Hi,
Our users keep having problems logging in with Forticlient VPN only.
It happens very often that Forticlient stops at 48% and issues the warning -7200. Sometimes you have to repeat the login process 3-7 times and then the client asks for the Fortitoken and can then log in successfully.
FortiOS v6.4.15
We are using LDAP authentication with Fortitoken.
It doesn't matter whether I set username-sensitivity to disable or leave it at default enable.
Does anyone know the problem and can help?
[326:root:d3a]allocSSLConn:298 sconn 0x7f268edacd00 (0:root)
[326:root:d3a]SSL state:before SSL initialization (77.239.xy.xyx)
[326:root:d3a]SSL state:before SSL initialization:DH lib(77.239.xy.xyx)
[326:root:d3a]SSL_accept failed, 5:(null)
[326:root:d3a]Destroy sconn 0x7f268edacd00, connSize=1. (root)
[327:root:d3c]allocSSLConn:298 sconn 0x7f268edac800 (0:root)
[327:root:d3c]SSL state:before SSL initialization (77.239.xy.xyx)
[327:root:d3c]SSL state:before SSL initialization (77.239.xy.xyx)
[327:root:d3c]got SNI server name: sslvpn.url.com realm (null)
[327:root:d3c]client cert requirement: no
[327:root:d3c]SSL state:SSLv3/TLS read client hello (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server hello (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write certificate (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write key exchange (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server done (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server done:system lib(77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server done (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS read client key exchange (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS read change cipher spec (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS read finished (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write session ticket (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write change cipher spec (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write finished (77.239.xy.xyx)
[327:root:d3c]SSL state:SSL negotiation finished successfully (77.239.xy.xyx)
[327:root:d3c]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[327:root:d3c]req: /remote/info
[327:root:d3c]capability flags: 0xdf
[327:root:d3c]req: /remote/login?realm=mts
[327:root:d3c]rmt_web_auth_info_parser_common:465 no session id in auth info
[327:root:d3c]rmt_web_get_access_cache:808 invalid cache, ret=4103
[327:root:d3c]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[327:root:d3c]get_cust_page:127 saml_info 0
[327:root:d3c]req: /remote/logincheck
[327:root:d3c]rmt_web_auth_info_parser_common:465 no session id in auth info
[327:root:d3c]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,
[327:root:d3c]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[327:root:d3c]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.
[327:root:d3c]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.
[327:root:d3c]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).
[327:root:d3c]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).
[327:root:d3c]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.
[327:root:d3c]sslvpn_validate_user_group_list:1936 checking rule 2 realm.
[327:root:d3c]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.
[327:root:d3c]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.
[327:root:d3c]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).
[327:root:d3c]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.
[327:root:d3c]sslvpn_validate_user_group_list:1936 checking rule 3 realm.
[327:root:d3c]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.
[327:root:d3c]sslvpn_validate_user_group_list:1936 checking rule 4 realm.
[327:root:d3c]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).
[327:root:d3c]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).
[327:root:d3c]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.
[327:root:d3c]two factor check for max: off
[327:root:d3c]sslvpn_authenticate_user:167 authenticate user: [max]
[327:root:d3c]sslvpn_authenticate_user:174 create fam state
[327:root:d3c][fam_auth_send_req_internal:425] Groups sent to FNBAM:
[327:root:d3c]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts
[327:root:d3c][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
[327:root:d3c]fam_auth_send_req_internal:513 fnbam_auth return: 4
[327:root:d3c]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 3
[327:root:d3c][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:
[327:root:d3c]Received: auth_rsp_data.grp_list[0] = 3054238368
[327:root:d3c]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi sidp
Check the following link: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL...
48%.
Hi DPadula
Thank you.
Other things I tested was changing some of the timeouts in global config.
config system global
set admintimeout 60
set ldapconntimeout 1500
set remoteauthtimeout 210
end
Hi @sidp ,
Looking at the logs I can see that there is no policy matching:
[327:root:d3c]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]
Could you run the following again and paste the output, please:
diagnose test application fnbamd 1
diagnose debug reset
diag debug console timestamp enable
diag debug application fnbamd 0x4
diag debug app sslvpn 0x10FF
diag debug enable
# try to connect to VPN and authenticate with LDAP
diag debug disable
diagnose test application fnbamd 1
Best regards,
Hi fricci_FTNT,
I will test it but it may take some time since the error does not always occur and I do not know how to provoke it.
Br
Created on 06-28-2024 02:56 AM Edited on 06-28-2024 02:59 AM
Okay, I encountered the problem again and was able to capture the debug log.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.06.28 11:43:52 =~=~=~=~=~=~=~=~=~=~=~=
FW01 # diagnose test application fnbamd 1
Total fnbam requests in caller side: 235969; EAGAIN errors: 0; other errors: 1
Pending sessions: 0
Max session reached: 0
Res 0: 233055
Res 1: 715
Res 2: 0
Res 3: 1586
Res 4: 0
Res 5: 183
Res 6: 0
Res 7: 4093
Res 8: 2
Res 9: 0
Res 10: 0
Res 11: 0
Res 12: 152
Auth:
requests: 6298
sessions: 6298
released: 6298
Acct:
requests: 1
sessions: 0
released: 0
Cert:
requests: 225414
sessions: 225414
released: 225414
LDAP stats:
total: 4454
conn failures: 0
FW01 # diagnose debug reset FW01 # diag debug console timestamp enable FW01 # diag debug application fnbamd 0x4 Debug messages will be on for 30 minutes.
FW01 # diag debug app sslvpn 0x10FF Debug messages will be on for 30 minutes.
FW01 # diag debug enable FW01 # 2024-06-28 11:44:31 [28669:root:69b]allocSSLConn:298 sconn 0x7f268edc5800 (0:root)
2024-06-28 11:44:31 [28669:root:69b]SSL_accept failed, 5:(null)
2024-06-28 11:44:31 [28669:root:69b]Destroy sconn 0x7f268edc5800, connSize=0. (root)
2024-06-28 11:44:31 [28670:root:69b]allocSSLConn:298 sconn 0x7f268ed9d900 (0:root)
2024-06-28 11:44:31 [28670:root:69b]got SNI server name: sslvpn.url.com realm (null)
2024-06-28 11:44:31 [28670:root:69b]client cert requirement: no
2024-06-28 11:44:31 [28670:root:69b]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-06-28 11:44:31 [28670:root:69b]capability flags: 0xdf
2024-06-28 11:44:31 [28670:root:69b]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:31 [28670:root:69b]rmt_web_get_access_cache:808 invalid cache, ret=4103
2024-06-28 11:44:31 [28670:root:69b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:31 [28670:root:69b]get_cust_page:127 saml_info 0
2024-06-28 11:44:31 [28670:root:69b]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:31 [28670:root:69b]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,
2024-06-28 11:44:31 [28670:root:69b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:31 [28670:root:69b]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 2 realm.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 3 realm.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 4 realm.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.
2024-06-28 11:44:31 [28670:root:69b]two factor check for max: off
2024-06-28 11:44:31 [28670:root:69b]sslvpn_authenticate_user:167 authenticate user: [max]
2024-06-28 11:44:31 [28670:root:69b]sslvpn_authenticate_user:174 create fam state
2024-06-28 11:44:31 [28670:root:69b][fam_auth_send_req_internal:425] Groups sent to FNBAM:
2024-06-28 11:44:31 [28670:root:69b]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts
2024-06-28 11:44:31 [28670:root:69b][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
2024-06-28 11:44:31 [28670:root:69b]fam_auth_send_req_internal:513 fnbam_auth return: 4
2024-06-28 11:44:31 [1901] handle_req-Rcvd auth req 1376404688 for max in opt=00200420 prot=11
2024-06-28 11:44:31 [617] fnbamd_pop3_start-max
2024-06-28 11:44:31 [380] radius_start-Didn't find radius servers (0)
2024-06-28 11:44:31 [752] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-06-28 11:44:31 [2151] __match_and_update_auth_user-Found a matching user in CMDB 'max'
2024-06-28 11:44:31 [1053] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'mts.local' for user 'max' in rgroup 'ldap_dl-fg-sslvpn-realm-mts' (3)
2024-06-28 11:44:31 [1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
2024-06-28 11:44:31 [1713] fnbamd_ldap_init-search filter is: sAMAccountName=max
2024-06-28 11:44:31 [1722] fnbamd_ldap_init-search base is: ou=mts,dc=mts,dc=local
2024-06-28 11:44:31 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dbe 'mts-dc02.mts.local'
2024-06-28 11:44:31 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dbe 'mts-dc02.mts.local'
2024-06-28 11:44:31 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:31 [596] create_auth_session-Total 1 server(s) to try
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dbe
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbe: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dbe
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbe: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [36] __fnbamd_dns_req_del-DNS req 0x1dbe (0x14353740) is removed. Current total: 2
2024-06-28 11:44:31 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:31 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.
2024-06-28 11:44:31 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dbf 'mts-dc03.mts.local'
2024-06-28 11:44:31 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dbf 'mts-dc03.mts.local'
2024-06-28 11:44:31 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dbf
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbf: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dbf
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbf: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [36] __fnbamd_dns_req_del-DNS req 0x1dbf (0x14353740) is removed. Current total: 2
2024-06-28 11:44:31 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:31 [902] __ldap_try_next_server-No more server to try for 'mts.local'.
2024-06-28 11:44:31 [217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1376404688, len=2124
2024-06-28 11:44:31 [752] destroy_auth_session-delete session 1376404688
2024-06-28 11:44:31 [28670:root:69b]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 3
2024-06-28 11:44:31 [28670:root:69b][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:
2024-06-28 11:44:31 [28670:root:69b]Received: auth_rsp_data.grp_list[0] = 3054238368
2024-06-28 11:44:31 [28670:root:69b]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]
2024-06-28 11:44:31 [28670:root:0]dump_one_blocklist:85 status=1;host=77.239.xy.xyx;fails=1;logintime=1719567871
2024-06-28 11:44:50 [28671:root:69d]allocSSLConn:298 sconn 0x7f268ed9d400 (0:root)
2024-06-28 11:44:50 [28671:root:69d]SSL_accept failed, 5:(null)
2024-06-28 11:44:50 [28671:root:69d]Destroy sconn 0x7f268ed9d400, connSize=3. (root)
2024-06-28 11:44:50 [28670:root:69b]sslvpn_read_request_common,663, ret=-1 error=-1, sconn=0x7f268ed9d900.
2024-06-28 11:44:50 [28670:root:69b]Destroy sconn 0x7f268ed9d900, connSize=2. (root)
2024-06-28 11:44:51 [28672:root:699]allocSSLConn:298 sconn 0x7f268ed9f200 (0:root)
2024-06-28 11:44:51 [28672:root:699]got SNI server name: sslvpn.url.com realm (null)
2024-06-28 11:44:51 [28672:root:699]client cert requirement: no
2024-06-28 11:44:51 [28672:root:699]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-06-28 11:44:51 [28672:root:699]capability flags: 0xdf
2024-06-28 11:44:51 [28672:root:699]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:51 [28672:root:699]rmt_web_get_access_cache:808 invalid cache, ret=4103
2024-06-28 11:44:51 [28672:root:699]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:51 [28672:root:699]get_cust_page:127 saml_info 0
2024-06-28 11:44:51 [28672:root:699]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:51 [28672:root:699]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,
2024-06-28 11:44:51 [28672:root:699]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:51 [28672:root:699]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.
2024-06-28 11:44:51 [28672:root:699]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.
2024-06-28 11:44:51 [28672:root:699]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 2 realm.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 3 realm.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 4 realm.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.
2024-06-28 11:44:51 [28672:root:699]two factor check for max: off
2024-06-28 11:44:51 [28672:root:699]sslvpn_authenticate_user:167 authenticate user: [max]
2024-06-28 11:44:51 [28672:root:699]sslvpn_authenticate_user:174 create fam state
2024-06-28 11:44:51 [28672:root:699][fam_auth_send_req_internal:425] Groups sent to FNBAM:
2024-06-28 11:44:51 [28672:root:699]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts
2024-06-28 11:44:51 [28672:root:699][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
2024-06-28 11:44:51 [28672:root:699]fam_auth_send_req_internal:513 fnbam_auth return: 4
2024-06-28 11:44:51 [1901] handle_req-Rcvd auth req 1376404689 for max in opt=00200420 prot=11
2024-06-28 11:44:51 [617] fnbamd_pop3_start-max
2024-06-28 11:44:51 [380] radius_start-Didn't find radius servers (0)
2024-06-28 11:44:51 [752] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-06-28 11:44:51 [2151] __match_and_update_auth_user-Found a matching user in CMDB 'max'
2024-06-28 11:44:51 [1053] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'mts.local' for user 'max' in rgroup 'ldap_dl-fg-sslvpn-realm-mts' (3)
2024-06-28 11:44:51 [1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
2024-06-28 11:44:51 [1713] fnbamd_ldap_init-search filter is: sAMAccountName=max
2024-06-28 11:44:51 [1722] fnbamd_ldap_init-search base is: ou=mts,dc=mts,dc=local
2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc0 'mts-dc02.mts.local'
2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc0 'mts-dc02.mts.local'
2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:51 [596] create_auth_session-Total 1 server(s) to try
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc0 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.
2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc1 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [902] __ldap_try_next_server-No more server to try for 'mts.local'.
2024-06-28 11:44:51 [217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1376404689, len=2124
2024-06-28 11:44:51 [752] destroy_auth_session-delete session 1376404689
2024-06-28 11:44:51 [28672:root:699]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 3
2024-06-28 11:44:51 [28672:root:699][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:
2024-06-28 11:44:51 [28672:root:699]Received: auth_rsp_data.grp_list[0] = 3054238368
2024-06-28 11:44:51 [28672:root:699]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]
FW01 # diag debug disable FW01 # diagnose test application fnbamd 1
2024-06-28 11:45:07 Total fnbam requests in caller side: 235971; EAGAIN errors: 0; other errors: 1
2024-06-28 11:45:07 Pending sessions: 0
2024-06-28 11:45:07 Max session reached: 0
2024-06-28 11:45:07 Res 0: 233055
2024-06-28 11:45:07 Res 1: 715
2024-06-28 11:45:07 Res 2: 0
2024-06-28 11:45:07 Res 3: 1588
2024-06-28 11:45:07 Res 4: 0
2024-06-28 11:45:07 Res 5: 183
2024-06-28 11:45:07 Res 6: 0
2024-06-28 11:45:07 Res 7: 4093
2024-06-28 11:45:07 Res 8: 2
2024-06-28 11:45:07 Res 9: 0
2024-06-28 11:45:07 Res 10: 0
2024-06-28 11:45:07 Res 11: 0
2024-06-28 11:45:07 Res 12: 152
2024-06-28 11:45:07 Auth:
2024-06-28 11:45:07 requests: 6300
2024-06-28 11:45:07 sessions: 6300
2024-06-28 11:45:07 released: 6300
2024-06-28 11:45:07 Acct:
2024-06-28 11:45:07 requests: 1
2024-06-28 11:45:07 sessions: 0
2024-06-28 11:45:07 released: 0
2024-06-28 11:45:07 Cert:
2024-06-28 11:45:07 requests: 225414
2024-06-28 11:45:07 sessions: 225414
2024-06-28 11:45:07 released: 225414
2024-06-28 11:45:07 LDAP stats:
2024-06-28 11:45:07 total: 4454
2024-06-28 11:45:07 conn failures: 0
FW01 #
Created on 06-28-2024 03:26 AM Edited on 06-28-2024 03:27 AM
Hi @sidp ,
Thank you for attaching the logs.
Those two requests have failed for an "Unknown" reason (Res 3):
Res 3: 1586 <---- before debug
2024-06-28 11:45:07 Res 3: 1588 <---- after debug
It looks like there is a problem with the DNS resolution of the server mts.local, FortiGate is unable to find its correct IP address:
2024-06-28 11:44:51 [596] create_auth_session-Total 1 server(s) to try
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc0 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.
2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc1 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [902] __ldap_try_next_server-No more server to try for 'mts.local'.
Please try to investigate why the DNS name resolution is failing. You could run a packet sniffer on the FortiGate at the same time of the ssl/fnbamd debug.
As a temporary workaround you could try configuring the IP rather than the name of the LDAP server.
Best regards,
Hi @fricci_FTNT
Hi @sidp ,
You are welcome. Please let us know if the issue occurs again.
Can you provide the following outputs, please:
show system dns
show system dns-database
diag test application dnsproxy 2 #<---run this x2 times
diag test application dnsproxy 3 #<---run this x2 times
Best regards,
Hi @fricci_FTNT
83.13x.yx.xy is the public ISP DNS and 10.1.1.12 is our internal DNS from active directory (LDAP Server).
FW01 # show system dns
config system dns
set primary 83.13x.yx.xy
set secondary 10.1.1.12
set domain "mts.local" "mlab.local"
end
FW01 # show system dns-database
config system dns-database
end
FW01 # diag test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=83.13x.yx.xy latency=6 updated=1641
vfid=0 server=10.1.1.12 latency=1 updated=404
SDNS latency info:
DNS_CACHE: alloc=35, hit=119232
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=2220657 res=2204524 fwd=2085560 cmp=1879 retrans=231 to=47
cur=38 switched=1205126768 num_switched=20339
v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=12, fwd=12, retrans=0, to=0
DNS TCP connections:
FQDN: alloc=29 nl_write_cnt=765354 nl_send_cnt=983584 nl_cur_cnt=1
Botnet: searched=0 hit=0
FW01 # diag test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=83.13x.yx.xy latency=6 updated=1804
vfid=0 server=10.1.1.12 latency=1 updated=567
SDNS latency info:
DNS_CACHE: alloc=35, hit=119232
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=2220657 res=2204524 fwd=2085560 cmp=1879 retrans=231 to=47
cur=38 switched=1205126768 num_switched=20339
v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=12, fwd=12, retrans=0, to=0
DNS TCP connections:
FQDN: alloc=29 nl_write_cnt=765355 nl_send_cnt=983585 nl_cur_cnt=0
Botnet: searched=0 hit=0
FW01 # diag test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
dns64 is disabled
dns-server:83.13x.yx.xy:53 tz=0 tls=0 req=899653 to=108 res=899521 rt=6 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:10.1.1.12:53 tz=0 tls=0 req=1185865 to=69 res=1185796 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
DNS search domain: mts.local, mlab.local,
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=22:23 ha_c=27 unix_s=11, unix_nb_s=28, unix_nc_s=12
v6_udp_s=9, v6_udp_c=25:26, snmp=29, redir=18, v6_redir=19
DNS FD: tcp_s=13, tcp_s6=14, redir=30 v6_redir=31
FGD_DNS_SERVICE_LICENSE:
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=cf6a, tz=60, error_allow=0
FGD_REDIR_V4:FGD_REDIR_V6:
FW01 # diag test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
dns64 is disabled
dns-server:83.13x.yx.xy:53 tz=0 tls=0 req=899653 to=108 res=899521 rt=6 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:10.1.1.12:53 tz=0 tls=0 req=1185865 to=69 res=1185796 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
DNS search domain: mts.local, mlab.local,
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=22:23 ha_c=27 unix_s=11, unix_nb_s=28, unix_nc_s=12
v6_udp_s=9, v6_udp_c=25:26, snmp=29, redir=18, v6_redir=19
DNS FD: tcp_s=13, tcp_s6=14, redir=30 v6_redir=31
FGD_DNS_SERVICE_LICENSE:
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=cf6a, tz=60, error_allow=0
FGD_REDIR_V4:FGD_REDIR_V6:
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.