FortiClient VPN stops at 48% with warning -7200

sidp · ‎06-27-2024

Hi,

Our users keep having problems logging in with Forticlient VPN only.
It happens very often that Forticlient stops at 48% and issues the warning -7200. Sometimes you have to repeat the login process 3-7 times and then the client asks for the Fortitoken and can then log in successfully.

FortiOS v6.4.15

We are using LDAP authentication with Fortitoken.

It doesn't matter whether I set username-sensitivity to disable or leave it at default enable.

Does anyone know the problem and can help?

[326:root:d3a]allocSSLConn:298 sconn 0x7f268edacd00 (0:root)
[326:root:d3a]SSL state:before SSL initialization (77.239.xy.xyx)
[326:root:d3a]SSL state:before SSL initialization:DH lib(77.239.xy.xyx)
[326:root:d3a]SSL_accept failed, 5:(null)
[326:root:d3a]Destroy sconn 0x7f268edacd00, connSize=1. (root)
[327:root:d3c]allocSSLConn:298 sconn 0x7f268edac800 (0:root)
[327:root:d3c]SSL state:before SSL initialization (77.239.xy.xyx)
[327:root:d3c]SSL state:before SSL initialization (77.239.xy.xyx)
[327:root:d3c]got SNI server name: sslvpn.url.com realm (null)
[327:root:d3c]client cert requirement: no
[327:root:d3c]SSL state:SSLv3/TLS read client hello (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server hello (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write certificate (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write key exchange (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server done (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server done:system lib(77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write server done (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS read client key exchange (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS read change cipher spec (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS read finished (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write session ticket (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write change cipher spec (77.239.xy.xyx)
[327:root:d3c]SSL state:SSLv3/TLS write finished (77.239.xy.xyx)
[327:root:d3c]SSL state:SSL negotiation finished successfully (77.239.xy.xyx)
[327:root:d3c]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[327:root:d3c]req: /remote/info
[327:root:d3c]capability flags: 0xdf
[327:root:d3c]req: /remote/login?realm=mts
[327:root:d3c]rmt_web_auth_info_parser_common:465 no session id in auth info
[327:root:d3c]rmt_web_get_access_cache:808 invalid cache, ret=4103
[327:root:d3c]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[327:root:d3c]get_cust_page:127 saml_info 0
[327:root:d3c]req: /remote/logincheck
[327:root:d3c]rmt_web_auth_info_parser_common:465 no session id in auth info
[327:root:d3c]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,
[327:root:d3c]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[327:root:d3c]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.
[327:root:d3c]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.
[327:root:d3c]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).
[327:root:d3c]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).
[327:root:d3c]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.
[327:root:d3c]sslvpn_validate_user_group_list:1936 checking rule 2 realm.
[327:root:d3c]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.
[327:root:d3c]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.
[327:root:d3c]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).
[327:root:d3c]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.
[327:root:d3c]sslvpn_validate_user_group_list:1936 checking rule 3 realm.
[327:root:d3c]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.
[327:root:d3c]sslvpn_validate_user_group_list:1936 checking rule 4 realm.
[327:root:d3c]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).
[327:root:d3c]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).
[327:root:d3c]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.
[327:root:d3c]two factor check for max: off
[327:root:d3c]sslvpn_authenticate_user:167 authenticate user: [max]
[327:root:d3c]sslvpn_authenticate_user:174 create fam state
[327:root:d3c][fam_auth_send_req_internal:425] Groups sent to FNBAM:
[327:root:d3c]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts
[327:root:d3c][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
[327:root:d3c]fam_auth_send_req_internal:513 fnbam_auth return: 4
[327:root:d3c]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 3
[327:root:d3c][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:
[327:root:d3c]Received: auth_rsp_data.grp_list[0] = 3054238368
[327:root:d3c]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]

DPadula · ‎06-27-2024

Hi sidp

Check the following link: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL...

48%.

Negotiation stops at this percentage if there is an issue with two-factor authentication.
If negotiation stops at this percentage with the error 'Credential or SSL VPN configuration is wrong (-7200)', recheck the credentials.
To resolve the 'Credential or SSL VPN configuration is wrong (-7200)' error, follow the steps in this article: Troubleshooting Tip: When logging in with SSL VPN, the error 'Credential or SSLVPN configuration is ....
Failure to connect via SSL VPN with 'Credential or SSL VPN configuration is wrong. (-7200)' message with 'sslvpn_login_cert_checked_error': Troubleshooting Tip: Failure to connect via SSL VPN with 'Credential or SSLVPN configuration is wron...

sidp · ‎06-27-2024

Hi DPadula

Thank you.

Wrong credentials is not possible, of course that was the first thing we checked and we've checked it many many times.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-When-logging-in-with-SSL-VPN-the-err... we tried that a few months ago but it didn't get any better...
Third links seems to be a certificate error but we get sslvpn_login_no_matching_policy

Other things I tested was changing some of the timeouts in global config.

config system global
set admintimeout 60
set ldapconntimeout 1500
set remoteauthtimeout 210
end

fricci_FTNT · ‎06-27-2024

Hi @sidp ,

Looking at the logs I can see that there is no policy matching:

[327:root:d3c]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]

Could you run the following again and paste the output, please:

diagnose test application fnbamd 1
diagnose debug reset
diag debug console timestamp enable
diag debug application fnbamd 0x4
diag debug app sslvpn 0x10FF
diag debug enable

# try to connect to VPN and authenticate with LDAP

diag debug disable

diagnose test application fnbamd 1

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

sidp · ‎06-27-2024

Hi fricci_FTNT,

I will test it but it may take some time since the error does not always occur and I do not know how to provoke it.

Br

sidp · ‎06-28-2024

Okay, I encountered the problem again and was able to capture the debug log.

Spoiler

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.06.28 11:43:52 =~=~=~=~=~=~=~=~=~=~=~=
FW01 # diagnose test application fnbamd 1 
Total fnbam requests in caller side: 235969; EAGAIN errors: 0; other errors: 1
Pending sessions: 0
Max session reached: 0
Res 0: 233055
Res 1: 715
Res 2: 0
Res 3: 1586
Res 4: 0
Res 5: 183
Res 6: 0
Res 7: 4093
Res 8: 2
Res 9: 0
Res 10: 0
Res 11: 0
Res 12: 152
Auth:
requests: 6298
sessions: 6298
released: 6298
Acct:
requests: 1
sessions: 0
released: 0
Cert:
requests: 225414
sessions: 225414
released: 225414
LDAP stats:
total: 4454
conn failures: 0

FW01 # diagnose debug reset FW01 # diag debug console timestamp enable FW01 # diag debug application fnbamd 0x4 Debug messages will be on for 30 minutes.
FW01 # diag debug app sslvpn 0x10FF Debug messages will be on for 30 minutes.
FW01 # diag debug enable FW01 # 2024-06-28 11:44:31 [28669:root:69b]allocSSLConn:298 sconn 0x7f268edc5800 (0:root)
2024-06-28 11:44:31 [28669:root:69b]SSL_accept failed, 5:(null)
2024-06-28 11:44:31 [28669:root:69b]Destroy sconn 0x7f268edc5800, connSize=0. (root)
2024-06-28 11:44:31 [28670:root:69b]allocSSLConn:298 sconn 0x7f268ed9d900 (0:root)
2024-06-28 11:44:31 [28670:root:69b]got SNI server name: sslvpn.url.com realm (null)
2024-06-28 11:44:31 [28670:root:69b]client cert requirement: no
2024-06-28 11:44:31 [28670:root:69b]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-06-28 11:44:31 [28670:root:69b]capability flags: 0xdf
2024-06-28 11:44:31 [28670:root:69b]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:31 [28670:root:69b]rmt_web_get_access_cache:808 invalid cache, ret=4103
2024-06-28 11:44:31 [28670:root:69b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:31 [28670:root:69b]get_cust_page:127 saml_info 0
2024-06-28 11:44:31 [28670:root:69b]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:31 [28670:root:69b]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,
2024-06-28 11:44:31 [28670:root:69b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:31 [28670:root:69b]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 2 realm.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 3 realm.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 4 realm.
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).
2024-06-28 11:44:31 [28670:root:69b]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.
2024-06-28 11:44:31 [28670:root:69b]two factor check for max: off
2024-06-28 11:44:31 [28670:root:69b]sslvpn_authenticate_user:167 authenticate user: [max]
2024-06-28 11:44:31 [28670:root:69b]sslvpn_authenticate_user:174 create fam state
2024-06-28 11:44:31 [28670:root:69b][fam_auth_send_req_internal:425] Groups sent to FNBAM:
2024-06-28 11:44:31 [28670:root:69b]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts 
2024-06-28 11:44:31 [28670:root:69b][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
2024-06-28 11:44:31 [28670:root:69b]fam_auth_send_req_internal:513 fnbam_auth return: 4
2024-06-28 11:44:31 [1901] handle_req-Rcvd auth req 1376404688 for max in opt=00200420 prot=11
2024-06-28 11:44:31 [617] fnbamd_pop3_start-max
2024-06-28 11:44:31 [380] radius_start-Didn't find radius servers (0)
2024-06-28 11:44:31 [752] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-06-28 11:44:31 [2151] __match_and_update_auth_user-Found a matching user in CMDB 'max'
2024-06-28 11:44:31 [1053] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'mts.local' for user 'max' in rgroup 'ldap_dl-fg-sslvpn-realm-mts' (3)
2024-06-28 11:44:31 [1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
2024-06-28 11:44:31 [1713] fnbamd_ldap_init-search filter is: sAMAccountName=max
2024-06-28 11:44:31 [1722] fnbamd_ldap_init-search base is: ou=mts,dc=mts,dc=local
2024-06-28 11:44:31 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dbe 'mts-dc02.mts.local'
2024-06-28 11:44:31 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dbe 'mts-dc02.mts.local'
2024-06-28 11:44:31 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:31 [596] create_auth_session-Total 1 server(s) to try
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dbe
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbe: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dbe
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbe: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [36] __fnbamd_dns_req_del-DNS req 0x1dbe (0x14353740) is removed. Current total: 2
2024-06-28 11:44:31 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:31 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.
2024-06-28 11:44:31 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dbf 'mts-dc03.mts.local'
2024-06-28 11:44:31 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dbf 'mts-dc03.mts.local'
2024-06-28 11:44:31 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dbf
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbf: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dbf
2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbf: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:31 [36] __fnbamd_dns_req_del-DNS req 0x1dbf (0x14353740) is removed. Current total: 2
2024-06-28 11:44:31 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:31 [902] __ldap_try_next_server-No more server to try for 'mts.local'.
2024-06-28 11:44:31 [217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1376404688, len=2124
2024-06-28 11:44:31 [752] destroy_auth_session-delete session 1376404688
2024-06-28 11:44:31 [28670:root:69b]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 3
2024-06-28 11:44:31 [28670:root:69b][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:
2024-06-28 11:44:31 [28670:root:69b]Received: auth_rsp_data.grp_list[0] = 3054238368 
2024-06-28 11:44:31 [28670:root:69b]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]
2024-06-28 11:44:31 [28670:root:0]dump_one_blocklist:85 status=1;host=77.239.xy.xyx;fails=1;logintime=1719567871
2024-06-28 11:44:50 [28671:root:69d]allocSSLConn:298 sconn 0x7f268ed9d400 (0:root)
2024-06-28 11:44:50 [28671:root:69d]SSL_accept failed, 5:(null)
2024-06-28 11:44:50 [28671:root:69d]Destroy sconn 0x7f268ed9d400, connSize=3. (root)
2024-06-28 11:44:50 [28670:root:69b]sslvpn_read_request_common,663, ret=-1 error=-1, sconn=0x7f268ed9d900.
2024-06-28 11:44:50 [28670:root:69b]Destroy sconn 0x7f268ed9d900, connSize=2. (root)
2024-06-28 11:44:51 [28672:root:699]allocSSLConn:298 sconn 0x7f268ed9f200 (0:root)
2024-06-28 11:44:51 [28672:root:699]got SNI server name: sslvpn.url.com realm (null)
2024-06-28 11:44:51 [28672:root:699]client cert requirement: no
2024-06-28 11:44:51 [28672:root:699]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-06-28 11:44:51 [28672:root:699]capability flags: 0xdf
2024-06-28 11:44:51 [28672:root:699]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:51 [28672:root:699]rmt_web_get_access_cache:808 invalid cache, ret=4103
2024-06-28 11:44:51 [28672:root:699]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:51 [28672:root:699]get_cust_page:127 saml_info 0
2024-06-28 11:44:51 [28672:root:699]rmt_web_auth_info_parser_common:465 no session id in auth info
2024-06-28 11:44:51 [28672:root:699]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,
2024-06-28 11:44:51 [28672:root:699]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-06-28 11:44:51 [28672:root:699]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.
2024-06-28 11:44:51 [28672:root:699]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.
2024-06-28 11:44:51 [28672:root:699]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 2 realm.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 3 realm.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 4 realm.
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).
2024-06-28 11:44:51 [28672:root:699]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.
2024-06-28 11:44:51 [28672:root:699]two factor check for max: off
2024-06-28 11:44:51 [28672:root:699]sslvpn_authenticate_user:167 authenticate user: [max]
2024-06-28 11:44:51 [28672:root:699]sslvpn_authenticate_user:174 create fam state
2024-06-28 11:44:51 [28672:root:699][fam_auth_send_req_internal:425] Groups sent to FNBAM:
2024-06-28 11:44:51 [28672:root:699]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts 
2024-06-28 11:44:51 [28672:root:699][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
2024-06-28 11:44:51 [28672:root:699]fam_auth_send_req_internal:513 fnbam_auth return: 4
2024-06-28 11:44:51 [1901] handle_req-Rcvd auth req 1376404689 for max in opt=00200420 prot=11
2024-06-28 11:44:51 [617] fnbamd_pop3_start-max
2024-06-28 11:44:51 [380] radius_start-Didn't find radius servers (0)
2024-06-28 11:44:51 [752] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-06-28 11:44:51 [2151] __match_and_update_auth_user-Found a matching user in CMDB 'max'
2024-06-28 11:44:51 [1053] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'mts.local' for user 'max' in rgroup 'ldap_dl-fg-sslvpn-realm-mts' (3)
2024-06-28 11:44:51 [1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
2024-06-28 11:44:51 [1713] fnbamd_ldap_init-search filter is: sAMAccountName=max
2024-06-28 11:44:51 [1722] fnbamd_ldap_init-search base is: ou=mts,dc=mts,dc=local
2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc0 'mts-dc02.mts.local'
2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc0 'mts-dc02.mts.local'
2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:51 [596] create_auth_session-Total 1 server(s) to try
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc0 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.
2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc1 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [902] __ldap_try_next_server-No more server to try for 'mts.local'.
2024-06-28 11:44:51 [217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1376404689, len=2124
2024-06-28 11:44:51 [752] destroy_auth_session-delete session 1376404689
2024-06-28 11:44:51 [28672:root:699]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 3
2024-06-28 11:44:51 [28672:root:699][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:
2024-06-28 11:44:51 [28672:root:699]Received: auth_rsp_data.grp_list[0] = 3054238368 
2024-06-28 11:44:51 [28672:root:699]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]

FW01 # diag debug disable FW01 # diagnose test application fnbamd 1 
2024-06-28 11:45:07 Total fnbam requests in caller side: 235971; EAGAIN errors: 0; other errors: 1
2024-06-28 11:45:07 Pending sessions: 0
2024-06-28 11:45:07 Max session reached: 0
2024-06-28 11:45:07 Res 0: 233055
2024-06-28 11:45:07 Res 1: 715
2024-06-28 11:45:07 Res 2: 0
2024-06-28 11:45:07 Res 3: 1588
2024-06-28 11:45:07 Res 4: 0
2024-06-28 11:45:07 Res 5: 183
2024-06-28 11:45:07 Res 6: 0
2024-06-28 11:45:07 Res 7: 4093
2024-06-28 11:45:07 Res 8: 2
2024-06-28 11:45:07 Res 9: 0
2024-06-28 11:45:07 Res 10: 0
2024-06-28 11:45:07 Res 11: 0
2024-06-28 11:45:07 Res 12: 152
2024-06-28 11:45:07 Auth:
2024-06-28 11:45:07 requests: 6300
2024-06-28 11:45:07 sessions: 6300
2024-06-28 11:45:07 released: 6300
2024-06-28 11:45:07 Acct:
2024-06-28 11:45:07 requests: 1
2024-06-28 11:45:07 sessions: 0
2024-06-28 11:45:07 released: 0
2024-06-28 11:45:07 Cert:
2024-06-28 11:45:07 requests: 225414
2024-06-28 11:45:07 sessions: 225414
2024-06-28 11:45:07 released: 225414
2024-06-28 11:45:07 LDAP stats:
2024-06-28 11:45:07 total: 4454
2024-06-28 11:45:07 conn failures: 0

FW01 #

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.06.28 11:43:52 =~=~=~=~=~=~=~=~=~=~=~=FW01 # diagnose test application fnbamd 1 Total fnbam requests in caller side: 235969; EAGAIN errors: 0; other errors: 1Pending sessions: 0Max session reached: 0Res 0: 233055Res 1: 715Res 2: 0Res 3: 1586Res 4: 0Res 5: 183Res 6: 0Res 7: 4093Res 8: 2Res 9: 0Res 10: 0Res 11: 0Res 12: 152Auth:requests: 6298sessions: 6298released: 6298Acct:requests: 1sessions: 0released: 0Cert:requests: 225414sessions: 225414released: 225414LDAP stats:total: 4454conn failures: 0FW01 # diagnose debug reset FW01 # diag debug console timestamp enable FW01 # diag debug application fnbamd 0x4 Debug messages will be on for 30 minutes.FW01 # diag debug app sslvpn 0x10FF Debug messages will be on for 30 minutes.FW01 # diag debug enable FW01 # 2024-06-28 11:44:31 [28669:root:69b]allocSSLConn:298 sconn 0x7f268edc5800 (0:root)2024-06-28 11:44:31 [28669:root:69b]SSL_accept failed, 5:(null)2024-06-28 11:44:31 [28669:root:69b]Destroy sconn 0x7f268edc5800, connSize=0. (root)2024-06-28 11:44:31 [28670:root:69b]allocSSLConn:298 sconn 0x7f268ed9d900 (0:root)2024-06-28 11:44:31 [28670:root:69b]got SNI server name: sslvpn.url.com realm (null)2024-06-28 11:44:31 [28670:root:69b]client cert requirement: no2024-06-28 11:44:31 [28670:root:69b]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA3842024-06-28 11:44:31 [28670:root:69b]capability flags: 0xdf2024-06-28 11:44:31 [28670:root:69b]rmt_web_auth_info_parser_common:465 no session id in auth info2024-06-28 11:44:31 [28670:root:69b]rmt_web_get_access_cache:808 invalid cache, ret=41032024-06-28 11:44:31 [28670:root:69b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])2024-06-28 11:44:31 [28670:root:69b]get_cust_page:127 saml_info 02024-06-28 11:44:31 [28670:root:69b]rmt_web_auth_info_parser_common:465 no session id in auth info2024-06-28 11:44:31 [28670:root:69b]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,2024-06-28 11:44:31 [28670:root:69b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])2024-06-28 11:44:31 [28670:root:69b]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.2024-06-28 11:44:31 [28670:root:69b]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.2024-06-28 11:44:31 [28670:root:69b]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 2 realm.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 3 realm.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:1936 checking rule 4 realm.2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).2024-06-28 11:44:31 [28670:root:69b]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).2024-06-28 11:44:31 [28670:root:69b]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.2024-06-28 11:44:31 [28670:root:69b]two factor check for max: off2024-06-28 11:44:31 [28670:root:69b]sslvpn_authenticate_user:167 authenticate user: [max]2024-06-28 11:44:31 [28670:root:69b]sslvpn_authenticate_user:174 create fam state2024-06-28 11:44:31 [28670:root:69b][fam_auth_send_req_internal:425] Groups sent to FNBAM:2024-06-28 11:44:31 [28670:root:69b]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts 2024-06-28 11:44:31 [28670:root:69b][fam_auth_send_req_internal:437] FNBAM opt = 0X2004202024-06-28 11:44:31 [28670:root:69b]fam_auth_send_req_internal:513 fnbam_auth return: 42024-06-28 11:44:31 [1901] handle_req-Rcvd auth req 1376404688 for max in opt=00200420 prot=112024-06-28 11:44:31 [617] fnbamd_pop3_start-max2024-06-28 11:44:31 [380] radius_start-Didn't find radius servers (0)2024-06-28 11:44:31 [752] auth_tac_plus_start-Didn't find tac_plus servers (0)2024-06-28 11:44:31 [2151] __match_and_update_auth_user-Found a matching user in CMDB 'max'2024-06-28 11:44:31 [1053] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'mts.local' for user 'max' in rgroup 'ldap_dl-fg-sslvpn-realm-mts' (3)2024-06-28 11:44:31 [1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 12024-06-28 11:44:31 [1713] fnbamd_ldap_init-search filter is: sAMAccountName=max2024-06-28 11:44:31 [1722] fnbamd_ldap_init-search base is: ou=mts,dc=mts,dc=local2024-06-28 11:44:31 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dbe 'mts-dc02.mts.local'2024-06-28 11:44:31 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dbe 'mts-dc02.mts.local'2024-06-28 11:44:31 [137] fnbamd_dns_resolv_ex-DNS maintainer started.2024-06-28 11:44:31 [596] create_auth_session-Total 1 server(s) to try2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dbe2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbe: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-12024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dbe2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbe: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:31 [36] __fnbamd_dns_req_del-DNS req 0x1dbe (0x14353740) is removed. Current total: 22024-06-28 11:44:31 [47] __fnbamd_dns_req_del-DNS maintainer stopped.2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-12024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local2024-06-28 11:44:31 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.2024-06-28 11:44:31 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dbf 'mts-dc03.mts.local'2024-06-28 11:44:31 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dbf 'mts-dc03.mts.local'2024-06-28 11:44:31 [137] fnbamd_dns_resolv_ex-DNS maintainer started.2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dbf2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbf: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-12024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local2024-06-28 11:44:31 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dbf2024-06-28 11:44:31 [267] fnbamd_dns_parse_resp-req 0x1dbf: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:31 [36] __fnbamd_dns_req_del-DNS req 0x1dbf (0x14353740) is removed. Current total: 22024-06-28 11:44:31 [47] __fnbamd_dns_req_del-DNS maintainer stopped.2024-06-28 11:44:31 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-12024-06-28 11:44:31 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local2024-06-28 11:44:31 [902] __ldap_try_next_server-No more server to try for 'mts.local'.2024-06-28 11:44:31 [217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1376404688, len=21242024-06-28 11:44:31 [752] destroy_auth_session-delete session 13764046882024-06-28 11:44:31 [28670:root:69b]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 32024-06-28 11:44:31 [28670:root:69b][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:2024-06-28 11:44:31 [28670:root:69b]Received: auth_rsp_data.grp_list[0] = 3054238368 2024-06-28 11:44:31 [28670:root:69b]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]2024-06-28 11:44:31 [28670:root:0]dump_one_blocklist:85 status=1;host=77.239.xy.xyx;fails=1;logintime=17195678712024-06-28 11:44:50 [28671:root:69d]allocSSLConn:298 sconn 0x7f268ed9d400 (0:root)2024-06-28 11:44:50 [28671:root:69d]SSL_accept failed, 5:(null)2024-06-28 11:44:50 [28671:root:69d]Destroy sconn 0x7f268ed9d400, connSize=3. (root)2024-06-28 11:44:50 [28670:root:69b]sslvpn_read_request_common,663, ret=-1 error=-1, sconn=0x7f268ed9d900.2024-06-28 11:44:50 [28670:root:69b]Destroy sconn 0x7f268ed9d900, connSize=2. (root)2024-06-28 11:44:51 [28672:root:699]allocSSLConn:298 sconn 0x7f268ed9f200 (0:root)2024-06-28 11:44:51 [28672:root:699]got SNI server name: sslvpn.url.com realm (null)2024-06-28 11:44:51 [28672:root:699]client cert requirement: no2024-06-28 11:44:51 [28672:root:699]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA3842024-06-28 11:44:51 [28672:root:699]capability flags: 0xdf2024-06-28 11:44:51 [28672:root:699]rmt_web_auth_info_parser_common:465 no session id in auth info2024-06-28 11:44:51 [28672:root:699]rmt_web_get_access_cache:808 invalid cache, ret=41032024-06-28 11:44:51 [28672:root:699]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])2024-06-28 11:44:51 [28672:root:699]get_cust_page:127 saml_info 02024-06-28 11:44:51 [28672:root:699]rmt_web_auth_info_parser_common:465 no session id in auth info2024-06-28 11:44:51 [28672:root:699]rmt_web_access_check:727 access failed, uri=[/remote/logincheck],ret=4103,2024-06-28 11:44:51 [28672:root:699]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])2024-06-28 11:44:51 [28672:root:699]rmt_logincheck_cb_handler:1255 user 'max' has a matched local entry.2024-06-28 11:44:51 [28672:root:699]sslvpn_auth_check_usrgroup:2719 forming user/group list from policy.2024-06-28 11:44:51 [28672:root:699]sslvpn_auth_check_usrgroup:2757 got user (0) group (3:0).2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1843 validating with SSL VPN authentication rules (3), realm (mts).2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 2 cipher.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 2 realm.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1947 checking rule 2 source intf.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1986 checking rule 2 vd source intf.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2267 rule 2 done, got user (0:0) group (1:0) peer group (0).2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 3 cipher.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 3 realm.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1928 checking rule 4 cipher.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:1936 checking rule 4 realm.2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2275 got user (0:0) group (1:0) peer group (0).2024-06-28 11:44:51 [28672:root:699]sslvpn_validate_user_group_list:2618 got user (0:0), group (1:0) peer group (0).2024-06-28 11:44:51 [28672:root:699]sslvpn_update_user_group_list:1750 got user (0:0), group (1:0), peer group (0) after update.2024-06-28 11:44:51 [28672:root:699]two factor check for max: off2024-06-28 11:44:51 [28672:root:699]sslvpn_authenticate_user:167 authenticate user: [max]2024-06-28 11:44:51 [28672:root:699]sslvpn_authenticate_user:174 create fam state2024-06-28 11:44:51 [28672:root:699][fam_auth_send_req_internal:425] Groups sent to FNBAM:2024-06-28 11:44:51 [28672:root:699]group_desc[0].grpname = ldap_dl-fg-sslvpn-realm-mts 2024-06-28 11:44:51 [28672:root:699][fam_auth_send_req_internal:437] FNBAM opt = 0X2004202024-06-28 11:44:51 [28672:root:699]fam_auth_send_req_internal:513 fnbam_auth return: 42024-06-28 11:44:51 [1901] handle_req-Rcvd auth req 1376404689 for max in opt=00200420 prot=112024-06-28 11:44:51 [617] fnbamd_pop3_start-max2024-06-28 11:44:51 [380] radius_start-Didn't find radius servers (0)2024-06-28 11:44:51 [752] auth_tac_plus_start-Didn't find tac_plus servers (0)2024-06-28 11:44:51 [2151] __match_and_update_auth_user-Found a matching user in CMDB 'max'2024-06-28 11:44:51 [1053] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'mts.local' for user 'max' in rgroup 'ldap_dl-fg-sslvpn-realm-mts' (3)2024-06-28 11:44:51 [1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 12024-06-28 11:44:51 [1713] fnbamd_ldap_init-search filter is: sAMAccountName=max2024-06-28 11:44:51 [1722] fnbamd_ldap_init-search base is: ou=mts,dc=mts,dc=local2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc0 'mts-dc02.mts.local'2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc0 'mts-dc02.mts.local'2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.2024-06-28 11:44:51 [596] create_auth_session-Total 1 server(s) to try2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc02024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-12024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc02024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc0 (0x14353740) is removed. Current total: 22024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-12024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local2024-06-28 11:44:51 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc1 'mts-dc03.mts.local'2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc1 'mts-dc03.mts.local'2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc12024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-12024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc12024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=02024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc1 (0x14353740) is removed. Current total: 22024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-12024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local2024-06-28 11:44:51 [902] __ldap_try_next_server-No more server to try for 'mts.local'.2024-06-28 11:44:51 [217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1376404689, len=21242024-06-28 11:44:51 [752] destroy_auth_session-delete session 13764046892024-06-28 11:44:51 [28672:root:699]fam_auth_proc_resp:1287 fnbam_auth_update_result return: 32024-06-28 11:44:51 [28672:root:699][fam_auth_proc_resp:1385] Authenticated groups (1) by FNBAM:2024-06-28 11:44:51 [28672:root:699]Received: auth_rsp_data.grp_list[0] = 3054238368 2024-06-28 11:44:51 [28672:root:699]login_failed:391 user[max],auth_type=1 failed [sslvpn_login_no_matching_policy]FW01 # diag debug disable FW01 # diagnose test application fnbamd 1 2024-06-28 11:45:07 Total fnbam requests in caller side: 235971; EAGAIN errors: 0; other errors: 12024-06-28 11:45:07 Pending sessions: 02024-06-28 11:45:07 Max session reached: 02024-06-28 11:45:07 Res 0: 2330552024-06-28 11:45:07 Res 1: 7152024-06-28 11:45:07 Res 2: 02024-06-28 11:45:07 Res 3: 15882024-06-28 11:45:07 Res 4: 02024-06-28 11:45:07 Res 5: 1832024-06-28 11:45:07 Res 6: 02024-06-28 11:45:07 Res 7: 40932024-06-28 11:45:07 Res 8: 22024-06-28 11:45:07 Res 9: 02024-06-28 11:45:07 Res 10: 02024-06-28 11:45:07 Res 11: 02024-06-28 11:45:07 Res 12: 1522024-06-28 11:45:07 Auth:2024-06-28 11:45:07 requests: 63002024-06-28 11:45:07 sessions: 63002024-06-28 11:45:07 released: 63002024-06-28 11:45:07 Acct:2024-06-28 11:45:07 requests: 12024-06-28 11:45:07 sessions: 02024-06-28 11:45:07 released: 02024-06-28 11:45:07 Cert:2024-06-28 11:45:07 requests: 2254142024-06-28 11:45:07 sessions: 2254142024-06-28 11:45:07 released: 2254142024-06-28 11:45:07 LDAP stats:2024-06-28 11:45:07 total: 44542024-06-28 11:45:07 conn failures: 0FW01 #

fricci_FTNT · ‎06-28-2024

Hi @sidp ,

Thank you for attaching the logs.

Those two requests have failed for an "Unknown" reason (Res 3):

Res 3: 1586 <---- before debug

2024-06-28 11:45:07 Res 3: 1588 <---- after debug

It looks like there is a problem with the DNS resolution of the server mts.local, FortiGate is unable to find its correct IP address:

2024-06-28 11:44:51 [596] create_auth_session-Total 1 server(s) to try
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc0
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc0: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc0 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc02.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc02.mts.local
2024-06-28 11:44:51 [907] __ldap_try_next_server-Try next server 'mts-dc03.mts.local' for 'mts.local'.
2024-06-28 11:44:51 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x3dc1 'mts-dc03.mts.local'
2024-06-28 11:44:51 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x1dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to 0.0.0.0, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x3dc1
2024-06-28 11:44:51 [267] fnbamd_dns_parse_resp-req 0x1dc1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2024-06-28 11:44:51 [36] __fnbamd_dns_req_del-DNS req 0x1dc1 (0x14353740) is removed. Current total: 2
2024-06-28 11:44:51 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2024-06-28 11:44:51 [1146] __fnbamd_ldap_dns_cb-Resolved mts.local:mts-dc03.mts.local to ::, cur stack size:-1
2024-06-28 11:44:51 [1160] __fnbamd_ldap_dns_cb-No valid address is found for mts.local:mts-dc03.mts.local
2024-06-28 11:44:51 [902] __ldap_try_next_server-No more server to try for 'mts.local'.

Please try to investigate why the DNS name resolution is failing. You could run a packet sniffer on the FortiGate at the same time of the ssl/fnbamd debug.
As a temporary workaround you could try configuring the IP rather than the name of the LDAP server.

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

sidp · ‎06-28-2024

Hi @fricci_FTNT

Thank you so far.

I changed it to IP for the moment and will check if it still occurs.

Our internal DNS is set as secondary and primary is our ISP. I read somewhere that the internal DNS has to be configured as secondary for internal queries to work.

fricci_FTNT · ‎06-28-2024

Hi @sidp ,
You are welcome. Please let us know if the issue occurs again.

Can you provide the following outputs, please:
show system dns
show system dns-database
diag test application dnsproxy 2 #<---run this x2 times
diag test application dnsproxy 3 #<---run this x2 times

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

sidp · ‎07-01-2024

Hi @fricci_FTNT

83.13x.yx.xy is the public ISP DNS and 10.1.1.12 is our internal DNS from active directory (LDAP Server).

FW01 # show system dns
config system dns
set primary 83.13x.yx.xy
set secondary 10.1.1.12
set domain "mts.local" "mlab.local"
end

FW01 # show system dns-database
config system dns-database
end

FW01 # diag test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=83.13x.yx.xy latency=6 updated=1641
vfid=0 server=10.1.1.12 latency=1 updated=404
SDNS latency info:
DNS_CACHE: alloc=35, hit=119232
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=2220657 res=2204524 fwd=2085560 cmp=1879 retrans=231 to=47
cur=38 switched=1205126768 num_switched=20339
v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=12, fwd=12, retrans=0, to=0

DNS TCP connections:

FQDN: alloc=29 nl_write_cnt=765354 nl_send_cnt=983584 nl_cur_cnt=1
Botnet: searched=0 hit=0

FW01 # diag test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=83.13x.yx.xy latency=6 updated=1804
vfid=0 server=10.1.1.12 latency=1 updated=567
SDNS latency info:
DNS_CACHE: alloc=35, hit=119232
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=2220657 res=2204524 fwd=2085560 cmp=1879 retrans=231 to=47
cur=38 switched=1205126768 num_switched=20339
v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=12, fwd=12, retrans=0, to=0

DNS TCP connections:

FQDN: alloc=29 nl_write_cnt=765355 nl_send_cnt=983585 nl_cur_cnt=0
Botnet: searched=0 hit=0

FW01 # diag test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
dns64 is disabled
dns-server:83.13x.yx.xy:53 tz=0 tls=0 req=899653 to=108 res=899521 rt=6 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:10.1.1.12:53 tz=0 tls=0 req=1185865 to=69 res=1185796 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
Interface selecting method: auto
Specified interface: 
FortiGuard interface selecting method: auto
FortiGuard specified interface: 
DNS search domain: mts.local, mlab.local, 
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=22:23 ha_c=27 unix_s=11, unix_nb_s=28, unix_nc_s=12
v6_udp_s=9, v6_udp_c=25:26, snmp=29, redir=18, v6_redir=19
DNS FD: tcp_s=13, tcp_s6=14, redir=30 v6_redir=31
FGD_DNS_SERVICE_LICENSE:
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=cf6a, tz=60, error_allow=0
FGD_REDIR_V4:FGD_REDIR_V6:

FW01 # diag test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
dns64 is disabled
dns-server:83.13x.yx.xy:53 tz=0 tls=0 req=899653 to=108 res=899521 rt=6 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:10.1.1.12:53 tz=0 tls=0 req=1185865 to=69 res=1185796 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
Interface selecting method: auto
Specified interface: 
FortiGuard interface selecting method: auto
FortiGuard specified interface: 
DNS search domain: mts.local, mlab.local, 
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=22:23 ha_c=27 unix_s=11, unix_nb_s=28, unix_nc_s=12
v6_udp_s=9, v6_udp_c=25:26, snmp=29, redir=18, v6_redir=19
DNS FD: tcp_s=13, tcp_s6=14, redir=30 v6_redir=31
FGD_DNS_SERVICE_LICENSE:
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=cf6a, tz=60, error_allow=0
FGD_REDIR_V4:FGD_REDIR_V6:

FortiClient VPN stops at 48% with warning -7200

Nominate a Forum Post for Knowledge Article Creation