JeremyNV
New Contributor

Forticlient 20105 error

Have 2 IP addresses for SSLVPN portal, both worked just fine. Yesterday one of them started returning 20105 error on Forticlient when trying to log in. Ping is OK, port is open.
The error says: "Unable to establish VPN connection. VPN server may be unavailable (-20105)"


Where should I search for problems?

 

Debug logs:

[11999:SSLVPN:0]SND: LCP Echo_Reply id(189) len(8) [Magic_Number a9caa747]
[12002:SSLVPN:2db]allocSSLConn:289 sconn 0x7f645d05f500 (10:SSLVPN)
[12002:SSLVPN:2db]SSL state:before SSL initialization (*.*.*.123)
[12002:SSLVPN:2db]SSL state:before SSL initialization:DH lib(*.*.*.123)
[12002:SSLVPN:2db]SSL_accept failed, 5:(null)
[12002:SSLVPN:2db]Destroy sconn 0x7f645d05f500, connSize=7. (SSLVPN)
[11991:SSLVPN:2e0]allocSSLConn:289 sconn 0x7f645d2c2400 (10:SSLVPN)
[11991:SSLVPN:2e0]SSL state:before SSL initialization (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:before SSL initialization (*.*.*.123)
[11991:SSLVPN:2e0]got SNI server name: cnt.-us.ru realm (null)
[11991:SSLVPN:2e0]client cert requirement: no
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS read client hello (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write server hello (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write certificate (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write key exchange (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write server done (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write server done:system lib(*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write server done (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS read client key exchange (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS read change cipher spec (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS read finished (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write session ticket (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write change cipher spec (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSLv3/TLS write finished (*.*.*.123)
[11991:SSLVPN:2e0]SSL state:SSL negotiation finished successfully (*.*.*.123)
[11991:SSLVPN:2e0]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[11991:SSLVPN:2e0]req: /remote/info
[11991:SSLVPN:2e0]req: /remote/login
[11991:SSLVPN:2e0]rmt_web_auth_info_parser_common:469 no session id in auth info
[11991:SSLVPN:2e0]rmt_web_get_access_cache:803 invalid cache, ret=4103
[11991:SSLVPN:2e0]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[11991:SSLVPN:2e0]get_cust_page:129 saml_info 0
[11991:SSLVPN:2e0]req: /remote/logincheck
[11991:SSLVPN:2e0]rmt_web_auth_info_parser_common:469 no session id in auth info
[11991:SSLVPN:2e0]rmt_web_access_check:722 access failed, uri=[/remote/logincheck],ret=4103,
[11991:SSLVPN:2e0]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[11991:SSLVPN:2e0]sslvpn_auth_check_usrgroup:2166 forming user/group list from policy.
[11991:SSLVPN:2e0]sslvpn_auth_check_usrgroup:2272 got user (0) group (2:0).
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1697 validating with SSL VPN authentication rules (3), realm ().
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1750 checking rule 1 cipher.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1758 checking rule 1 realm.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1769 checking rule 1 source intf.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1808 checking rule 1 vd source intf.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1923 rule 1 done, got user (0:0) group (1:0) peer group (0).
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1750 checking rule 2 cipher.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1758 checking rule 2 realm.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1769 checking rule 2 source intf.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1923 rule 2 done, got user (0:0) group (2:0) peer group (0).
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1750 checking rule 3 cipher.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1758 checking rule 3 realm.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1769 checking rule 3 source intf.
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:1923 rule 3 done, got user (0:0) group (2:0) peer group (0).
[11991:SSLVPN:2e0]sslvpn_validate_user_group_list:2082 got user (0:0), group (2:0) peer group (0).
[11991:SSLVPN:2e0]two factor check for user_vpn: off
[11991:SSLVPN:2e0]sslvpn_authenticate_user:191 authenticate user: [user_vpn]
[11991:SSLVPN:2e0]sslvpn_authenticate_user:198 create fam state
[11991:SSLVPN:2e0][fam_auth_send_req_internal:405] Groups sent to FNBAM:
[11991:SSLVPN:2e0]group_desc[0].grpname = VPN-group-1
[11991:SSLVPN:2e0]group_desc[1].grpname = VPN-group-2
[11991:SSLVPN:2e0][fam_auth_send_req_internal:416] FNBAM opt = 0X421
[11991:SSLVPN:2e0]fam_auth_send_req_internal:476 fnbam_auth return: 4
[11991:SSLVPN:2e0]fam_auth_send_req:879 task finished with 4
[11991:SSLVPN:2e0][fam_auth_proc_resp:1240] Authenticated groups by FNBAM:
[11991:SSLVPN:2e0]auth_rsp_data.grp_list[0] = VPN-group-2
[11991:SSLVPN:2e0]Auth successful for user user_vpn in group VPN-group-2
[11991:SSLVPN:2e0]fam_do_cb:655 fnbamd return auth success.
[11991:SSLVPN:2e0]SSL VPN login matched rule (2).
[11991:SSLVPN:2e0]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[11991:SSLVPN:2e0]rmt_web_session_create:825 create web session, idx[10]
[11991:SSLVPN:2e0]login_succeeded:524 redirect to hostcheck
[11991:SSLVPN:2e0]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[11991:SSLVPN:2e0]deconstruct_session_id:426 decode session id ok, user=[user_vpn],group=[VPN-group-2],authserver=[--NPS-1],portal=[SSLVPN-2],host=[*.*.*.123],realm=[],idx=10,auth=2,sid=71e46cac,login=1673614050,access=1673614050,saml_logout_url=no
[11991:SSLVPN:2e0]deconstruct_session_id:426 decode session id ok, user=[user_vpn],group=[VPN-group-2],authserver=[--NPS-1],portal=[SSLVPN-2],host=[*.*.*.123],realm=[],idx=10,auth=2,sid=71e46cac,login=1673614050,access=1673614050,saml_logout_url=no
[11991:SSLVPN:2e0]deconstruct_session_id:426 decode session id ok, user=[user_vpn],group=[VPN-group-2],authserver=[--NPS-1],portal=[SSLVPN-2],host=[*.*.*.123],realm=[],idx=10,auth=2,sid=71e46cac,login=1673614050,access=1673614050,saml_logout_url=no
[11991:SSLVPN:2e0]rmt_hcinstall_cb_handler:289 set session flag to limit check.[11991:SSLVPN:2e0]req: /remote/fortisslvpn
[11991:SSLVPN:2e0]deconstruct_session_id:426 decode session id ok, user=[user_vpn],group=[VPN-group-2],authserver=[--NPS-1],portal=[SSLVPN-2],host=[*.*.*.123],realm=[],idx=10,auth=2,sid=71e46cac,login=1673614050,access=1673614050,saml_logout_url=yes
[11991:SSLVPN:2e0]deconstruct_session_id:426 decode session id ok, user=[user_vpn],group=[VPN-group-2],authserver=[--NPS-1],portal=[SSLVPN-2],host=[*.*.*.123],realm=[],idx=10,auth=2,sid=71e46cac,login=1673614050,access=1673614050,saml_logout_url=no
[11991:SSLVPN:2e0]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[11991:SSLVPN:2e0]req: /remote/fortisslvpn_xml
[11991:SSLVPN:2e0]deconstruct_session_id:426 decode session id ok, user=[user_vpn],group=[VPN-group-2],authserver=[--NPS-1],portal=[SSLVPN-2],host=[*.*.*.123],realm=[],idx=10,auth=2,sid=71e46cac,login=1673614050,access=1673614050,saml_logout_url=yes
[11991:SSLVPN:2e0]deconstruct_session_id:426 decode session id ok, user=[user_vpn],group=[VPN-group-2],authserver=[--NPS-1],portal=[SSLVPN-2],host=[*.*.*.123],realm=[],idx=10,auth=2,sid=71e46cac,login=1673614050,access=1673614050,saml_logout_url=no
[11991:SSLVPN:2e0]rmt_fortisslvpn_xml_cb_handler:2222 Remove old sessions.
[11991:SSLVPN:0]sslvpn_internal_remove_one_web_session:2877 web session (SSLVPN:user_vpn:VPN-group-2:*.*.*.123:19 1) removed for Deleted to make way for another session
[11991:SSLVPN:0]sslvpn_internal_remove_apsession_by_idx:2509 free app session, idx[10]
[11991:SSLVPN:2e0]sslvpn_reserve_dynip:1146 tunnel vd[SSLVPN] ip[*.*.*.11] app session idx[10]
[11991:SSLVPN:2a6]cliRead,1093, read=0, tunnel finish.
[11991:SSLVPN:2a6]fsv_tunnel2_state_cleanup:1348 0x7f645d2c9c00::0x7f6451b8f000
[11991:SSLVPN:2a6]fsv_disassociate_fd_to_ipaddr:1609 deassociate *.*.*.29 from tun (ssl.SSLVPN:62)
[11991:SSLVPN:2a6]session removed s: 0x7f645d2c9c00 (SSLVPN)

 

abarushka
Staff

Hello,

 

Could you please elaborate whether you are trying to access the server via web mode or tunnel mode?

JeremyNV

Hello
It's SSLVPN mode in Forticlient. I suppose it's tunnel mode. 

abarushka

Hello,

 

In order to isolate the issue, I would recommend sniffing traffic towards the server (diagnose sniffer packet any 'host <server IP address>' 4 0 a) and trying to reproduce the issue.

JeremyNV

Not sure if it helps. I replaced the host IP with "host" and the server IP with "server":

SSLVPN # diagnose sniffer packet any 'host server and host' 4 0 a
interfaces=[any]
filters=[host server and host]
2023-01-17 11:02:11.469342 port23 in host.50998 -> server: syn 1221404508
2023-01-17 11:02:11.469352 ISP-SSL out host.50998 -> server: syn 1221404508
2023-01-17 11:02:11.469353 port24 out host.50998 -> server: syn 1221404508
2023-01-17 11:02:11.469367 SSL-ISP in host.50998 -> server: syn 1221404508
2023-01-17 11:02:11.469381 SSL-ISP out server -> host.50998: syn 2864276829 ack 1221404509
2023-01-17 11:02:11.469382 port26 out server -> host.50998: syn 2864276829 ack 1221404509
2023-01-17 11:02:11.469395 ISP-SSL in server -> host.50998: syn 2864276829 ack 1221404509
2023-01-17 11:02:11.469404 port23 out server -> host.50998: syn 2864276829 ack 1221404509
2023-01-17 11:02:11.557812 port23 in host.50998 -> server: ack 2864276830
2023-01-17 11:02:11.557820 ISP-SSL out host.50998 -> server: ack 2864276830
2023-01-17 11:02:11.557821 port24 out host.50998 -> server: ack 2864276830
2023-01-17 11:02:11.557834 SSL-ISP in host.50998 -> server: ack 2864276830
2023-01-17 11:02:11.591964 port23 in host.50998 -> server: fin 1221404509 ack 2864276830
2023-01-17 11:02:11.591968 ISP-SSL out host.50998 -> server: fin 1221404509 ack 2864276830
2023-01-17 11:02:11.591968 port24 out host.50998 -> server: fin 1221404509 ack 2864276830
2023-01-17 11:02:11.591981 SSL-ISP in host.50998 -> server: fin 1221404509 ack 2864276830
2023-01-17 11:02:11.592053 SSL-ISP out server -> host.50998: fin 2864276830 ack 1221404510
2023-01-17 11:02:11.592055 port26 out server -> host.50998: fin 2864276830 ack 1221404510
2023-01-17 11:02:11.592069 ISP-SSL in server -> host.50998: fin 2864276830 ack 1221404510
2023-01-17 11:02:11.592073 port23 out server -> host.50998: fin 2864276830 ack 1221404510
2023-01-17 11:02:11.679625 SSL-ISP in host.50998 -> server: ack 2864276831
2023-01-17 11:02:14.936598 port23 in host.50956 -> server: fin 3512938796 ack 2199799432
2023-01-17 11:02:14.936603 ISP-SSL out host.50956 -> server: fin 3512938796 ack 2199799432
2023-01-17 11:02:14.936604 port24 out host.50956 -> server: fin 3512938796 ack 2199799432
2023-01-17 11:02:14.936617 SSL-ISP in host.50956 -> server: fin 3512938796 ack 2199799432
2023-01-17 11:02:14.936666 SSL-ISP out server -> host.50956: fin 2199799432 ack 3512938797
2023-01-17 11:02:14.936668 port26 out server -> host.50956: fin 2199799432 ack 3512938797
2023-01-17 11:02:14.936682 ISP-SSL in server -> host.50956: fin 2199799432 ack 3512938797
2023-01-17 11:02:14.936685 port23 out server -> host.50956: fin 2199799432 ack 3512938797
2023-01-17 11:02:14.948631 port23 in host.51010 -> server: syn 430303881
2023-01-17 11:02:14.948644 ISP-SSL out host.51010 -> server: syn 430303881
2023-01-17 11:02:14.948645 port24 out host.51010 -> server: syn 430303881
2023-01-17 11:02:14.948658 SSL-ISP in host.51010 -> server: syn 430303881
2023-01-17 11:02:14.948673 SSL-ISP out server -> host.51010: syn 571075383 ack 430303882
2023-01-17 11:02:14.948674 port26 out server -> host.51010: syn 571075383 ack 430303882
2023-01-17 11:02:14.948688 ISP-SSL in server -> host.51010: syn 571075383 ack 430303882
2023-01-17 11:02:14.948696 port23 out server -> host.51010: syn 571075383 ack 430303882
2023-01-17 11:02:15.024283 SSL-ISP in host.50956 -> server: ack 2199799433
2023-01-17 11:02:15.038513 port23 in host.51010 -> server: ack 571075384
2023-01-17 11:02:15.038523 ISP-SSL out host.51010 -> server: ack 571075384
2023-01-17 11:02:15.038524 port24 out host.51010 -> server: ack 571075384
2023-01-17 11:02:15.038539 SSL-ISP in host.51010 -> server: ack 571075384
2023-01-17 11:02:15.038841 SSL-ISP in host.51010 -> server: psh 430303882 ack 571075384
2023-01-17 11:02:15.038852 SSL-ISP out server -> host.51010: ack 430304235
2023-01-17 11:02:15.038853 port26 out server -> host.51010: ack 430304235
2023-01-17 11:02:15.043116 SSL-ISP out server -> host.51010: 571075384 ack 430304235
2023-01-17 11:02:15.043119 port26 out server -> host.51010: 571075384 ack 430304235
2023-01-17 11:02:15.043123 SSL-ISP out server -> host.51010: psh 571076796 ack 430304235
2023-01-17 11:02:15.043124 port26 out server -> host.51010: psh 571076796 ack 430304235
2023-01-17 11:02:15.134039 SSL-ISP in host.51010 -> server: ack 571076796
2023-01-17 11:02:15.134182 SSL-ISP in host.51010 -> server: ack 571077438
2023-01-17 11:02:15.146861 SSL-ISP in host.51010 -> server: psh 430304235 ack 571077438
2023-01-17 11:02:15.148902 SSL-ISP out server -> host.51010: psh 571077438 ack 430304393
2023-01-17 11:02:15.148905 port26 out server -> host.51010: psh 571077438 ack 430304393
2023-01-17 11:02:15.237570 SSL-ISP in host.51010 -> server: ack 571077680
2023-01-17 11:02:15.238101 SSL-ISP in host.51010 -> server: psh 430304393 ack 571077680
2023-01-17 11:02:15.238205 SSL-ISP out server -> host.51010: psh 571077680 ack 430304580
2023-01-17 11:02:15.238207 port26 out server -> host.51010: psh 571077680 ack 430304580
2023-01-17 11:02:15.330817 SSL-ISP in host.51010 -> server: ack 571078299
2023-01-17 11:02:15.331385 SSL-ISP in host.51010 -> server: psh 430304580 ack 571078299
2023-01-17 11:02:15.331609 SSL-ISP out server -> host.51010: 571078299 ack 430304768
2023-01-17 11:02:15.331612 port26 out server -> host.51010: 571078299 ack 430304768
2023-01-17 11:02:15.331617 SSL-ISP out server -> host.51010: 571079711 ack 430304768
2023-01-17 11:02:15.331619 port26 out server -> host.51010: 571079711 ack 430304768
2023-01-17 11:02:15.331624 SSL-ISP out server -> host.51010: 571081123 ack 430304768
2023-01-17 11:02:15.331626 port26 out server -> host.51010: 571081123 ack 430304768
2023-01-17 11:02:15.331630 SSL-ISP out server -> host.51010: psh 571082535 ack 430304768
2023-01-17 11:02:15.331631 port26 out server -> host.51010: psh 571082535 ack 430304768
2023-01-17 11:02:15.420735 SSL-ISP in host.51010 -> server: ack 571079711
2023-01-17 11:02:15.420940 SSL-ISP in host.51010 -> server: ack 571081123
2023-01-17 11:02:15.421063 SSL-ISP in host.51010 -> server: ack 571082535
2023-01-17 11:02:15.421066 SSL-ISP in host.51010 -> server: ack 571083582
2023-01-17 11:02:15.424389 SSL-ISP in host.51010 -> server: psh 430304768 ack 571083582
2023-01-17 11:02:15.450528 SSL-ISP out server -> host.51010: psh 571083582 ack 430305294
2023-01-17 11:02:15.450530 port26 out server -> host.51010: psh 571083582 ack 430305294
2023-01-17 11:02:15.540083 SSL-ISP in host.51010 -> server: ack 571084468
2023-01-17 11:02:15.540680 SSL-ISP in host.51010 -> server: psh 430305294 ack 571084468
2023-01-17 11:02:15.541135 SSL-ISP out server -> host.51010: 571084468 ack 430305785
2023-01-17 11:02:15.541137 port26 out server -> host.51010: 571084468 ack 430305785
2023-01-17 11:02:15.541145 SSL-ISP out server -> host.51010: 571085880 ack 430305785
2023-01-17 11:02:15.541148 port26 out server -> host.51010: 571085880 ack 430305785
2023-01-17 11:02:15.541155 SSL-ISP out server -> host.51010: 571087292 ack 430305785
2023-01-17 11:02:15.541157 port26 out server -> host.51010: 571087292 ack 430305785
2023-01-17 11:02:15.541161 SSL-ISP out server -> host.51010: psh 571088704 ack 430305785
2023-01-17 11:02:15.541164 port26 out server -> host.51010: psh 571088704 ack 430305785
2023-01-17 11:02:15.629980 SSL-ISP in host.51010 -> server: ack 571085880
2023-01-17 11:02:15.630315 SSL-ISP in host.51010 -> server: ack 571087292
2023-01-17 11:02:15.631254 SSL-ISP in host.51010 -> server: ack 571088704
2023-01-17 11:02:15.631480 SSL-ISP in host.51010 -> server: ack 571088881
2023-01-17 11:02:15.633859 SSL-ISP in host.51010 -> server: psh 430305785 ack 571088881
2023-01-17 11:02:15.634319 SSL-ISP out server -> host.51010: 571088881 ack 430306280
2023-01-17 11:02:15.634321 port26 out server -> host.51010: 571088881 ack 430306280
2023-01-17 11:02:15.634325 SSL-ISP out server -> host.51010: psh 571090293 ack 430306280
2023-01-17 11:02:15.634326 port26 out server -> host.51010: psh 571090293 ack 430306280
2023-01-17 11:02:15.725046 SSL-ISP in host.51010 -> server: ack 571090293
JeremyNV

Do you have any suggestions on where to look?

abarushka

Hello,

 

The TCP session was established successfully. The TLS session (if applicable) was also most likely established successfully, since there are quite a few packets after the TCP session establishment. I would recommend checking the logs on the server side.

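An added example, not part of the thread and not Fortinet tooling: a Python function that collapses `diagnose sniffer packet ... 4` output like the capture above into one summary per TCP flow (handshake completed, payload segments per side, who sent the first FIN). It assumes the flag layout visible in that capture, where a line starting with `psh` or a bare sequence number is a payload segment; `summarize` and `LINE` are names chosen here.

```python
import re

# Abridged from the capture posted above (addresses already redacted by the poster).
SAMPLE = """\
2023-01-17 11:02:11.469342 port23 in host.50998 -> server: syn 1221404508
2023-01-17 11:02:11.469367 SSL-ISP in host.50998 -> server: syn 1221404508
2023-01-17 11:02:11.469381 SSL-ISP out server -> host.50998: syn 2864276829 ack 1221404509
2023-01-17 11:02:11.557812 port23 in host.50998 -> server: ack 2864276830
2023-01-17 11:02:11.591964 port23 in host.50998 -> server: fin 1221404509 ack 2864276830
2023-01-17 11:02:11.592053 SSL-ISP out server -> host.50998: fin 2864276830 ack 1221404510
2023-01-17 11:02:14.948631 port23 in host.51010 -> server: syn 430303881
2023-01-17 11:02:14.948673 SSL-ISP out server -> host.51010: syn 571075383 ack 430303882
2023-01-17 11:02:15.038513 port23 in host.51010 -> server: ack 571075384
2023-01-17 11:02:15.038841 SSL-ISP in host.51010 -> server: psh 430303882 ack 571075384
2023-01-17 11:02:15.043116 SSL-ISP out server -> host.51010: 571075384 ack 430304235
2023-01-17 11:02:15.043123 SSL-ISP out server -> host.51010: psh 571076796 ack 430304235
"""

# date, time, interface, direction, source, destination, flags/sequence numbers
LINE = re.compile(r"^\S+ \S+ (\S+) (in|out) (\S+) -> (\S+): (.+)$")

def summarize(capture):
    """Return {client endpoint: summary} for each TCP flow in the sniffer text."""
    flows, seen = {}, set()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines such as "interfaces=[any]"
        _iface, _direction, src, dst, rest = m.groups()
        if (src, dst, rest) in seen:
            continue  # same packet reported again on another interface
        seen.add((src, dst, rest))
        tok = rest.split()
        f = flows.setdefault(frozenset((src, dst)), {
            "client": src, "syn": False, "synack": False,
            "established": False, "data": {}, "first_fin": None, "rst": False})
        if "syn" in tok and "ack" not in tok:
            f["client"], f["syn"] = src, True
        elif "syn" in tok:
            f["synack"] = True
        elif tok[0] == "fin":
            f["first_fin"] = f["first_fin"] or src
        elif tok[0] == "rst":
            f["rst"] = True
        elif tok[0] == "ack":
            # bare ACK: completes the handshake once SYN and SYN/ACK were seen
            f["established"] = f["established"] or (f["syn"] and f["synack"])
        else:
            # "psh SEQ ack N" or "SEQ ack N": a segment carrying payload
            f["data"][src] = f["data"].get(src, 0) + 1
    return {f["client"]: f for f in flows.values()}
```

On the sample, the `host.50998` flow completes the handshake and is closed by the client with no payload, while `host.51010` carries payload in both directions.
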
RachelGomez123
Contributor

To troubleshoot this yourself if you have this error, try to eliminate the client as the issue by accessing the web portal through a web browser via xxx.xxx.xxx.xxx:yyy/, where x is your IP and y is your port. Updating FortiClient to the newest version resolved the issue.

 

Regards,

Rachel Gomez
