Hi all, our SSLVPN was working fine for a few months but has suddenly stopped working. I've tried performing all updates and restarting the FortiGate 50E but still have the same issue across all users. CLI debug below: Any ideas?
FGT50E3U17044011 # [222:root:4c]allocSSLConn:282 sconn 0x55d52900 (0:root)
[222:root:4c]SSL state:before SSL initialization (192.168.10.31)
[222:root:4c]SSL state:before SSL initialization (192.168.10.31)
[222:root:4c]got SNI server name: 118.xxx.xxx.xxx realm (null)
[222:root:4c]client cert requirement: no
[222:root:4c]SSL state:SSLv3/TLS read client hello (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write server hello (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write certificate (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write key exchange (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write server done (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write server done:system lib(192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write server done (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS read client key exchange (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS read change cipher spec (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS read finished (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write change cipher spec (192.168.10.31)
[222:root:4c]SSL state:SSLv3/TLS write finished (192.168.10.31)
[222:root:4c]SSL state:SSL negotiation finished successfully (192.168.10.31)
[222:root:4c]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[222:root:4c]req: /remote/info
[222:root:4c]sslConnGotoNextState:302 error (last state: 1, closeOp: 0)
[222:root:4c]Destroy sconn 0x55d52900, connSize=0. (root)
[222:root:4d]allocSSLConn:282 sconn 0x55d52900 (0:root)
[222:root:4d]SSL state:before SSL initialization (192.168.10.31)
[222:root:4d]SSL state:before SSL initialization (192.168.10.31)
[222:root:4d]got SNI server name: 118.xxx.xxx.xxx realm (null)
[222:root:4d]client cert requirement: no
[222:root:4d]SSL state:SSLv3/TLS read client hello (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write server hello (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write certificate (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write key exchange (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write server done (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write server done:system lib(192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write server done (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS read client key exchange (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS read change cipher spec (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS read finished (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write change cipher spec (192.168.10.31)
[222:root:4d]SSL state:SSLv3/TLS write finished (192.168.10.31)
[222:root:4d]SSL state:SSL negotiation finished successfully (192.168.10.31)
[222:root:4d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[222:root:4d]req: /remote/login
[222:root:4d]rmt_web_auth_info_parser_common:440 no session id in auth info
[222:root:4d]rmt_web_get_access_cache:760 invalid cache, ret=4103
[222:root:4d]sslConnGotoNextState:302 error (last state: 1, closeOp: 0)
[222:root:4d]Destroy sconn 0x55d52900, connSize=0. (root)
[222:root:4e]allocSSLConn:282 sconn 0x55d52900 (0:root)
[222:root:4e]SSL state:before SSL initialization (192.168.10.31)
[222:root:4e]SSL state:before SSL initialization (192.168.10.31)
[222:root:4e]got SNI server name: 118.xxx.xxx.xxx realm (null)
[222:root:4e]client cert requirement: no
[222:root:4e]SSL state:SSLv3/TLS read client hello (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write server hello (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write certificate (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write key exchange (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write server done (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write server done:system lib(192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write server done (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS read client key exchange (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS read change cipher spec (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS read finished (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write change cipher spec (192.168.10.31)
[222:root:4e]SSL state:SSLv3/TLS write finished (192.168.10.31)
[222:root:4e]SSL state:SSL negotiation finished successfully (192.168.10.31)
[222:root:4e]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[222:root:4e]req: /remote/logincheck
[222:root:4e]rmt_web_auth_info_parser_common:440 no session id in auth info
[222:root:4e]rmt_web_access_check:686 access failed, uri=[/remote/logincheck],ret=4103,
[222:root:4e]rmt_logincheck_cb_handler:917 user 'editor' has a matched local entry.
[222:root:4e]sslvpn_auth_check_usrgroup:1874 forming user/group list from policy.
[222:root:4e]sslvpn_auth_check_usrgroup:1916 got user (0) group (1:0).
[222:root:4e]sslvpn_validate_user_group_list:1479 validating with SSL VPN authentication rules (0), realm ().
[222:root:4e]sslvpn_validate_user_group_list:1802 got user (0), group (1:0).
[222:root:4e]two factor check for editor: off
[222:root:4e]sslvpn_authenticate_user:169 authenticate user: [editor]
[222:root:4e]sslvpn_authenticate_user:176 create fam state
[222:root:4e][fam_auth_send_req_internal:408] Groups sent to FNBAM:
[222:root:4e]group_desc[0].grpname = sslvpngroup
[222:root:4e][fam_auth_send_req_internal:419] FNBAM opt = 0X420
[222:root:4e]fam_auth_send_req_internal:483 fnbam_auth return: 0
[222:root:4e][fam_auth_send_req_internal:507] Authenticated groups by FNBAM:
[222:root:4e]auth_rsp_data.grp_list[0] = sslvpngroup
[222:root:4e][fam_auth_send_req_internal:583] The user editor is authenticated.
[222:root:4e]fam_do_cb:506 fnbamd return auth success.
[222:root:4e]SSL VPN login matched rule (0).
[222:root:4e]rmt_web_session_create:730 create web session, idx[0]
[222:root:4e]login_succeeded:399 redirect to hostcheck
[222:root:4e]deconstruct_session_id:380 decode session id ok, user=[editor],group=[sslvpngroup],authserver=[],portal=[my-full-tunnel-portal],host=[192.168.10.31],realm=[],idx=0,auth=1,sid=5f3dcc38, login=1603843029, access=1603843029
[222:root:4e]deconstruct_session_id:380 decode session id ok, user=[editor],group=[sslvpngroup],authserver=[],portal=[my-full-tunnel-portal],host=[192.168.10.31],realm=[],idx=0,auth=1,sid=5f3dcc38, login=1603843029, access=1603843029
[222:root:4e]deconstruct_session_id:380 decode session id ok, user=[editor],group=[sslvpngroup],authserver=[],portal=[my-full-tunnel-portal],host=[192.168.10.31],realm=[],idx=0,auth=1,sid=5f3dcc38, login=1603843029, access=1603843029
[222:root:4e]sslvpn_read_request_common,639, ret=-1 error=-1, sconn=0x55d52900.
[222:root:4e]Destroy sconn 0x55d52900, connSize=0. (root)
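A small triage helper for debug output in the format above, added here as an example (it is not part of the thread and not a Fortinet tool): it groups sslvpnd lines by the connection id in the bracket prefix and names the stage at which each connection was torn down, which separates a TLS or authentication failure from the post-login drop seen on connection 4e. The sample log is a constructed, shortened excerpt of the output quoted above.

```python
import re

# Constructed excerpt in the sslvpnd debug format quoted above (handshake/alloc lines omitted).
SAMPLE_LOG = """\
FGT50E3U17044011 # [222:root:4c]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[222:root:4c]req: /remote/info
[222:root:4c]sslConnGotoNextState:302 error (last state: 1, closeOp: 0)
[222:root:4e]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[222:root:4e]req: /remote/logincheck
[222:root:4e]sslvpn_authenticate_user:169 authenticate user: [editor]
[222:root:4e]fam_do_cb:506 fnbamd return auth success.
[222:root:4e]sslvpn_read_request_common,639, ret=-1 error=-1, sconn=0x55d52900.
"""

# [pid:vdom:conn]message; search() tolerates the CLI prompt on the first line
LINE_RE = re.compile(r"\[(\d+):([^:\]]+):(?P<conn>[0-9a-f]+)\](?P<msg>.*)$")
USER_RE = re.compile(r"authenticate user: \[([^\]]+)\]")
ERR_RE = re.compile(r"\berror\b")

def parse_sslvpnd(text):
    """Group debug lines by connection id and record each connection's milestones."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # unrelated CLI output
        c = conns.setdefault(m["conn"], dict(tls=None, uri=None, user=None, auth_ok=False, error=None))
        msg = m["msg"]
        if msg.startswith("SSL established:"):
            c["tls"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("req: "):
            c["uri"] = msg[5:].strip()
        elif (u := USER_RE.search(msg)):
            c["user"] = u.group(1)
        elif "fnbamd return auth success" in msg:
            c["auth_ok"] = True
        elif c["error"] is None and ERR_RE.search(msg):
            c["error"] = msg  # keep only the first error per connection
    return conns

def triage(c):
    """Name the furthest stage a connection reached before the device tore it down."""
    if c["tls"] is None:
        return "tls_handshake_failed"
    if c["uri"] is None:
        return "no_request_after_tls"
    if c["error"]:
        return "dropped_after_login" if c["auth_ok"] else "dropped_before_auth"
    return "login_ok" if c["auth_ok"] else "incomplete"
```

A connection reported as dropped_after_login means the device completed the handshake and authentication before the read failed, so the next thing to test is the client, which is what the browser check later in this thread does.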
Hey guys, I figured it out in the end – FortiClient has some sort of bug that was causing the issue. To troubleshoot this yourself if you have this error, try to eliminate the client as the issue by accessing the web portal through a web browser via https://xxx.xxx.xxx.xxx:yyy/ where x is your IP and y is your port. Updating FortiClient to the newest version resolved the issue.
I still think something had happened to the 50E side, which no longer happens, if everybody had the same symptom. The sslvpnd log showed everything went through normally including user authentication, then drops at the end with an error.
toshiesumi wrote: I still think something had happened to the 50E side, which no longer happens, if everybody had the same symptom. The sslvpnd log showed everything went through normally including user authentication, then drops at the end with an error.
I thought so too but nothing seemed to fix it when I was troubleshooting on the host side, but updating the client fixed the issue immediately. I'll report back if the error comes back.