Starting today, all of our devices that use the android forticlient VPN app will not connect, they generate a generic "VPN server not reachable" error and the email alert states "reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in". You can log in to the web client from the device in question, and all of our windows devices are working fine with the forticlient app. The only thing that has changed recently is the move to 6.4.11 a few weeks ago due to the announced exploits. From what I can tell the app hasn't been updated since August so I don't think anything changed there, Anyone else has SSL VPN issues with 6.4.11? I am going to reboot the FW after hours and see if that changes anything.
debug from the device is below. The red text looks to be the error.
FG100E # [231:root:263]allocSSLConn:298 sconn 0x34557200 (0:root)
[231:root:263]SSL state:before SSL initialization (174.x.x.60)
[231:root:263]SSL state:before SSL initialization (174.x.x.60)
[231:root:263]got SNI server name: 50.x.x.214 realm (null)
[231:root:263]client cert requirement: no
[231:root:263]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write change cipher spec (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]got SNI server name: 50.x.x.214 realm (null)
[231:root:263]client cert requirement: no
[231:root:263]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 write encrypted extensions (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write certificate (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 write server certificate verify (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write finished (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[231:root:263]SSL state:TLSv1.3 early data (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS read finished (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write session ticket (174.x.x.60)
[231:root:263]SSL state:SSLv3/TLS write session ticket (174.x.x.60)
[231:root:263]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[231:root:263]req: /remote/info?lang=en
[231:root:263]capability flags: 0xdf
[231:root:263]req: /remote/login?lang=en
[231:root:263]rmt_web_auth_info_parser_common:465 no session id in auth info
[231:root:263]rmt_web_get_access_cache:807 invalid cache, ret=4103
[231:root:263]User Agent: FortiSSLVPN (Android; SV1 [SV{v=02.01; f=04;}])
[231:root:263]get_cust_page:127 saml_info 0
[231:root:263]req: /remote/logincheck
[231:root:263]rmt_web_auth_info_parser_common:465 no session id in auth info
[231:root:263]rmt_web_access_check:726 access failed, uri=[/remote/logincheck],ret=4103,
[231:root:263]User Agent: FortiSSLVPN (Android; SV1 [SV{v=02.01; f=04;}])
[231:root:263]rmt_logincheck_cb_handler:1255 user 't****Y' has a matched local entry.
[231:root:263]sslvpn_auth_check_usrgroup:2657 forming user/group list from policy.
[231:root:263]sslvpn_auth_check_usrgroup:2695 got user (0) group (1:0).
[231:root:263]sslvpn_validate_user_group_list:1803 validating with SSL VPN authentication rules (1), realm ().
[231:root:263]sslvpn_validate_user_group_list:1923 checking rule 1 cipher.
[231:root:263]sslvpn_validate_user_group_list:1931 checking rule 1 realm.
[231:root:263]sslvpn_validate_user_group_list:1942 checking rule 1 source intf.
[231:root:263]sslvpn_validate_user_group_list:1981 checking rule 1 vd source intf.
[231:root:263]sslvpn_validate_user_group_list:2262 rule 1 done, got user (0:0) group (1:0) peer group (0).
[231:root:263]sslvpn_validate_user_group_list:2556 got user (0:0), group (1:0) peer group (0).
[231:root:263]sslvpn_update_user_group_list:1749 got user (0:0), group (1:0), peer group (0) after update.
[231:root:263]two factor check for t****Y: off
[231:root:263]sslvpn_authenticate_user:167 authenticate user: [t****Y]
[231:root:263]sslvpn_authenticate_user:174 create fam state
[231:root:263][fam_auth_send_req_internal:425] Groups sent to FNBAM:
[231:root:263]group_desc[0].grpname = remote
[231:root:263][fam_auth_send_req_internal:437] FNBAM opt = 0X200420
[231:root:263]fam_auth_send_req_internal:513 fnbam_auth return: 7
[231:root:263][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM:
[231:root:263]Received: auth_rsp_data.grp_list[0] = 2
[231:root:263]fam_auth_send_req_internal:562 found node remote:0:, valid:1
[231:root:263]Validated: auth_rsp_data.grp_list[0] = remote
[232:root:a29]allocSSLConn:298 sconn 0x34556e80 (0:root)
allocSSLConn:298 sconn 0x34556b00 (0:root)
[232:root:a29]SSL state:before SSL initialization (174.x.x.60)
SSL state:before SSL initialization (174.x.x.60)
[230:root:252]SSL state:before SSL initialization (174.x.x.60)
SSL state:before SSL initialization (174.x.x.60)
[232:root:a29]got SNI server name: 50.x.x.214 realm (null)
[232:root:a29]client cert requirement: no
[232:root:a29]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[232:root:a29]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[232:root:a29]SSL state:SSLv3/TLS write change cipher spec (174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 early data (174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[230:root:252]got SNI server name: 50.x.x.214 realm (null)
[230:root:252]client cert requirement: no
[230:root:252]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write change cipher spec (174.x.x.60)
[230:root:252]SSL state:TLSv1.3 early data (174.x.x.60)
[230:root:252]SSL state:TLSv1.3 early data:system lib(174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 early data (174.x.x.60)
SSL state:TLSv1.3 early data (174.x.x.60)
[230:root:252]got SNI server name: 50.x.x.214 realm (null)
[230:root:252][232:root:a29]client cert requirement: no
got SNI server name: 50.x.x.214 realm (null)
[230:root:252]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[232:root:a29]client cert requirement: no
[232:root:a29]SSL state:SSLv3/TLS read client hello (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write server hello (174.x.x.60)
[230:root:252]SSL state:TLSv1.3 write encrypted extensions (174.x.x.60)
[230:root:252]SSL state:SSLv3/TLS write certificate (174.x.x.60)
SSL state:SSLv3/TLS write server hello (174.x.x.60)
[232:root:a29]SSL state:TLSv1.3 write encrypted extensions (174.x.x.60)
[232:root:a29]SSL state:SSLv3/TLS write certificate (174.x.x.60)
[232:root:a29]SSL state:fatal internal error (174.x.x.60)
[232:root:a29]SSL state:error:(null)(174.x.x.60)
[232:root:a29]SSL_accept failed, 1:EVP lib
[232:root:a29]Destroy sconn 0x34556b00, connSize=1. (root)
[230:root:252]SSL state:fatal internal error (174.x.x.60)
[230:root:252]SSL state:error:(null)(174.x.x.60)
[230:root:252]SSL_accept failed, 1:EVP lib
[230:root:252]Destroy sconn 0x34556e80, connSize=3. (root)
[231:root:263]sslvpn_read_request_common,656, ret=-1 error=-1, sconn=0x34557200.
[231:root:263]Destroy sconn 0x34557200, connSize=2. (root)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Terry,
Can you paste your config from CLI for SSL-VPN settings?
How are you settings for next?
set reqclientcert
set sslv2
set sslv3
Best regards,
Lazar
No sslv2 or sslv3 settings due to being on 6.4.11.
FG100E # get vpn ssl settings
status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
banned-cipher :
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : 2022wildcard
algorithm : high
idle-timeout : 3600
auth-timeout : 36000
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix :
dns-server1 : 1*.*.*.33
dns-server2 : 0.0.0.0
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 2****
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : tunnel-access
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0
Hi Team,
Can you change SSL VPN server cert to fortinet factory for a while and let us know if its connecting.
If its still not connecting, please collect same SSL VPN debug logs and share with us.
We will check and keep you posted
I'll see if I can try tonight.
I have found that is you just keep trying it will eventually connect, might take 20 attempts.
Created on 01-01-2023 07:32 AM Edited on 01-01-2023 07:44 AM
Well, the Factory certificate worked for a few days, but now it's back to doing the same thing with the Android client. Windows forticlient is still working.
so I changed back to our wildcard certificate, and now the android devices can connect again. It seems to be every few days something is causing issues until the certificate is changed. I have not tested a reboot to see if i will also resolve but we can't be rebooting a production unit every few days.
FG100E # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
FG100E # diagnose debug enable
FG100E # [232:root:b5f]allocSSLConn:298 sconn 0x34edcb00 (0:root)
[232:root:b5f]SSL state:before SSL initialization (68.x.x.x)
[232:root:b5f]SSL state:before SSL initialization (68.x.x.x)
[232:root:b5f]got SNI server name: vpnurl.com realm (null)
[232:root:b5f]client cert requirement: no
[232:root:b5f]SSL state:SSLv3/TLS read client hello (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write server hello (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write change cipher spec (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data:system lib(68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data (68.x.x.x)
[232:root:b5f]got SNI server name: vpnurl.com realm (null)
[232:root:b5f]client cert requirement: no
[232:root:b5f]SSL state:SSLv3/TLS read client hello (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write server hello (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 write encrypted extensions (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write certificate (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 write server certificate verify (68.x.x.x)
[232:root:b5f]SSL state:SSLv3/TLS write finished (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data (68.x.x.x)
[232:root:b5f]SSL state:TLSv1.3 early data:system lib(68.x.x.x)
[232:root:b5f]epollFdHandler,577, sconn=0x34edcb00[31,-1,-1,-1,-1], fd=31, event=25.
[232:root:b5f]epollFdHandler:647 s: 0x34edcb00 event: 0x19
[232:root:b5f]Destroy sconn 0x34edcb00, connSize=0. (root)
This is still an issue. I have to reboot or change the certificate every week or the android/chrome clients get shut out and can not connect. What else can i do to troubleshoot this? This should not be occuring.
Ideally it should not happen every week.
Can we raise ticket with TAC team, this requires further troubleshooting
I did. They said Dev is aware of an issue in 6.4.11 that was causing it and provided a workaround that so far seems to have fixed it. I'm keeping an eye on it as its been almost 2 weeks and it's still functioning with out rebooting or swapping certificates.
Hello,
What is the workaround they provieded ?
Thanks in advance.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.