I tried to reach out to another #FortiGate through the SSL-VPN client connection but it's not established.
I ran a debug command on the SSL-VPN server to figure out the issue.
I received these logs:
2024-01-16 18:07:19 [260:root:19]allocSSLConn:310 sconn 0x7fab546000 (0:root)
2024-01-16 18:07:21 [260:root:19]SSL state:before SSL initialization (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:fatal decode error (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:error:(null)(X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL_accept failed, 1:unexpected eof while reading
2024-01-16 18:07:21 [260:root:19]Destroy sconn 0x7fab546000, connSize=0. (root)
I used easy-rsa to create a server-client self-signed cert bundle to use for this purpose.
Another thing that I should mention is that whenever I am using the "openfortivpn" package in Ubuntu or FortiClient VPN and addressing those self-signed certificate locations for the CA, server cert, and user key, the connection is established without any problem.
I wonder if you have any idea how to sort out this issue.
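A triage helper for debug output of this shape, as an added example that is not part of the original post or Fortinet's tooling: it groups lines by the bracketed tag and reports each connection whose SSL_accept failed. Treating the tag as a per-connection key, and the function and field names, are assumptions made for the example.

```python
import re

# Constructed sample: the debug lines quoted in the post above (peer address already masked).
SAMPLE_LOG = """\
2024-01-16 18:07:19 [260:root:19]allocSSLConn:310 sconn 0x7fab546000 (0:root)
2024-01-16 18:07:21 [260:root:19]SSL state:before SSL initialization (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:fatal decode error (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:error:(null)(X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL_accept failed, 1:unexpected eof while reading
2024-01-16 18:07:21 [260:root:19]Destroy sconn 0x7fab546000, connSize=0. (root)
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\](.*)$")       # timestamp, [tag], message
STATE_RE = re.compile(r"^SSL state:(.*?)\s*\(([^()]*)\)$")  # state text, then (peer)
FAIL_RE = re.compile(r"^SSL_accept failed, (\d+):(.*)$")    # code, then reason text

def summarize(log_text):
    """Return one record per connection tag whose TLS accept failed."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug line in the expected shape
        ts, tag, msg = m.groups()
        c = conns.setdefault(tag, {"tag": tag, "first_seen": ts, "peer": None,
                                   "states": [], "error": None, "closed": False})
        state, fail = STATE_RE.match(msg), FAIL_RE.match(msg)
        if state:
            c["states"].append(state.group(1))
            c["peer"] = state.group(2)
        elif fail:
            c["error"] = fail.group(2).strip()
        elif msg.startswith("Destroy sconn"):
            c["closed"] = True
    failed = []
    for c in conns.values():
        if c["error"] is None:
            continue
        # If no state other than the initial one and alert/error lines was logged,
        # the handshake ended before any negotiation step completed.
        progressed = [s for s in c["states"]
                      if not s.startswith(("before", "fatal", "error"))]
        c["failed_before_negotiation"] = not progressed
        failed.append(c)
    return failed

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["first_seen"], rec["peer"], rec["error"], rec["states"])
```

A record with `failed_before_negotiation` set shows the session ended before cipher or certificate negotiation was logged, which helps separate transport-level failures from certificate or TLS-version mismatches.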
The problem matches a known problem in version 7.4.1 and has already been fixed in 7.4.2.
ID 933985 - FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.
The issue was resolved after upgrading the firewalls to v7.4.2.
In case the 2 FGTs are different in versions, it is probably due to SSL/TLS negotiation. If this is the case, it may be resolved by aligning SSL versions on both ends, or by updating the lowest FGT.
@AEK Thanks for the reply.
That wouldn't be the case since both firewalls are in the same version (v7.4.1).
In both firewalls minimum TLS version is 1.2 and the maximum is 1.3.
The same certificate bundle is also uploaded on both.
Hi @jumia,
Are there any firewalls in between which are doing certificate inspection/deep inspection?
Regards,
@hbac
No, there isn't any firewall in between.