the following commands:
config firewall ssl-server
show full-configuration | grep ssl-min-version
show full-configuration | grep ssl-max-version
Then according to the output, modify the registry of the PC by going to the following path:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Make sure you have the key of the protocol you have found from the first step (at least one match).
If not, the client and the FortiGate do not have a common protocol to handshake with.
Also, if you want to add a new SSL protocol (avoiding weak ones) you can create a key and define a
DWORD value named Enabled with a value of 1, then restart the PC and try the VPN.
I hope this will help you.
Regards,
Shehab
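A read-only PowerShell check for the comparison described in the reply above, added here as an example (it is not code from Shehab's post or from Fortinet). It walks the SCHANNEL Client keys for every TLS version inside the range the FortiGate reported and flags the ones explicitly disabled on the PC; the -MinVersion/-MaxVersion defaults and the 'tls-1.x' spelling are assumptions, so set them to whatever your firewall actually prints.

```powershell
# Added example, not part of any post in this thread. Read-only: it only reads
# the SCHANNEL client protocol keys and reports which versions are usable.
# The default range below is an assumption; pass the values your FortiGate shows.
param(
    [string]$MinVersion = 'tls-1.1',
    [string]$MaxVersion = 'tls-1.2'
)

$base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$order = @('ssl-3.0', 'tls-1.0', 'tls-1.1', 'tls-1.2', 'tls-1.3')   # weakest to strongest
$key   = @{ 'ssl-3.0'='SSL 3.0'; 'tls-1.0'='TLS 1.0'; 'tls-1.1'='TLS 1.1';
            'tls-1.2'='TLS 1.2'; 'tls-1.3'='TLS 1.3' }

$lo = [array]::IndexOf($order, $MinVersion)
$hi = [array]::IndexOf($order, $MaxVersion)
if ($lo -lt 0 -or $hi -lt 0 -or $lo -gt $hi) {
    throw "Unknown or inverted range: $MinVersion .. $MaxVersion"
}

# FortiClient is the TLS client, so the 'Client' subkey is the one that matters here.
$report = @(foreach ($v in $order[$lo..$hi]) {
    $client = Join-Path $base "$($key[$v])\Client"
    $state  = 'not configured (Windows default applies)'
    if (Test-Path $client) {
        $p = Get-ItemProperty -Path $client
        # Enabled=0 or DisabledByDefault=1 blocks this version for outgoing handshakes
        if (($null -ne $p.Enabled -and $p.Enabled -eq 0) -or
            ($null -ne $p.DisabledByDefault -and $p.DisabledByDefault -ne 0)) {
            $state = 'disabled'
        } elseif ($null -ne $p.Enabled) {
            $state = 'enabled'
        }
    }
    [pscustomobject]@{ Version = $v; RegistryKey = $client; State = $state }
})

$report | Format-Table -AutoSize

$blocked = @($report | Where-Object State -eq 'disabled')
if ($blocked.Count -eq $report.Count) {
    Write-Warning "Every version the FortiGate accepts ($MinVersion..$MaxVersion) is disabled on this client; there is no common protocol for the handshake."
} else {
    "Versions the client can still offer in that range: " +
    (($report | Where-Object State -ne 'disabled').Version -join ', ')
}
```

Run it in an elevated PowerShell on the affected PC; a version reported as "not configured" falls back to the Windows default for that OS build, so only an explicit "disabled" line is a confirmed mismatch.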