Hy @ all,
I am dealing with a stupid problem on forticlient. I have 2 PCs, both are running the same forticlient version (7.2.3). One pc is located in austria and one pc is located in china. Both PCs have the same config-file. The firewall is located in china.
the clients gets authenticated over ldap integrated certificate authentication.
The Fortigate is an 80F, with Firmware 7.2.8
When i connect the forticlient from the pc, which is located in austria, it works fine but when i do the same thing from the pc, which is located in china, the connection fails.
This is the debug applicaton output from the pc from austria:
fg1-nan2 # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
fg1-nan2 # diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
fg1-nan2 # diagnose debug console timestamp enable
fg1-nan2 # diagnose debug enable
fg1-nan2 # 2024-07-11 13:00:05 [208] __fnbamd_remote_ca_refresh-
2024-07-11 13:00:09 [281:root:a4b]allocSSLConn:310 sconn 0x7faf56d000 (0:root)
2024-07-11 13:00:09 [281:root:a4b]SSL state:before SSL initialization (213.162.73.14)
2024-07-11 13:00:09 [281:root:a4b]SSL state:fatal decode error (213.162.73.14)
2024-07-11 13:00:09 [281:root:a4b]SSL state:error:(null)(213.162.73.14)
2024-07-11 13:00:09 [281:root:a4b]SSL_accept failed, 1:unexpected eof while reading
2024-07-11 13:00:09 [281:root:a4b]Destroy sconn 0x7faf56d000, connSize=0. (root)
2024-07-11 13:00:10 [275:root:a4a]allocSSLConn:310 sconn 0x7fb0455800 (0:root)
2024-07-11 13:00:10 [275:root:a4a]SSL state:before SSL initialization (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]SSL state:before SSL initialization (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]got SNI server name: computervpn-cn.stiwa.com realm computervpn-cn
2024-07-11 13:00:10 [275:root:a4a]client cert requirement: yes
2024-07-11 13:00:10 [275:root:a4a]SSL state:SSLv3/TLS read client hello (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]SSL state:SSLv3/TLS write server hello (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]SSL state:SSLv3/TLS write certificate (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]SSL state:SSLv3/TLS write key exchange (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]SSL state:SSLv3/TLS write certificate request (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]SSL state:SSLv3/TLS write server done (213.162.73.14)
2024-07-11 13:00:10 [275:root:a4a]SSL state:SSLv3/TLS write server done:(null)(213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS write server done (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS read client certificate (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS read client key exchange (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS read certificate verify (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS read change cipher spec (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS read finished (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS write session ticket (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS write change cipher spec (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSLv3/TLS write finished (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL state:SSL negotiation finished successfully (213.162.73.14)
2024-07-11 13:00:11 [275:root:a4a]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-07-11 13:00:11 [275:root:a4a]req: /remote/info
2024-07-11 13:00:11 [275:root:a4a]capability flags: 0x1ddf
2024-07-11 13:00:11 [275:root:a4a]req: /remote/login
2024-07-11 13:00:11 [275:root:a4a]rmt_web_auth_info_parser_common:524 no session id in auth info
2024-07-11 13:00:11 [275:root:a4a]rmt_web_get_access_cache:873 invalid cache, ret=4103
2024-07-11 13:00:11 [275:root:a4a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-07-11 13:00:11 [275:root:a4a]Got EMS SN: FCTEMS8823000443, EMS Tenant ID: 00000000000000000000000000000000
2024-07-11 13:00:11 [275:root:0]sslvpn_test_cert_rule:1153 realm: computervpn-cn vhost: computervpn-cn.stiwa.com vhost_only: (0).
2024-07-11 13:00:11 [275:root:0]sslvpn_test_auth_cert_rule:159 vd_src_intf_matched: 1, match_realm: 1, vhost-only: 0.
2024-07-11 13:00:11 [275:root:a4a]sslvpn_auth_check_usrgroup:3049 forming user/group list from policy.
2024-07-11 13:00:11 [275:root:a4a]sslvpn_auth_check_usrgroup:3096 got user (0) group (0:1).
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:1939 validating with SSL VPN authentication rules (1), realm (computervpn-cn).
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:2033 checking rule 1 cipher.
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:2041 checking rule 1 realm.
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:2052 checking rule 1 source intf.
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:2091 checking rule 1 vd source intf.
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:2590 rule 1 done, got user (0:0) group (0:0) peer group (1).
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:2598 got user (0:0) group (0:0) peer group (1).
2024-07-11 13:00:11 [275:root:a4a]sslvpn_validate_user_group_list:2945 got user (0:0), group (0:0) peer group (1).
2024-07-11 13:00:11 [275:root:a4a]fam_cert_send_req:1174 peer group 'computervpn_cn' is sent for verification.
2024-07-11 13:00:11 [275:root:a4a]fam_cert_send_req:1180 doing authentication for 1 group(s).
2024-07-11 13:00:11 [2487] handle_req-Rcvd auth_cert req id=40364424, len=1144, opt=0
2024-07-11 13:00:11 [983] __cert_auth_ctx_init-req_id=40364424, opt=0
2024-07-11 13:00:11 [103] __cert_chg_st- 'Init'
2024-07-11 13:00:11 [156] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
2024-07-11 13:00:11 [669] __cert_init-req_id=40364424
2024-07-11 13:00:11 [718] __cert_build_chain-req_id=40364424
2024-07-11 13:00:11 [273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
2024-07-11 13:00:11 [291] fnbamd_chain_build-Following depth 0
2024-07-11 13:00:11 [326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CA_Cert_1')
2024-07-11 13:00:11 [291] fnbamd_chain_build-Following depth 1
2024-07-11 13:00:11 [305] fnbamd_chain_build-Self-sign detected.
2024-07-11 13:00:11 [99] __cert_chg_st- 'Init' -> 'Validation'
2024-07-11 13:00:11 [840] __cert_verify-req_id=40364424
2024-07-11 13:00:11 [841] __cert_verify-Chain is complete.
2024-07-11 13:00:11 [486] fnbamd_cert_verify-Chain number:2
2024-07-11 13:00:11 [500] fnbamd_cert_verify-Following cert chain depth 0
2024-07-11 13:00:11 [573] fnbamd_cert_verify-Issuer found: CA_Cert_1 (SSL_DPI opt 1)
2024-07-11 13:00:11 [500] fnbamd_cert_verify-Following cert chain depth 1
2024-07-11 13:00:11 [675] fnbamd_cert_check_group_list-checking group with name 'computervpn_cn'
2024-07-11 13:00:11 [490] __check_add_peer-check 'computer_cn'
2024-07-11 13:00:11 [366] peer_subject_cn_check-Cert subject 'CN = NBATT1ITSB1.stiwa.com'
2024-07-11 13:00:11 [77] fnbamd_peer_ldap_push-Check LDAP setting of peer user 'computer_cn'
2024-07-11 13:00:11 [237] fnbamd_peer_remote_server_push-Adding 5 matching rules to 'VPN_COMPUTER_CN'
2024-07-11 13:00:11 [497] __check_add_peer-'computer_cn' check ret:pending
2024-07-11 13:00:11 [490] __check_add_peer-check 'VPN_COMPUTER_CN'
2024-07-11 13:00:11 [492] __check_add_peer-'VPN_COMPUTER_CN' is not a peer user.
2024-07-11 13:00:11 [709] fnbamd_cert_check_group_list-LDAP servers
2024-07-11 13:00:11 [712] fnbamd_cert_check_group_list- 'VPN_COMPUTER_CN', (Principle-Name), ref=2
2024-07-11 13:00:11 [191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2024-07-11 13:00:11 [738] fnbamd_cert_check_group_list-Peer users
2024-07-11 13:00:11 [741] fnbamd_cert_check_group_list- 'computer_cn' ('VPN_COMPUTER_CN','N/A')
2024-07-11 13:00:11 [876] __cert_verify_do_next-req_id=40364424
2024-07-11 13:00:11 [99] __cert_chg_st- 'Validation' -> 'Status-Query'
2024-07-11 13:00:11 [623] __cert_status_query-req_id=40364424
2024-07-11 13:00:11 [419] __cert_ldap_query-req_id=40364424
2024-07-11 13:00:11 [426] __cert_ldap_query-LDAP query, idx 0
2024-07-11 13:00:11 [448] __cert_ldap_query-UPN = 'NBATT1ITSB1$@stiwa.com'
2024-07-11 13:00:11 [1718] fnbamd_ldap_init-search filter is: (&(sAMAccountName=NBATT1ITSB1$)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
2024-07-11 13:00:11 [1728] fnbamd_ldap_init-search base is: DC=stiwa,DC=com
2024-07-11 13:00:11 [1150] __fnbamd_ldap_dns_cb-Resolved VPN_COMPUTER_CN:10.170.2.40 to 10.170.2.40, cur stack size:1
2024-07-11 13:00:11 [925] __fnbamd_ldap_get_next_addr-
2024-07-11 13:00:11 [1155] __fnbamd_ldap_dns_cb-Connection starts VPN_COMPUTER_CN:10.170.2.40, addr 10.170.2.40 over SSL
2024-07-11 13:00:11 [880] __fnbamd_ldap_start_conn-Still connecting 10.170.2.40.
2024-07-11 13:00:11 [543] __cert_ocsp_query-req_id=40364424
2024-07-11 13:00:11 [551] __cert_ocsp_query-Nothing to do.
2024-07-11 13:00:11 [953] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=40364424
2024-07-11 13:00:11 [1691] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=40364424
2024-07-11 13:00:12 [1108] __ldap_connect-tcps_connect(10.170.2.40) is established.
2024-07-11 13:00:12 [986] __ldap_rxtx-state 3(Admin Binding)
2024-07-11 13:00:12 [363] __ldap_build_bind_req-Binding to 'fortigate-service@stiwa.com'
2024-07-11 13:00:12 [1083] fnbamd_ldap_send-sending 53 bytes to 10.170.2.40
2024-07-11 13:00:12 [1096] fnbamd_ldap_send-Request is sent. ID 1
2024-07-11 13:00:12 [986] __ldap_rxtx-state 4(Admin Bind resp)
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 8
2024-07-11 13:00:12 [1233] fnbamd_ldap_recv-Leftover 2
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 14
2024-07-11 13:00:12 [1306] fnbamd_ldap_recv-Response len: 16, svr: 10.170.2.40
2024-07-11 13:00:12 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2024-07-11 13:00:12 [1023] fnbamd_ldap_parse_response-ret=0
2024-07-11 13:00:12 [1053] __ldap_rxtx-Change state to 'DN search'
2024-07-11 13:00:12 [986] __ldap_rxtx-state 11(DN search)
2024-07-11 13:00:12 [750] fnbamd_ldap_build_dn_search_req-base:'DC=stiwa,DC=com' filter:(&(sAMAccountName=NBATT1ITSB1$)(!(UserAccountControl:1.2.840.113556.1.4.803:=2
)))
2024-07-11 13:00:12 [1083] fnbamd_ldap_send-sending 132 bytes to 10.170.2.40
2024-07-11 13:00:12 [1096] fnbamd_ldap_send-Request is sent. ID 2
2024-07-11 13:00:12 [986] __ldap_rxtx-state 12(DN search resp)
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 8
2024-07-11 13:00:12 [1233] fnbamd_ldap_recv-Leftover 2
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 72
2024-07-11 13:00:12 [1306] fnbamd_ldap_recv-Response len: 74, svr: 10.170.2.40
2024-07-11 13:00:12 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
2024-07-11 13:00:12 [1023] fnbamd_ldap_parse_response-ret=0
2024-07-11 13:00:12 [1226] __fnbamd_ldap_dn_entry-Get DN 'CN=NBATT1ITSB1,OU=Computers,OU=Verwaltung,DC=stiwa,DC=com'
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 8
2024-07-11 13:00:12 [1233] fnbamd_ldap_recv-Leftover 2
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 14
2024-07-11 13:00:12 [1306] fnbamd_ldap_recv-Response len: 16, svr: 10.170.2.40
2024-07-11 13:00:12 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
2024-07-11 13:00:12 [1023] fnbamd_ldap_parse_response-ret=0
2024-07-11 13:00:12 [1053] __ldap_rxtx-Change state to 'Attr query'
2024-07-11 13:00:12 [986] __ldap_rxtx-state 7(Attr query)
2024-07-11 13:00:12 [649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
2024-07-11 13:00:12 [661] fnbamd_ldap_build_attr_search_req-base:'CN=NBATT1ITSB1,OU=Computers,OU=Verwaltung,DC=stiwa,DC=com' filter:cn=*
2024-07-11 13:00:12 [1083] fnbamd_ldap_send-sending 134 bytes to 10.170.2.40
2024-07-11 13:00:12 [1096] fnbamd_ldap_send-Request is sent. ID 3
2024-07-11 13:00:12 [986] __ldap_rxtx-state 8(Attr query resp)
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 8
2024-07-11 13:00:12 [1233] fnbamd_ldap_recv-Leftover 2
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 573
2024-07-11 13:00:12 [1306] fnbamd_ldap_recv-Response len: 575, svr: 10.170.2.40
2024-07-11 13:00:12 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:search-entry
2024-07-11 13:00:12 [1023] fnbamd_ldap_parse_response-ret=0
2024-07-11 13:00:12 [556] __get_member_of_groups-Get the memberOf groups.
2024-07-11 13:00:12 [522] __retrieve_group_values-Get the memberOf groups.
2024-07-11 13:00:12 [532] __retrieve_group_values- attr='memberOf', found 5 values
2024-07-11 13:00:12 [542] __retrieve_group_values-val[0]='CN=FortiEMS_Computer,OU=Apps,OU=Gruppen,OU=Verwaltung,DC=de,DC=stiwa,DC=com'
2024-07-11 13:00:12 [542] __retrieve_group_values-val[1]='CN=FortiEMS_Computer,OU=Apps,OU=Gruppen,OU=Verwaltung,DC=cn,DC=stiwa,DC=com'
2024-07-11 13:00:12 [542] __retrieve_group_values-val[2]='CN=FortiEMS_Computer,OU=Apps,OU=Gruppen,OU=Verwaltung,DC=stiwa,DC=com'
2024-07-11 13:00:12 [542] __retrieve_group_values-val[3]='CN=Temp_FortiEMS_Computer_Test_Deployment,OU=Temp,OU=Gruppen,OU=Verwaltung,DC=stiwa,DC=com'
2024-07-11 13:00:12 [542] __retrieve_group_values-val[4]='CN=Temp_FortiEMS_Computer,OU=Temp,OU=Gruppen,OU=Verwaltung,DC=stiwa,DC=com'
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 8
2024-07-11 13:00:12 [1233] fnbamd_ldap_recv-Leftover 2
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 14
2024-07-11 13:00:12 [1306] fnbamd_ldap_recv-Response len: 16, svr: 10.170.2.40
2024-07-11 13:00:12 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:search-result
2024-07-11 13:00:12 [1023] fnbamd_ldap_parse_response-ret=0
2024-07-11 13:00:12 [1306] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
2024-07-11 13:00:12 [1053] __ldap_rxtx-Change state to 'Primary group query'
2024-07-11 13:00:12 [986] __ldap_rxtx-state 13(Primary group query)
2024-07-11 13:00:12 [685] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
2024-07-11 13:00:12 [689] fnbamd_ldap_build_primary_grp_search_req-number of sub auths 5
2024-07-11 13:00:12 [707] fnbamd_ldap_build_primary_grp_search_req-base:'DC=stiwa,DC=com' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\
76\44\3c\7c\4e\45\73\27\60\29\17\3c\03\02\00\00))
2024-07-11 13:00:12 [1083] fnbamd_ldap_send-sending 119 bytes to 10.170.2.40
2024-07-11 13:00:12 [1096] fnbamd_ldap_send-Request is sent. ID 4
2024-07-11 13:00:12 [986] __ldap_rxtx-state 14(Primary group query resp)
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 8
2024-07-11 13:00:12 [1233] fnbamd_ldap_recv-Leftover 2
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 112
2024-07-11 13:00:12 [1306] fnbamd_ldap_recv-Response len: 114, svr: 10.170.2.40
2024-07-11 13:00:12 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
2024-07-11 13:00:12 [1023] fnbamd_ldap_parse_response-ret=0
2024-07-11 13:00:12 [472] __get_one_group-group: CN=Domain Computers,CN=Users,DC=stiwa,DC=com
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 8
2024-07-11 13:00:12 [1233] fnbamd_ldap_recv-Leftover 2
2024-07-11 13:00:12 [1127] __fnbamd_ldap_read-Read 14
2024-07-11 13:00:12 [1306] fnbamd_ldap_recv-Response len: 16, svr: 10.170.2.40
2024-07-11 13:00:12 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
2024-07-11 13:00:12 [1023] fnbamd_ldap_parse_response-ret=0
2024-07-11 13:00:12 [1431] __fnbamd_ldap_primary_grp_next-Auth accepted
2024-07-11 13:00:12 [1053] __ldap_rxtx-Change state to 'Done'
2024-07-11 13:00:12 [986] __ldap_rxtx-state 23(Done)
2024-07-11 13:00:12 [1083] fnbamd_ldap_send-sending 7 bytes to 10.170.2.40
2024-07-11 13:00:12 [1096] fnbamd_ldap_send-Request is sent. ID 5
2024-07-11 13:00:12 [785] __ldap_done-svr 'VPN_COMPUTER_CN'
2024-07-11 13:00:12 [755] __ldap_destroy-
2024-07-11 13:00:12 [724] __ldap_stop-Conn with 10.170.2.40 destroyed.
2024-07-11 13:00:12 [377] __cert_ldap_query_cb-LDAP ret=0, server='VPN_COMPUTER_CN', req_id=40364424
2024-07-11 13:00:12 [388] __cert_ldap_query_cb-Matched peer 'computer_cn'
2024-07-11 13:00:12 [755] __ldap_destroy-
2024-07-11 13:00:12 [271] __cert_resume-req_id=40364424
2024-07-11 13:00:12 [99] __cert_chg_st- 'Status-Query' -> 'Done'
2024-07-11 13:00:12 [921] __cert_done-req_id=40364424
2024-07-11 13:00:12 [1654] fnbamd_auth_session_done-Session done, id=40364424
2024-07-11 13:00:12 [966] __fnbamd_cert_auth_run-Exit, req_id=40364424
2024-07-11 13:00:12 [1645] __auth_cert_session_done-id=40364424
2024-07-11 13:00:12 [1610] auth_cert_success-id=40364424
2024-07-11 13:00:12 [1068] fnbamd_cert_auth_copy_cert_status-req_id=40364424
2024-07-11 13:00:12 [1076] fnbamd_cert_auth_copy_cert_status-Matched peer user 'computer_cn'
2024-07-11 13:00:12 [833] fnbamd_cert_check_matched_groups-checking group with name 'computervpn_cn'
2024-07-11 13:00:12 [121] fnbamd_ldap_dn_match-DN 'CN=FortiEMS_Computer,OU=Apps,OU=Gruppen,OU=Verwaltung,DC=cn,DC=stiwa,DC=com' is matched with 'CN=FortiEMS_Computer,
OU=Apps,OU=Gruppen,OU=Verwaltung,DC=cn,DC=stiwa,DC=com', idx=1.
2024-07-11 13:00:12 [895] fnbamd_cert_check_matched_groups-matched
2024-07-11 13:00:12 [1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2024-07-11 13:00:12 [1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=40364424
2024-07-11 13:00:12 [209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 40364424, len=2552
2024-07-11 13:00:12 [1555] destroy_auth_cert_session-id=40364424
2024-07-11 13:00:12 [1041] fnbamd_cert_auth_uninit-req_id=40364424
2024-07-11 13:00:12 [755] __ldap_destroy-
2024-07-11 13:00:12 [275:root:a4a]2024-07-11 13:00:12 [131] fnbamd_peer_ctx_free-Freeing peer ctx 'computer_cn'
[fam_cert_proc_resp:1978] Authenticated groups (1) by FNBAM with auth_type (0):
2024-07-11 13:00:12 [1764] fnbamd_ldap_auth_ctx_free-Freeing 'VPN_COMPUTER_CN' ctx
2024-07-11 13:00:12 [275:root:a4a]fam_cert_proc_resp:1996 found node computervpn_cn:0:, valid:1, auth:0
2024-07-11 13:00:12 [275:root:a4a]auth_rsp_data.matched_cert_grps[0] = computervpn_cn
2024-07-11 13:00:12 [275:root:a4a]fam_cert_proc_resp:2027 match rule (1), user (computer_cn:computervpn_cn) portal (computer_CN).
2024-07-11 13:00:12 [275:root:a4a]peer user 'computer_cn' uses LDAP server 'VPN_COMPUTER_CN' for 2FA.
2024-07-11 13:00:12 [275:root:a4a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-07-11 13:00:12 [275:root:0]get tunnel link address4
2024-07-11 13:00:12 [275:root:a4a]rmt_web_session_create:1029 create web session, idx[0]
2024-07-11 13:00:12 [275:root:a4a]rmt_hcinstall_cb_handler:210 enter
2024-07-11 13:00:12 [275:root:a4a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-07-11 13:00:12 [275:root:a4a]rmt_hcinstall_cb_handler:288 hostchk needed : 0.
2024-07-11 13:00:12 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:12 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:12 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:13 [275:root:a4a]req: /remote/logincheck
2024-07-11 13:00:13 [275:root:a4a]Transfer-Encoding n/a
2024-07-11 13:00:13 [275:root:a4a]Content-Length 141
2024-07-11 13:00:13 [275:root:a4a]readPostEnter:17 Post Data length 141.
2024-07-11 13:00:13 [275:root:a4a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-07-11 13:00:13 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:13 [275:root:a4a]req: /sslvpn/portal.html
2024-07-11 13:00:13 [275:root:a4a]mza: 0x30b3de0 /sslvpn/portal.html
2024-07-11 13:00:13 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:13 [275:root:a4a]req: /remote/fortisslvpn
2024-07-11 13:00:13 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:13 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:13 [275:root:a4a]Got EMS SN: FCTEMS8823000443, EMS Tenant ID: 00000000000000000000000000000000
2024-07-11 13:00:13 [275:root:a4a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-07-11 13:00:13 [275:root:a4a]req: /remote/fortisslvpn_xml
2024-07-11 13:00:13 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:13 [275:root:a4a]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:13 [275:root:a4a]Got EMS SN: FCTEMS8823000443, EMS Tenant ID: 00000000000000000000000000000000
2024-07-11 13:00:13 [275:root:a4a]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.191.228.1] app session idx[0]
2024-07-11 13:00:14 [276:root:a4d]allocSSLConn:310 sconn 0x7faf56c000 (0:root)
2024-07-11 13:00:14 [276:root:a4d]SSL state:before SSL initialization (213.162.73.14)
2024-07-11 13:00:14 [276:root:a4d]SSL state:before SSL initialization (213.162.73.14)
2024-07-11 13:00:14 [276:root:a4d]got SNI server name: computervpn-cn.stiwa.com realm computervpn-cn
2024-07-11 13:00:14 [276:root:a4d]client cert requirement: yes
2024-07-11 13:00:14 [276:root:a4d]SSL state:SSLv3/TLS read client hello (213.162.73.14)
2024-07-11 13:00:14 [276:root:a4d]SSL state:SSLv3/TLS write server hello (213.162.73.14)
2024-07-11 13:00:14 [276:root:a4d]SSL state:SSLv3/TLS write change cipher spec (213.162.73.14)
2024-07-11 13:00:14 [276:root:a4d]SSL state:TLSv1.3 early data (213.162.73.14)
2024-07-11 13:00:14 [276:root:a4d]SSL state:TLSv1.3 early data:(null)(213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:TLSv1.3 early data (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]got SNI server name: computervpn-cn.stiwa.com realm computervpn-cn
2024-07-11 13:00:15 [276:root:a4d]client cert requirement: yes
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS read client hello (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS write server hello (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:TLSv1.3 write encrypted extensions (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS write certificate request (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS write certificate (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:TLSv1.3 write server certificate verify (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS write finished (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:TLSv1.3 early data (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:TLSv1.3 early data:(null)(213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:TLSv1.3 early data (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS read client certificate (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS read finished (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS write session ticket (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL state:SSLv3/TLS write session ticket (213.162.73.14)
2024-07-11 13:00:15 [276:root:a4d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
2024-07-11 13:00:15 [276:root:a4d]No client certificate
2024-07-11 13:00:15 [276:root:a4d]req: /remote/sslvpn-tunnel2?dns0=192.168.110.
2024-07-11 13:00:15 [276:root:a4d]sslvpn_tunnel2_handler,60, Calling rmt_conn_access_ex.
2024-07-11 13:00:15 [276:root:a4d]deconstruct_session_id:505 decode session id ok, user=[computer_cn,cn=NBATT1ITSB1.stiwa.com], group=[computervpn_cn],authserver=[VPN
_COMPUTER_CN],portal=[computer_CN],host[213.162.73.14],realm=[computervpn-cn],csrf_token=[6FA04322F5E1EF52E8D8B04BF0483217],idx=0,auth=32,sid=31350690,login=172067401
2,access=1720674012,saml_logout_url=no,pip=no,grp_info=[EflCM1],rmt_grp_info=[]
2024-07-11 13:00:15 [276:root:a4d]normal tunnel2 request received.
2024-07-11 13:00:15 [276:root:a4d]sslvpn_tunnel2_handler,171, fct_uuid = 566116E95E9D4C8FB774D22D0496A3AB
2024-07-11 13:00:15 [276:root:a4d]sslvpn_tunnel2_handler,179, Calling tunnel2 with hostname NBATT1ITSB1.
2024-07-11 13:00:15 [276:root:a4d]tunnel2_enter:1558 0x7faf56c000:0x7faf57e000 sslvpn user[computer_cn,cn=NBATT1ITSB1.stiwa.com],type 32,logintime 0 vd 0 vrf 0
2024-07-11 13:00:15 [276:root:a4d]tun dev (ssl.root) opened (28)
2024-07-11 13:00:15 [276:root:a4d]fsv_associate_fd_to_ipaddr:2335 associate 10.191.228.1 to tun (ssl.root:28)
2024-07-11 13:00:15 [276:root:a4d]proxy arp: scanning 35 interfaces for IP 10.191.228.1
2024-07-11 13:00:15 [276:root:a4d]no ethernet address for proxy ARP
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10294
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10293
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10292
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10291
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10290
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10289
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10288
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10287
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10286
2024-07-11 13:00:15 [276:root:a4d]sslvpn_user_match:1171 add user computer_cn in group computervpn_cn
2024-07-11 13:00:15 [276:root:a4d]Will add auth policy for policy 10284
2024-07-11 13:00:15 [276:root:a4d]Add auth logon for user computer_cn,cn=NBATT1ITSB1.stiwa.com:computervpn_cn, matched group number 1
2024-07-11 13:00:19 [2487] handle_req-Rcvd auth_cert req id=29319, len=1130, opt=0
2024-07-11 13:00:19 [983] __cert_auth_ctx_init-req_id=29319, opt=0
2024-07-11 13:00:19 [103] __cert_chg_st- 'Init'
2024-07-11 13:00:19 [156] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
2024-07-11 13:00:19 [669] __cert_init-req_id=29319
2024-07-11 13:00:19 [718] __cert_build_chain-req_id=29319
2024-07-11 13:00:19 [273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
2024-07-11 13:00:19 [291] fnbamd_chain_build-Following depth 0
2024-07-11 13:00:19 [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)
2024-07-11 13:00:19 [162] __cert_prune-0 pruned.
2024-07-11 13:00:19 [677] __cert_init-req_id=29319
2024-07-11 13:00:19 [718] __cert_build_chain-req_id=29319
2024-07-11 13:00:19 [273] fnbamd_chain_build-Chain discovery, opt 0x17, cur total 1
2024-07-11 13:00:19 [291] fnbamd_chain_build-Following depth 0
2024-07-11 13:00:19 [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)
2024-07-11 13:00:19 [352] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
2024-07-11 13:00:19 [690] __cert_init-Depth 0.
2024-07-11 13:00:19 [190] __fnbamd_CA_can_be_queried-Can CA be downloaded?0
2024-07-11 13:00:19 [99] __cert_chg_st- 'Init' -> 'Validation'
2024-07-11 13:00:19 [840] __cert_verify-req_id=29319
2024-07-11 13:00:19 [841] __cert_verify-Chain is not complete.
2024-07-11 13:00:19 [273] fnbamd_chain_build-Chain discovery, opt 0x7, cur total 1
2024-07-11 13:00:19 [291] fnbamd_chain_build-Following depth 0
2024-07-11 13:00:19 [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)
2024-07-11 13:00:19 [352] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
2024-07-11 13:00:19 [486] fnbamd_cert_verify-Chain number:1
2024-07-11 13:00:19 [500] fnbamd_cert_verify-Following cert chain depth 0
2024-07-11 13:00:19 [689] fnbamd_cert_check_group_list-Will match any!
2024-07-11 13:00:19 [191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2024-07-11 13:00:19 [876] __cert_verify_do_next-req_id=29319
2024-07-11 13:00:19 [99] __cert_chg_st- 'Validation' -> 'Done'
2024-07-11 13:00:19 [921] __cert_done-req_id=29319
2024-07-11 13:00:19 [1654] fnbamd_auth_session_done-Session done, id=29319
2024-07-11 13:00:19 [966] __fnbamd_cert_auth_run-Exit, req_id=29319
2024-07-11 13:00:19 [1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=29319
2024-07-11 13:00:19 [1610] auth_cert_success-id=29319
2024-07-11 13:00:19 [1068] fnbamd_cert_auth_copy_cert_status-req_id=29319
2024-07-11 13:00:19 [884] fnbamd_cert_check_matched_groups-checking group ANY
2024-07-11 13:00:19 [895] fnbamd_cert_check_matched_groups-matched
2024-07-11 13:00:19 [1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2024-07-11 13:00:19 [1124] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
2024-07-11 13:00:19 [1195] fnbamd_cert_auth_copy_cert_status-Cert st 4040, req_id=29319
2024-07-11 13:00:19 [209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 29319, len=2538
2024-07-11 13:00:19 [1555] destroy_auth_cert_session-id=29319
2024-07-11 13:00:19 [1041] fnbamd_cert_auth_uninit-req_id=29319
2024-07-11 13:00:20 [275:root:a4a]SSL state:fatal decode error (213.162.73.14)
2024-07-11 13:00:20 [275:root:0]ap_read,105, error=1, errno=0 ssl 0x7faf57c000 Success. error:0A000126:SSL routines::unexpected eof while reading
2024-07-11 13:00:20 [275:root:a4a]sslvpn_read_request_common,684, ret=-1 error=-1, sconn=0x7fb0455800.
2024-07-11 13:00:20 [275:root:a4a]Destroy sconn 0x7fb0455800, connSize=0. (root)
diagnose debug disable
fg1-nan2 #
and this is the output from the pc from china:
fg1-nan2 # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
fg1-nan2 # diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
fg1-nan2 # diagnose debug console timestamp enable
fg1-nan2 # diagnose debug enable
fg1-nan2 # 2024-07-11 13:05:32 [281:root:a4e]allocSSLConn:310 sconn 0x7faf56d000 (0:root)
2024-07-11 13:05:32 [281:root:a4e]SSL state:before SSL initialization (180.98.9.73)
2024-07-11 13:05:32 [281:root:a4e]SSL state:fatal decode error (180.98.9.73)
2024-07-11 13:05:32 [281:root:a4e]SSL state:error:(null)(180.98.9.73)
2024-07-11 13:05:32 [281:root:a4e]SSL_accept failed, 1:unexpected eof while reading
2024-07-11 13:05:32 [281:root:a4e]Destroy sconn 0x7faf56d000, connSize=0. (root)
2024-07-11 13:05:32 [275:root:a4d]allocSSLConn:310 sconn 0x7fb0455800 (0:root)
2024-07-11 13:05:32 [275:root:a4d]SSL state:before SSL initialization (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:before SSL initialization (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]got SNI server name: computervpn-cn.stiwa.com realm computervpn-cn
2024-07-11 13:05:32 [275:root:a4d]client cert requirement: yes
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS read client hello (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write server hello (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write change cipher spec (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 early data (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 early data:(null)(180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 early data (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]got SNI server name: computervpn-cn.stiwa.com realm computervpn-cn
2024-07-11 13:05:32 [275:root:a4d]client cert requirement: yes
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS read client hello (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write server hello (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 write encrypted extensions (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write certificate request (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write certificate (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 write server certificate verify (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write finished (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 early data (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 early data:(null)(180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 early data:(null)(180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:TLSv1.3 early data (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS read client certificate (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS read certificate verify (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS read finished (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write session ticket (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL state:SSLv3/TLS write session ticket (180.98.9.73)
2024-07-11 13:05:32 [275:root:a4d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
2024-07-11 13:05:52 [2487] handle_req-Rcvd auth_cert req id=28842, len=1130, opt=0
2024-07-11 13:05:52 [983] __cert_auth_ctx_init-req_id=28842, opt=0
2024-07-11 13:05:52 [103] __cert_chg_st- 'Init'
2024-07-11 13:05:52 [156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
2024-07-11 13:05:52 [669] __cert_init-req_id=28842
2024-07-11 13:05:52 [718] __cert_build_chain-req_id=28842
2024-07-11 13:05:52 [273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
2024-07-11 13:05:52 [291] fnbamd_chain_build-Following depth 0
2024-07-11 13:05:52 [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)
2024-07-11 13:05:52 [374] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
2024-07-11 13:05:52 [291] fnbamd_chain_build-Following depth 1
2024-07-11 13:05:52 [326] fnbamd_chain_build-Extend chain by system trust store. (good: 'CFCA_EV_ROOT')
2024-07-11 13:05:52 [291] fnbamd_chain_build-Following depth 2
2024-07-11 13:05:52 [305] fnbamd_chain_build-Self-sign detected.
2024-07-11 13:05:52 [99] __cert_chg_st- 'Init' -> 'Validation'
2024-07-11 13:05:52 [840] __cert_verify-req_id=28842
2024-07-11 13:05:52 [841] __cert_verify-Chain is complete.
2024-07-11 13:05:52 [486] fnbamd_cert_verify-Chain number:3
2024-07-11 13:05:52 [500] fnbamd_cert_verify-Following cert chain depth 0
2024-07-11 13:05:52 [500] fnbamd_cert_verify-Following cert chain depth 1
2024-07-11 13:05:52 [573] fnbamd_cert_verify-Issuer found: CFCA_EV_ROOT (SSL_DPI opt 1)
2024-07-11 13:05:52 [500] fnbamd_cert_verify-Following cert chain depth 2
2024-07-11 13:05:52 [689] fnbamd_cert_check_group_list-Will match any!
2024-07-11 13:05:52 [191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2024-07-11 13:05:52 [876] __cert_verify_do_next-req_id=28842
2024-07-11 13:05:52 [99] __cert_chg_st- 'Validation' -> 'Done'
2024-07-11 13:05:52 [921] __cert_done-req_id=28842
2024-07-11 13:05:52 [1654] fnbamd_auth_session_done-Session done, id=28842
2024-07-11 13:05:52 [966] __fnbamd_cert_auth_run-Exit, req_id=28842
2024-07-11 13:05:52 [1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=28842
2024-07-11 13:05:52 [1610] auth_cert_success-id=28842
2024-07-11 13:05:52 [1068] fnbamd_cert_auth_copy_cert_status-req_id=28842
2024-07-11 13:05:52 [884] fnbamd_cert_check_matched_groups-checking group ANY
2024-07-11 13:05:52 [895] fnbamd_cert_check_matched_groups-matched
2024-07-11 13:05:52 [1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2024-07-11 13:05:52 [1124] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
2024-07-11 13:05:52 [1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=28842
2024-07-11 13:05:52 [209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 28842, len=2538
2024-07-11 13:05:52 [1555] destroy_auth_cert_session-id=28842
2024-07-11 13:05:52 [1041] fnbamd_cert_auth_uninit-req_id=28842
2024-07-11 13:05:53 [2487] handle_req-Rcvd auth_cert req id=29277, len=1130, opt=0
2024-07-11 13:05:53 [983] __cert_auth_ctx_init-req_id=29277, opt=0
2024-07-11 13:05:53 [103] __cert_chg_st- 'Init'
2024-07-11 13:05:53 [156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
2024-07-11 13:05:53 [669] __cert_init-req_id=29277
2024-07-11 13:05:53 [718] __cert_build_chain-req_id=29277
2024-07-11 13:05:53 [273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
2024-07-11 13:05:53 [291] fnbamd_chain_build-Following depth 0
2024-07-11 13:05:53 [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)
2024-07-11 13:05:53 [374] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
2024-07-11 13:05:53 [291] fnbamd_chain_build-Following depth 1
2024-07-11 13:05:53 [326] fnbamd_chain_build-Extend chain by system trust store. (good: 'DigiCert_Global_Root_CA')
2024-07-11 13:05:53 [291] fnbamd_chain_build-Following depth 2
2024-07-11 13:05:53 [305] fnbamd_chain_build-Self-sign detected.
2024-07-11 13:05:53 [99] __cert_chg_st- 'Init' -> 'Validation'
2024-07-11 13:05:53 [840] __cert_verify-req_id=29277
2024-07-11 13:05:53 [841] __cert_verify-Chain is complete.
2024-07-11 13:05:53 [486] fnbamd_cert_verify-Chain number:3
2024-07-11 13:05:53 [500] fnbamd_cert_verify-Following cert chain depth 0
2024-07-11 13:05:53 [500] fnbamd_cert_verify-Following cert chain depth 1
2024-07-11 13:05:53 [573] fnbamd_cert_verify-Issuer found: DigiCert_Global_Root_CA (SSL_DPI opt 1)
2024-07-11 13:05:53 [500] fnbamd_cert_verify-Following cert chain depth 2
2024-07-11 13:05:53 [689] fnbamd_cert_check_group_list-Will match any!
2024-07-11 13:05:53 [191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2024-07-11 13:05:53 [876] __cert_verify_do_next-req_id=29277
2024-07-11 13:05:53 [99] __cert_chg_st- 'Validation' -> 'Done'
2024-07-11 13:05:53 [921] __cert_done-req_id=29277
2024-07-11 13:05:53 [1654] fnbamd_auth_session_done-Session done, id=29277
2024-07-11 13:05:53 [966] __fnbamd_cert_auth_run-Exit, req_id=29277
2024-07-11 13:05:53 [1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=29277
2024-07-11 13:05:53 [1610] auth_cert_success-id=29277
2024-07-11 13:05:53 [1068] fnbamd_cert_auth_copy_cert_status-req_id=29277
2024-07-11 13:05:53 [884] fnbamd_cert_check_matched_groups-checking group ANY
2024-07-11 13:05:53 [895] fnbamd_cert_check_matched_groups-matched
2024-07-11 13:05:53 [1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2024-07-11 13:05:53 [1124] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
2024-07-11 13:05:53 [1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=29277
2024-07-11 13:05:53 [209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 29277, len=2538
2024-07-11 13:05:53 [1555] destroy_auth_cert_session-id=29277
2024-07-11 13:05:53 [1041] fnbamd_cert_auth_uninit-req_id=29277
2024-07-11 13:05:53 [275:root:a4d]Timeout for connection 0x7fb0455800.
2024-07-11 13:05:53 [275:root:a4d]Destroy sconn 0x7fb0455800, connSize=0. (root)
2024-07-11 13:05:53 [275:root:a4d]SSL state:warning close notify (180.98.9.73)
2024-07-11 13:06:31 [2487] handle_req-Rcvd auth_cert req id=29430, len=1130, opt=0
2024-07-11 13:06:31 [983] __cert_auth_ctx_init-req_id=29430, opt=0
2024-07-11 13:06:31 [103] __cert_chg_st- 'Init'
2024-07-11 13:06:31 [156] fnbamd_cert_load_certs_from_req-2 cert(s) in req.
2024-07-11 13:06:31 [669] __cert_init-req_id=29430
2024-07-11 13:06:31 [718] __cert_build_chain-req_id=29430
2024-07-11 13:06:31 [273] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
2024-07-11 13:06:31 [291] fnbamd_chain_build-Following depth 0
2024-07-11 13:06:31 [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)
2024-07-11 13:06:31 [374] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
2024-07-11 13:06:31 [291] fnbamd_chain_build-Following depth 1
2024-07-11 13:06:31 [326] fnbamd_chain_build-Extend chain by system trust store. (good: 'DigiCert_Global_Root_CA')
2024-07-11 13:06:31 [291] fnbamd_chain_build-Following depth 2
2024-07-11 13:06:31 [305] fnbamd_chain_build-Self-sign detected.
2024-07-11 13:06:31 [99] __cert_chg_st- 'Init' -> 'Validation'
2024-07-11 13:06:31 [840] __cert_verify-req_id=29430
2024-07-11 13:06:31 [841] __cert_verify-Chain is complete.
2024-07-11 13:06:31 [486] fnbamd_cert_verify-Chain number:3
2024-07-11 13:06:31 [500] fnbamd_cert_verify-Following cert chain depth 0
2024-07-11 13:06:31 [500] fnbamd_cert_verify-Following cert chain depth 1
2024-07-11 13:06:31 [573] fnbamd_cert_verify-Issuer found: DigiCert_Global_Root_CA (SSL_DPI opt 1)
2024-07-11 13:06:31 [500] fnbamd_cert_verify-Following cert chain depth 2
2024-07-11 13:06:31 [689] fnbamd_cert_check_group_list-Will match any!
2024-07-11 13:06:31 [191] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
2024-07-11 13:06:31 [876] __cert_verify_do_next-req_id=29430
2024-07-11 13:06:31 [99] __cert_chg_st- 'Validation' -> 'Done'
2024-07-11 13:06:31 [921] __cert_done-req_id=29430
2024-07-11 13:06:31 [1654] fnbamd_auth_session_done-Session done, id=29430
2024-07-11 13:06:31 [966] __fnbamd_cert_auth_run-Exit, req_id=29430
2024-07-11 13:06:31 [1691] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=29430
2024-07-11 13:06:31 [1610] auth_cert_success-id=29430
2024-07-11 13:06:31 [1068] fnbamd_cert_auth_copy_cert_status-req_id=29430
2024-07-11 13:06:32 [884] fnbamd_cert_check_matched_groups-checking group ANY
2024-07-11 13:06:32 [895] fnbamd_cert_check_matched_groups-matched
2024-07-11 13:06:32 [1107] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
2024-07-11 13:06:32 [1124] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
2024-07-11 13:06:32 [1195] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=29430
2024-07-11 13:06:32 [209] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 29430, len=2538
2024-07-11 13:06:32 [1555] destroy_auth_cert_session-id=29430
2024-07-11 13:06:32 [1041] fnbamd_cert_auth_uninit-req_id=29430
diagnose debug disable
fg1-nan2 #
i have no idea what is causing the problem. i have also deactivaed TLS 1.3 in the internetsettings but nothing changed.
Does anybody have any idea what is causing this problem?
thanks in advance
best regards
Christian
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey Christian,
Does any error pop-up in the PC in China that cannot connect?
Quick question, by any chance is the PC in China Windows11?
Thanks!
Hy ezhupa,
no there is no pop-up which show any error. i have also moved the forticlient window, to see if it is hidden behind the main window.
Yes the client in china is Windows 11 . the client in austria is Windows 10.
Best regards
Christian
Hi @chri_s ,
You might find this thread useful:
Best regards,
Hello,
sorry for my late answer, we have tried severel Notebooks, with different OS (Windows 10 and 11), these also had different NIC Drivers.
After deep searching throught the forticlient log files, i found the error code 12057.
[2024-07-26 16:46:04.2759736 UTC+08:00] [2988:10784] [sslvpnlib 497 debug] FortiSslvpn: LogWininetError(12057) line:1664 msg:It was not possible to connect to the revocation server or a definitive response could not be obtained.
[2024-07-26 16:46:04.2770814 UTC+08:00] [2988:10784] [sslvpnlib 554 debug] FortiSslvpn: HttpSendRequest(): bRC=0, URL=/remote/info, Retry=0, LastError=12057
In the internet i found that you have to disable "Check for server certificate revocation" in the internet options. But nothing has changed.
best regards
chri_s
Trying installing this Visual Studio Redistributable: https://aka.ms/vs/17/release/vc_redist.x64.exe
The Forticlient VPN Application is trying to start fortitray.exe, but it needs a .dll file to work (mfc140u.dll) which is missing from Windows.
After installing and a reboot, your Forticlient VPN app should work again.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.