Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
idharr1
New Contributor II

Forticlient VPN Permission denied (-455)

Hi, 

im using Fortigate 61F with firmware 7.4.3.

so i create SSL VPN for some user. i try the user id and password before give to them and all works perfectly.

but one user inform me that he cant login with current user id and password that i gave before. the error is permission denied (-455)

i try again in my laptop using this credentials and it succssfully login. im checking the fortivpn software uninstall and install the new one but this problems still exist. please advise what should i do for check ? or maybe this user internet connection prohibited using VPN ?

1 Solution
idharr1
New Contributor II

Hi Aek,

i found solution when checking this log 

[286:root:7]rmt_error_cb_handler:131 Can't get corresponding message for key 400. Use the default error message.

 

just using this setup

 

Upgrade to 6.2.0 at least if 'auth-session-check-source-ip disable' is required.

 

# config vpn ssl settings
    set auth-session-check-source-ip enable | disable

 

 

and now the vpn its works.

 

Thanks.

View solution in original post

3 REPLIES 3
AEK
SuperUser
SuperUser

Hi @idharr1 

Enter this on FG CLI the try initiate a VPN connection.

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

 Once done please share the output.

AEK
AEK
idharr1
New Contributor II


@AEK wrote:

Hi @idharr1 

Enter this on FG CLI the try initiate a VPN connection.

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

 Once done please share the output.

 

Hi Aek


forti # [286:root:6]allocSSLConn:312 sconn 0x7f8cc55800 (0:root)
[286:root:6]SSL state:before SSL initialization (103.47.133.65)
[286:root:6]SSL state:fatal decode error (103.47.133.65)
[286:root:6]SSL state:error:(null)(103.47.133.65)
[286:root:6]SSL_accept failed, 1:unexpected eof while reading
[286:root:6]Destroy sconn 0x7f8cc55800, connSize=0. (root)
[287:root:6]allocSSLConn:312 sconn 0x7f8cc55800 (0:root)
[287:root:6]SSL state:before SSL initialization (103.171.147.88)
[287:root:6]SSL state:before SSL initialization (103.171.147.88)
[287:root:6]no SNI received
[287:root:6]client cert requirement: no
[287:root:6]SSL state:SSLv3/TLS read client hello (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write server hello (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write certificate (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write key exchange (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write server done (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write server done:(null)(103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write server done (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS read client key exchange (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS read change cipher spec (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS read finished (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write session ticket (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write change cipher spec (103.171.147.88)
[287:root:6]SSL state:SSLv3/TLS write finished (103.171.147.88)
[287:root:6]SSL state:SSL negotiation finished successfully (103.171.147.88)
[287:root:6]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[287:root:6]req: /remote/info
[287:root:6]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[287:root:6]capability flags: 0x3cdf
[288:root:6]allocSSLConn:312 sconn 0x7f8cc55800 (0:root)
[288:root:6]SSL state:before SSL initialization (103.47.133.104)
[288:root:6]SSL state:before SSL initialization (103.47.133.104)
[288:root:6]no SNI received
[288:root:6]client cert requirement: no
[288:root:6]SSL state:SSLv3/TLS read client hello (103.47.133.104)
[288:root:6]SSL state:SSLv3/TLS write server hello (103.47.133.104)
[288:root:6]SSL state:SSLv3/TLS write certificate (103.47.133.104)
[288:root:6]SSL state:SSLv3/TLS write key exchange (103.47.133.104)
[288:root:6]SSL state:SSLv3/TLS write server done (103.47.133.104)
[288:root:6]SSL state:SSLv3/TLS write server done:(null)(103.47.133.104)
[288:root:6]SSL state:fatal decode error (103.47.133.104)
[288:root:6]SSL state:error:(null)(103.47.133.104)
[288:root:6]SSL_accept failed, 1:unexpected eof while reading
[288:root:6]Destroy sconn 0x7f8cc55800, connSize=0. (root)
[289:root:6]allocSSLConn:312 sconn 0x7f8cc55800 (0:root)
[289:root:6]SSL state:before SSL initialization (103.171.147.97)
[289:root:6]SSL state:before SSL initialization (103.171.147.97)
[289:root:6]no SNI received
[289:root:6]client cert requirement: no
[289:root:6]SSL state:SSLv3/TLS read client hello (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write server hello (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write certificate (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write key exchange (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write server done (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write server done:(null)(103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write server done (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS read client key exchange (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS read change cipher spec (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS read finished (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write session ticket (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write change cipher spec (103.171.147.97)
[289:root:6]SSL state:SSLv3/TLS write finished (103.171.147.97)
[289:root:6]SSL state:SSL negotiation finished successfully (103.171.147.97)
[289:root:6]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[289:root:6]req: /remote/login
[289:root:6]rmt_web_auth_info_parser_common:533 no session id in auth info
[289:root:6]rmt_web_get_access_cache:885 invalid cache, ret=4103
[289:root:6]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[289:root:6]get_cust_page:125 saml_info 0
[287:root:6]SSL state:fatal decode error (103.171.147.88)
[287:root:0]ap_read,105, error=1, errno=0 ssl 0x7f8bfea000 Success. error:0A000126:SSL routines::unexpected eof while reading
[287:root:6]sslvpn_read_request_common,684, ret=-1 error=-1, sconn=0x7f8cc55800.
[287:root:6]Destroy sconn 0x7f8cc55800, connSize=0. (root)
[290:root:6]allocSSLConn:312 sconn 0x7f8cc55800 (0:root)
[290:root:6]SSL state:before SSL initialization (103.47.133.103)
[290:root:6]SSL state:before SSL initialization (103.47.133.103)
[290:root:6]no SNI received
[290:root:6]client cert requirement: no
[290:root:6]SSL state:SSLv3/TLS read client hello (103.47.133.103)
[290:root:6]SSL state:SSLv3/TLS write server hello (103.47.133.103)
[290:root:6]SSL state:SSLv3/TLS write certificate (103.47.133.103)
[290:root:6]SSL state:SSLv3/TLS write key exchange (103.47.133.103)
[290:root:6]SSL state:SSLv3/TLS write server done (103.47.133.103)
[290:root:6]SSL state:SSLv3/TLS write server done:(null)(103.47.133.103)
[290:root:6]SSL state:fatal decode error (103.47.133.103)
[290:root:6]SSL state:error:(null)(103.47.133.103)
[290:root:6]SSL_accept failed, 1:unexpected eof while reading
[290:root:6]Destroy sconn 0x7f8cc55800, connSize=0. (root)
[284:root:7]allocSSLConn:312 sconn 0x7f8cc55800 (0:root)
[284:root:7]SSL state:before SSL initialization (103.171.147.89)
[284:root:7]SSL state:before SSL initialization (103.171.147.89)
[284:root:7]no SNI received
[284:root:7]client cert requirement: no
[284:root:7]SSL state:SSLv3/TLS read client hello (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write server hello (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write certificate (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write key exchange (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write server done (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write server done:(null)(103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write server done (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS read client key exchange (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS read change cipher spec (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS read finished (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write session ticket (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write change cipher spec (103.171.147.89)
[284:root:7]SSL state:SSLv3/TLS write finished (103.171.147.89)
[284:root:7]SSL state:SSL negotiation finished successfully (103.171.147.89)
[284:root:7]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[284:root:7]req: /remote/logincheck
[284:root:7]Transfer-Encoding n/a
[284:root:7]Content-Length 205
[284:root:7]readPostEnter:17 Post Data length 205.
[284:root:7]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[284:root:7]rmt_web_auth_info_parser_common:533 no session id in auth info
[284:root:7]rmt_web_access_check:804 access failed, uri=[/remote/logincheck],ret=4103,
[284:root:7]encoding method 0
[284:root:7]fsv_logincheck_common_handler:1407 user 'NSasongko' has a matched local entry.
[284:root:7]sslvpn_auth_check_usrgroup:3072 forming user/group list from policy.
[284:root:7]sslvpn_auth_check_usrgroup:3119 got user (0) group (2:0).
[284:root:7]sslvpn_validate_user_group_list:1956 validating with SSL VPN authentication rules (1), realm ().
[284:root:7]sslvpn_validate_user_group_list:2050 checking rule 1 cipher.
[284:root:7]sslvpn_validate_user_group_list:2058 checking rule 1 realm.
[284:root:7]sslvpn_validate_user_group_list:2069 checking rule 1 source intf.
[284:root:7]sslvpn_validate_user_group_list:2108 checking rule 1 vd source intf.
[284:root:7]sslvpn_validate_user_group_list:2613 rule 1 done, got user (0:0) group (1:0) peer group (0).
[284:root:7]sslvpn_validate_user_group_list:2621 got user (0:0) group (1:0) peer group (0).
[284:root:7]sslvpn_validate_user_group_list:2968 got user (0:0), group (2:0) peer group (0).
[284:root:7]sslvpn_update_user_group_list:1850 got user (0:0), group (2:0), peer group (0) after update.
[284:root:7]two factor check for NSasongko: off
[284:root:7]sslvpn_authenticate_user:203 authenticate user: [NSasongko]
[284:root:7]sslvpn_authenticate_user:221 create fam state
[284:root:7][fam_auth_send_req_internal:432] Groups sent to FNBAM:
[284:root:7]group_desc[0].grpname = user_VPN_1
[284:root:7][fam_auth_send_req_internal:444] FNBAM opt = 0X200420
local auth is done with user 'NSasongko', ret=7
[284:root:7][1828] handle_req-Rcvd auth_token req 354133238 for NSasongko in
fam_auth_send_req_internal:520 fnbam_auth return: 7
[466] __compose_group_list_from_req-Group 'user_VPN_1', type 1
[284:root:7][fam_auth_send_req_internal:546] Authenticated groups (1) by FNBAM with auth_type (1):
[284:root:7]Received: auth_rsp_data.grp_list[0] = 2
[284:root:7][741] create_auth_token_session-Created auth token session 354133238
fam_auth_send_req_internal:570 found node user_VPN_1:0:, valid:1, auth:0
[284:root:7]Validated: auth_rsp_data.grp_list[0] = user_VPN_1
[289:root:6]Timeout for connection 0x7f8cc55800.

[289:root:6]Destroy sconn 0x7f8cc55800, connSize=0. (root)
[289:root:6]SSL state:warning close notify (103.171.147.97)
[284:root:7]Timeout for connection 0x7f8cc55800.

[284:root:7]Destroy sconn 0x7f8cc55800, connSize=0. (root)
[284:root:7]SSL state:warning close notify (103.171.147.89)
[2228] handle_req-Rcvd auth_cert req id=354133239, len=6371, opt=8
[1148] __cert_auth_ctx_init-req_id=354133239, opt=8
[1164] __cert_auth_ctx_init-OCSP resp is found.
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[827] __cert_init-req_id=354133239
[876] __cert_build_chain-req_id=354133239
[319] fnbamd_chain_build-Chain discovery, opt 0x19, cur total 1
[337] fnbamd_chain_build-Following depth 0
[382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[337] fnbamd_chain_build-Following depth 1
[382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[998] __cert_verify-req_id=354133239
[999] __cert_verify-Chain is complete.
[481] fnbamd_builtin_cert_check-Following cert chain depth 0
[481] fnbamd_builtin_cert_check-Following cert chain depth 1
[504] fnbamd_builtin_cert_check-Builtin CRL found: 244b5494
[481] fnbamd_builtin_cert_check-Following cert chain depth 2
[521] fnbamd_builtin_cert_check-Certificate status is unchecked.
[1039] __cert_verify_do_next-req_id=354133239
[99] __cert_chg_st- 'Validation' -> 'OCSP-Checking'
[1063] __cert_ocsp_check-req_id=354133239
[334] fnbamd_verify_ocsp_response-Cert status: GOOD.
[256] __cert_ocsp_resp_verify-verify_ocsp_response returns 0 -1
[99] __cert_chg_st- 'OCSP-Checking' -> 'Done'
[1086] __cert_done-req_id=354133239
[1502] fnbamd_auth_session_done-Session done, id=354133239
[1131] __fnbamd_cert_auth_run-Exit, req_id=354133239
[1545] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=354133239
[1458] auth_cert_success-id=354133239
[1242] fnbamd_cert_auth_copy_cert_status-req_id=354133239
[1369] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=354133239
[229] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 354133239, len=2568
[1333] destroy_auth_cert_session-id=354133239
[1214] fnbamd_cert_auth_uninit-req_id=354133239
[1224] fnbamd_rads_destroy-
[2228] handle_req-Rcvd auth_cert req id=354133240, len=6371, opt=8
[1148] __cert_auth_ctx_init-req_id=354133240, opt=8
[1164] __cert_auth_ctx_init-OCSP resp is found.
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[827] __cert_init-req_id=354133240
[876] __cert_build_chain-req_id=354133240
[319] fnbamd_chain_build-Chain discovery, opt 0x19, cur total 1
[337] fnbamd_chain_build-Following depth 0
[382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[337] fnbamd_chain_build-Following depth 1
[382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[998] __cert_verify-req_id=354133240
[999] __cert_verify-Chain is complete.
[481] fnbamd_builtin_cert_check-Following cert chain depth 0
[481] fnbamd_builtin_cert_check-Following cert chain depth 1
[504] fnbamd_builtin_cert_check-Builtin CRL found: 244b5494
[481] fnbamd_builtin_cert_check-Following cert chain depth 2
[521] fnbamd_builtin_cert_check-Certificate status is unchecked.
[1039] __cert_verify_do_next-req_id=354133240
[99] __cert_chg_st- 'Validation' -> 'OCSP-Checking'
[1063] __cert_ocsp_check-req_id=354133240
[334] fnbamd_verify_ocsp_response-Cert status: GOOD.
[256] __cert_ocsp_resp_verify-verify_ocsp_response returns 0 -1
[99] __cert_chg_st- 'OCSP-Checking' -> 'Done'
[1086] __cert_done-req_id=354133240
[1502] fnbamd_auth_session_done-Session done, id=354133240
[1131] __fnbamd_cert_auth_run-Exit, req_id=354133240
[1545] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=354133240
[1458] auth_cert_success-id=354133240
[1242] fnbamd_cert_auth_copy_cert_status-req_id=354133240
[1369] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=354133240
[229] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 354133240, len=2568
[1333] destroy_auth_cert_session-id=354133240
[1214] fnbamd_cert_auth_uninit-req_id=354133240
[1224] fnbamd_rads_destroy-
[285:root:7]allocSSLConn:312 sconn 0x7f8cce9800 (0:root)
[285:root:7]SSL state:before SSL initialization (103.47.133.181)
[285:root:7]SSL state:before SSL initialization (103.47.133.181)
[285:root:7]no SNI received
[285:root:7]client cert requirement: no
[285:root:7]SSL state:SSLv3/TLS read client hello (103.47.133.181)
[285:root:7]SSL state:SSLv3/TLS write server hello (103.47.133.181)
[285:root:7]SSL state:SSLv3/TLS write certificate (103.47.133.181)
[285:root:7]SSL state:SSLv3/TLS write key exchange (103.47.133.181)
[285:root:7]SSL state:SSLv3/TLS write server done (103.47.133.181)
[285:root:7]SSL state:SSLv3/TLS write server done:(null)(103.47.133.181)
[285:root:7]SSL state:fatal decode error (103.47.133.181)
[285:root:7]SSL state:error:(null)(103.47.133.181)
[285:root:7]SSL_accept failed, 1:unexpected eof while reading
[285:root:7]Destroy sconn 0x7f8cce9800, connSize=1. (root)
[286:root:7]allocSSLConn:312 sconn 0x7f8cc55800 (0:root)
[286:root:7]SSL state:before SSL initialization (103.171.147.119)
[286:root:7]SSL state:before SSL initialization (103.171.147.119)
[286:root:7]no SNI received
[286:root:7]client cert requirement: no
[286:root:7]SSL state:SSLv3/TLS read client hello (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write server hello (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write certificate (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write key exchange (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write server done (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write server done:(null)(103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write server done (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS read client key exchange (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS read change cipher spec (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS read finished (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write session ticket (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write change cipher spec (103.171.147.119)
[286:root:7]SSL state:SSLv3/TLS write finished (103.171.147.119)
[286:root:7]SSL state:SSL negotiation finished successfully (103.171.147.119)
[286:root:7]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[286:root:7]req: /remote/logincheck
[286:root:7]Transfer-Encoding n/a
[286:root:7]Content-Length 237
[286:root:7]readPostEnter:17 Post Data length 237.
[286:root:7]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[286:root:7]rmt_web_auth_info_parser_common:533 no session id in auth info
[286:root:7]rmt_web_access_check:804 access failed, uri=[/remote/logincheck],ret=4103,
[286:root:7]encoding method 0
[286:root:7]fsv_logincheck_common_handler:1407 user 'NSasongko' has a matched local entry.
[286:root:7]got checking id 3-2149dbd3
[286:root:0]fsv_logincheck_common_handler:1538 token_type = 2, time_out = 300
[286:root:7]1690 magic checked failed.
[286:root:7]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[286:root:7]Transfer-Encoding n/a
[286:root:7]Content-Length 237
[286:root:0]sslvpn_find_err_msg_array:391 Can't find the value for key: 400
[286:root:7]rmt_error_cb_handler:131 Can't get corresponding message for key 400. Use the default error message.

idharr1
New Contributor II

Hi Aek,

i found solution when checking this log 

[286:root:7]rmt_error_cb_handler:131 Can't get corresponding message for key 400. Use the default error message.

 

just using this setup

 

Upgrade to 6.2.0 at least if 'auth-session-check-source-ip disable' is required.

 

# config vpn ssl settings
    set auth-session-check-source-ip enable | disable

 

 

and now the vpn its works.

 

Thanks.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors