Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mmdterry
New Contributor II

FortiClient sslvpn "vpn server not reachable" for all Android/Chrome devices.

Starting today, all of our devices that use the Android FortiClient VPN app will not connect; they generate a generic "VPN server not reachable" error, and the email alert states reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in". You can log in to the web client from the device in question, and all of our Windows devices are working fine with the FortiClient app. The only thing that has changed recently is the move to 6.4.11 a few weeks ago due to the announced exploits. From what I can tell the app hasn't been updated since August, so I don't think anything changed there. Does anyone else have SSL VPN issues with 6.4.11? I am going to reboot the FW after hours and see if that changes anything.

Debug from the device is below. The red text looks to be the error.

FG100E # [231:root:263]allocSSLConn:298 sconn 0x34557200 (0:root)
[231:root:263]SSL state:before SSL initialization (174.x.x.60)
[231:root:263]SSL state:before SSL initialization (174.x.x.60)
[231:root:263]got SNI server name: 50.x.x.214 realm (null)
[231:root:263]client cert requirement: no
[231:root:263]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write change cipher spec (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]got SNI server name: 50.x.x.214 realm (null)
[231:root:263]client cert requirement: no
[231:root:263]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 write encrypted extensions (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write certificate (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 write server certificate verify (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write finished (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS read finished (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write session ticket (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write session ticket (174.x.x.60)
[231:root:263]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[231:root:263]req: /remote/info?lang=en
[231:root:263]capability flags: 0xdf
[231:root:263]req: /remote/login?lang=en
[231:root:263]rmt_web_auth_info_parser_common:465 no session id in auth info
[231:root:263]rmt_web_get_access_cache:807 invalid cache, ret=4103
[231:root:263]User Agent: FortiSSLVPN (Android; SV1 [SV{v=02.01; f=04;}])
[231:root:263]get_cust_page:127 saml_info 0
[231:root:263]req: /remote/logincheck
[231:root:263]rmt_web_auth_info_parser_common:465 no session id in auth info
[231:root:263]rmt_web_access_check:726 access failed, uri=[/remote/logincheck],ret=4103,
[231:root:263]User Agent: FortiSSLVPN (Android; SV1 [SV{v=02.01; f=04;}])
[231:root:263]rmt_logincheck_cb_handler:1255 user 't****Y' has a matched local entry.
[231:root:263]sslvpn_auth_check_usrgroup:2657 forming user/group list from policy.
[231:root:263]sslvpn_auth_check_usrgroup:2695 got user (0) group (1:0).
[231:root:263]sslvpn_validate_user_group_list:1803 validating with SSL VPN authentication rules (1), realm ().
[231:root:263]sslvpn_validate_user_group_list:1923 checking rule 1 cipher.
[231:root:263]sslvpn_validate_user_group_list:1931 checking rule 1 realm.
[231:root:263]sslvpn_validate_user_group_list:1942 checking rule 1 source intf.
[231:root:263]sslvpn_validate_user_group_list:1981 checking rule 1 vd source intf.
[231:root:263]sslvpn_validate_user_group_list:2262 rule 1 done, got user (0:0) group (1:0) peer group (0).
[231:root:263]sslvpn_validate_user_group_list:2556 got user (0:0), group (1:0) peer group (0).
[231:root:263]sslvpn_update_user_group_list:1749 got user (0:0), group (1:0), peer group (0) after update.
[231:root:263]two factor check for t****Y: off
[231:root:263]sslvpn_authenticate_user:167 authenticate user: [t****Y]
[231:root:263]sslvpn_authenticate_user:174 create fam state
[231:root:263][fam_auth_send_req_internal:425] Groups sent to FNBAM:
[231:root:263]group_desc[0].grpname = remote
[231:root:263][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
[231:root:263]fam_auth_send_req_internal:513 fnbam_auth return: 7
[231:root:263][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM:
[231:root:263]Received: auth_rsp_data.grp_list[0] = 2
[231:root:263]fam_auth_send_req_internal:562 found node remote:0:, valid:1
[231:root:263]Validated: auth_rsp_data.grp_list[0] = remote
[232:root:a29]allocSSLConn:298 sconn 0x34556e80 (0:root)
allocSSLConn:298 sconn 0x34556b00 (0:root)
[232:root:a29]SSL state:before SSL initialization (174.x.x.60)
SSL state:before SSL initialization (174.x.x.60)
[230:root:252]SSL state:before SSL initialization (174.x.x.60)
SSL state:before SSL initialization (174.x.x.60)
[232:root:a29]got SNI server name: 50.x.x.214 realm (null)
[232:root:a29]client cert requirement: no
[232:root:a29]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[232:root:a29]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[232:root:a29]SSL state:SSLv3/TLS write change cipher spec (174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 early data (174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[230:root:252]got SNI server name: 50.x.x.214 realm (null)
[230:root:252]client cert requirement: no
[230:root:252]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write change cipher spec (174.x.x.60)
[230:root:252]SSL state:TLSv1.3 early data (174.x.x.60)
[230:root:252]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 early data (174.x.x.60)
SSL state:TLSv1.3 early data (174.x.x.60)
[230:root:252]got SNI server name: 50.x.x.214 realm (null)
[230:root:252][232:root:a29]client cert requirement: no
got SNI server name: 50.x.x.214 realm (null)
[230:root:252]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[232:root:a29]client cert requirement: no
[232:root:a29]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[230:root:252]SSL state:TLSv1.3 write encrypted extensions (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write certificate (174.x.x.60)
SSL state:SSLv3/TLS write server hello (174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 write encrypted extensions (174.x.x.60)
[232:root:a29]SSL state:SSLv3/TLS write certificate (174.x.x.60)
[232:root:a29]SSL state:fatal internal error (174.x.x.60)
[232:root:a29]SSL state:error:(null)(174.x.x.60)
[232:root:a29]SSL_accept failed, 1:EVP lib
[232:root:a29]Destroy sconn 0x34556b00, connSize=1. (root)
[230:root:252]SSL state:fatal internal error (174.x.x.60)
[230:root:252]SSL state:error:(null)(174.x.x.60)
[230:root:252]SSL_accept failed, 1:EVP lib
[230:root:252]Destroy sconn 0x34556e80, connSize=3. (root)
[231:root:263]sslvpn_read_request_common,656, ret=-1 error=-1, sconn=0x34557200.
[231:root:263]Destroy sconn 0x34557200, connSize=2. (root)

Terry Duckworth
lmarinovic
Staff

Hi Terry,

Can you paste your config from the CLI for the SSL-VPN settings?

What are your settings for the following?

set reqclientcert 
set sslv2 
set sslv3 

Best regards,

Lazar Marinovic
mmdterry
New Contributor II

No sslv2 or sslv3 settings due to being on 6.4.11.

FG100E # get vpn ssl settings
status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
banned-cipher :
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : 2022wildcard
algorithm : high
idle-timeout : 3600
auth-timeout : 36000
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix :
dns-server1 : 1*.*.*.33
dns-server2 : 0.0.0.0
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 2****
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : tunnel-access
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0

Terry Duckworth
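The settings dump above is what anyone reading this thread will check first, so here is an added example (not code from the thread or from Fortinet) that parses `get vpn ssl settings` output and lists the settings a reviewer would question, with the CLI lines that fix the ones that have a one-line fix. The sample input is the configuration posted above, trimmed, with its redactions kept; the check list and severities are the example's own, not a Fortinet baseline. On this config it flags the `tls1-1` floor (TLS 1.0 and 1.1 are deprecated by RFC 8996) and that a second factor is not enforced, which matches the `two factor check for t****Y: off` line in the debug capture. None of that explains the Android failure (the capture shows TLS 1.3 being negotiated fine on the connections that do complete), but it is the review to do before opening a TAC case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the `get vpn ssl settings` output posted in this thread,
# trimmed to the keys the checks below look at (the post's redactions are kept).
SAMPLE_SETTINGS = """\
FG100E # get vpn ssl settings
status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : 2022wildcard
login-attempt-limit : 2
login-block-time : 60
http-only-cookie : enable
port : 2****
source-interface : "wan1"
source-address : "all"
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
"""

KV_RE = re.compile(r"^([\w-]+)\s*:\s*(.*)$")
# FortiOS protocol-floor names in ascending order; tls1-2 is the lowest
# version not deprecated by RFC 8996.
PROTO_ORDER = ["ssl-3.0", "tls1-0", "tls1-1", "tls1-2", "tls1-3"]

def parse_settings(text: str) -> Dict[str, str]:
    """Top-level `key : value` lines; the prompt and '== [ n ]' rule headers are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("==") or " # " in line:
            continue
        m = KV_RE.match(line)
        if m:
            settings[m[1]] = m[2].strip().strip('"')
    return settings

@dataclass
class Finding:
    severity: str
    key: str
    message: str
    fix: Optional[str] = None  # CLI line under `config vpn ssl settings`, if one applies

def audit(s: Dict[str, str]) -> List[Finding]:
    """The checks are this example's own list, not a Fortinet baseline."""
    out: List[Finding] = []
    floor = s.get("ssl-min-proto-ver", "")
    if floor in PROTO_ORDER and PROTO_ORDER.index(floor) < PROTO_ORDER.index("tls1-2"):
        out.append(Finding("high", "ssl-min-proto-ver",
                           f"{floor} lets clients negotiate deprecated TLS versions",
                           "set ssl-min-proto-ver tls1-2"))
    if s.get("ssl-client-renegotiation") == "enable":
        out.append(Finding("medium", "ssl-client-renegotiation",
                           "client-initiated renegotiation is enabled",
                           "set ssl-client-renegotiation disable"))
    if s.get("login-attempt-limit", "0") == "0":
        out.append(Finding("medium", "login-attempt-limit",
                           "failed logins are never blocked", "set login-attempt-limit 2"))
    if s.get("force-two-factor-auth") != "enable":
        out.append(Finding("medium", "force-two-factor-auth",
                           "second factor not enforced by the portal (the debug shows "
                           "'two factor check ... off' for this user)"))
    if s.get("servercert", "").lower() == "fortinet_factory":
        out.append(Finding("medium", "servercert",
                           "factory certificate is not trusted by client trust stores; "
                           "acceptable for a test, not for production"))
    if s.get("reqclientcert") == "disable":
        out.append(Finding("info", "reqclientcert",
                           "no client certificate required; credentials are the only gate"))
    if s.get("source-address") == "all":
        out.append(Finding("info", "source-address", "portal accepts any source address"))
    if s.get("http-only-cookie") != "enable":
        out.append(Finding("low", "http-only-cookie", "session cookie readable by script",
                           "set http-only-cookie enable"))
    return out

def remediation(findings: List[Finding]) -> List[str]:
    """CLI block applying every finding that has a one-line fix; empty if none."""
    fixes = [f.fix for f in findings if f.fix]
    if not fixes:
        return []
    return ["config vpn ssl settings"] + ["    " + f for f in fixes] + ["end"]

if __name__ == "__main__":
    for f in audit(parse_settings(SAMPLE_SETTINGS)):
        print(f"[{f.severity}] {f.key}: {f.message}" + (f" -> {f.fix}" if f.fix else ""))
```

Findings without a `fix` are deliberate: enforcing two-factor, requiring client certificates or restricting `source-address` are design decisions that can lock users out, so the tool names them and leaves the change to the operator.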
seshuganesh

Hi Team,

Can you change the SSL VPN server cert to Fortinet factory for a while and let us know if it's connecting?

If it's still not connecting, please collect the same SSL VPN debug logs and share them with us.

We will check and keep you posted.

mmdterry

I'll see if I can try tonight.

I have found that if you just keep trying it will eventually connect; it might take 20 attempts.

Terry Duckworth
mmdterry

Well, the factory certificate worked for a few days, but now it's back to doing the same thing with the Android client. Windows FortiClient is still working.

So I changed back to our wildcard certificate, and now the Android devices can connect again. It seems that every few days something causes issues until the certificate is changed. I have not tested a reboot to see if it will also resolve it, but we can't be rebooting a production unit every few days.

FG100E # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.

FG100E # diagnose debug enable

FG100E # [232:root:b5f]allocSSLConn:298 sconn 0x34edcb00 (0:root)
[232:root:b5f]SSL state:before SSL initialization (68.x.x.x)
[232:root:b5f]SSL state:before SSL initialization (68.x.x.x)
[232:root:b5f]got SNI server name: vpnurl.com realm (null)
[232:root:b5f]client cert requirement: no
[232:root:b5f]SSL state:SSLv3/TLS read client hello (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write server hello (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write change cipher spec (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data:system lib(68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data (68.x.x.x)
[232:root:b5f]got SNI server name: vpnurl.com realm (null)
[232:root:b5f]client cert requirement: no
[232:root:b5f]SSL state:SSLv3/TLS read client hello (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write server hello (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 write encrypted extensions (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write certificate (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 write server certificate verify (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write finished (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data:system lib(68.x.x.x)
[232:root:b5f]epollFdHandler,577, sconn=0x34edcb00[31,-1,-1,-1,-1], fd=31, event=25.
[232:root:b5f]epollFdHandler:647 s: 0x34edcb00 event: 0x19
[232:root:b5f]Destroy sconn 0x34edcb00, connSize=0. (root)

Terry Duckworth
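The two debug captures in this thread fail in different places: the one in the opening post dies with `SSL_accept failed, 1:EVP lib` immediately after `SSLv3/TLS write certificate`, while the one above never gets an error from the TLS library at all; the socket simply goes away after `TLSv1.3 early data`. Telling those apart by eye in interleaved output from several workers is tedious, so here is an added example (not code from the thread or from Fortinet) that groups `diagnose debug application sslvpn -1` output by its `[pid:vdom:connid]` tag and reports, for every connection that never reached `SSL established`, the last handshake state it was in and how it ended. The sample input is a trimmed excerpt of both captures with the thread's redactions kept. Decoding `event=25` as EPOLLIN|EPOLLERR|EPOLLHUP uses the Linux epoll bit values and assumes the daemon logs the raw epoll mask, which the `epollFdHandler` name suggests but the thread does not confirm; the `fnbam_auth` return code is reported, not interpreted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed excerpt of the two "diagnose debug application
# sslvpn -1" captures posted in this thread, with the thread's redactions kept.
SAMPLE_LOG = """\
FG100E # [231:root:263]allocSSLConn:298 sconn 0x34557200 (0:root)
[231:root:263]got SNI server name: 50.x.x.214 realm (null)
[231:root:263]SSL state:SSLv3/TLS write certificate (174.x.x.60)
[231:root:263]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[231:root:263]req: /remote/logincheck
[231:root:263]User Agent: FortiSSLVPN (Android; SV1 [SV{v=02.01; f=04;}])
[231:root:263]fam_auth_send_req_internal:513 fnbam_auth return: 7
[232:root:a29]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[232:root:a29]SSL state:SSLv3/TLS write certificate (174.x.x.60)
[232:root:a29]SSL state:fatal internal error (174.x.x.60)
[232:root:a29]SSL state:error:(null)(174.x.x.60)
[232:root:a29]SSL_accept failed, 1:EVP lib
[232:root:a29]Destroy sconn 0x34556e80, connSize=1. (root)
[231:root:263]sslvpn_read_request_common,656, ret=-1 error=-1, sconn=0x34557200.
[232:root:b5f]got SNI server name: vpnurl.com realm (null)
[232:root:b5f]SSL state:TLSv1.3 early data:system lib(68.x.x.x)
[232:root:b5f]epollFdHandler,577, sconn=0x34edcb00[31,-1,-1,-1,-1], fd=31, event=25.
[232:root:b5f]epollFdHandler:647 s: 0x34edcb00 event: 0x19
[232:root:b5f]Destroy sconn 0x34edcb00, connSize=0. (root)
"""

TAG_RE = re.compile(r"^(?:\S+ # )?\[(\d+):(\w+):([0-9a-f]+)\](.*)$")
STATE_RE = re.compile(r"^SSL state:(.*?)\s*\(([^)]+)\)$")
# Linux epoll bit values, used to decode "event=NN". Assumption: the daemon logs
# the raw epoll event mask, which the epollFdHandler name suggests.
EPOLL_BITS = [(0x1, "EPOLLIN"), (0x2, "EPOLLPRI"), (0x4, "EPOLLOUT"),
              (0x8, "EPOLLERR"), (0x10, "EPOLLHUP"), (0x2000, "EPOLLRDHUP")]

@dataclass
class Conn:
    tag: str                       # pid:vdom:connid from the line prefix
    peer: Optional[str] = None
    sni: Optional[str] = None
    states: List[str] = field(default_factory=list)
    cipher: Optional[str] = None   # set by "SSL established: ..."
    user_agent: Optional[str] = None
    auth_rc: Optional[int] = None  # raw fnbam_auth return code, not interpreted
    outcome: str = "open"

def decode_epoll(ev: int) -> str:
    return "|".join(name for bit, name in EPOLL_BITS if ev & bit) or "0"

def last_good_state(c: Conn) -> Optional[str]:
    """Last handshake state before any error state: where the handshake died."""
    good = [s for s in c.states if "error" not in s]
    return good[-1] if good else None

def triage(text: str) -> Dict[str, Conn]:
    conns: Dict[str, Conn] = {}
    for raw in text.splitlines():
        m = TAG_RE.match(raw.strip())
        if not m:
            continue  # untagged fragments from interleaved workers carry no tag
        tag, p = f"{m[1]}:{m[2]}:{m[3]}", m[4].strip()
        c = conns.setdefault(tag, Conn(tag))
        if p.startswith("SSL state:"):
            sm = STATE_RE.match(p)
            if sm:
                c.states.append(sm[1])
                c.peer = sm[2]
        elif p.startswith("got SNI server name: "):
            c.sni = p[21:].split(" realm")[0]
        elif p.startswith("SSL established: "):
            c.cipher = p[17:]
        elif p.startswith("User Agent: "):
            c.user_agent = p[12:]
        elif p.startswith("SSL_accept failed"):
            c.outcome = "handshake_failed: " + p.split(", ", 1)[1]
        elif p.startswith("epollFdHandler") and c.cipher is None:
            em = re.search(r"event=(\d+)", p)
            if em:  # socket event during the handshake: the peer side went away
                ev = int(em[1])
                c.outcome = f"handshake_aborted: socket event 0x{ev:x} ({decode_epoll(ev)})"
        elif p.startswith("sslvpn_read_request_common") and "ret=-1" in p:
            c.outcome = "read_error"
        elif "fnbam_auth return:" in p:
            c.auth_rc = int(p.rsplit(":", 1)[1])
        elif p.startswith("Destroy sconn") and c.outcome == "open":
            c.outcome = "closed"
    return conns

def handshake_failures(conns: Dict[str, Conn]) -> List[dict]:
    """Connections that never reached 'SSL established', with where they died."""
    return [{"tag": c.tag, "peer": c.peer, "sni": c.sni,
             "last_state": last_good_state(c), "outcome": c.outcome}
            for c in conns.values() if c.cipher is None and c.outcome != "open"]

if __name__ == "__main__":
    for f in handshake_failures(triage(SAMPLE_LOG)):
        print(f"{f['tag']} peer={f['peer']} sni={f['sni']}: "
              f"died after '{f['last_state']}' -> {f['outcome']}")
```

Run it over a full capture taken while a Windows client and an Android client both try to connect and compare the `last_state` of the failures with the user agents of the connections that succeed. A failure that is always pinned at `write certificate` with an `EVP lib` error is the server side choking while it sends its own certificate, which is why swapping the certificate was a reasonable experiment in this thread; a handshake that is merely `aborted` by the peer is the client giving up, and needs a client-side log to explain.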
mmdterry

This is still an issue. I have to reboot or change the certificate every week or the Android/Chrome clients get shut out and cannot connect. What else can I do to troubleshoot this? This should not be occurring.

Terry Duckworth
seshuganesh

Ideally it should not happen every week.

Can we raise a ticket with the TAC team? This requires further troubleshooting.

mmdterry

I did. They said Dev is aware of an issue in 6.4.11 that was causing it and provided a workaround that so far seems to have fixed it. I'm keeping an eye on it; it's been almost 2 weeks and it's still functioning without rebooting or swapping certificates.

Terry Duckworth
miki360

Hello,

What is the workaround they provided?

Thanks in advance.

Regards,
