Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tonym
New Contributor

N/A User in SSL VPN

Hello,

 

Just want to ask if someone encounter this already. I'm looking at FortiView VPN tab seeing User=n/a with 45mins ago last connection time and a duration of 22h 12m. Can someone explain why there is a n/a user?

 

SSL vpn was setup using only a local user created in the firewall. All user who successfully established a tunnel will be authenticated properly that's why their identity was recorded under "User". Why there is an N/A, is this a failed attempt to ssl vpn? See screenshot below for reference. Thank you in advance whoever give feedback about this

 

 

 

5 REPLIES 5
xSyKoTiKx
New Contributor

I came to find the answer to that same question, but it seems you and I are the only ones asking it.

Debbie_FTNT

Hey SyKoTiK,

are your logs the exact same (user N/A, tunneltype ssl instead of ssl-tunnel/ssl-web)?

When an SSLVPN connection is established, FortiClient may open multiple tunnels at the same time; sometimes one of them doesn't establish properly and you might end up with something like a zombie tunnel with no associated user, and no specific tunnel type.

There shouldn't be any traffic flowing through it.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Sativa23

I have the same.  Traffic is passing though ?

 

n/a usern/a user

srajeswaran

Can you run "get vpn ssl monitor" and check if "in/out" counters to confirm if there is active traffic flow

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

rosatechnocrat
Contributor II

 

* Oftentimes the "N/A" user just means that either the log entry itself doesn't track userinfo, or that no username was provided.
* For example: site-to-site IPsec tunnels frequently don't use usernames for authentication, and therefore any logs for those would show the user field as "N/A".
*  "SSL VPN new connection", do not track the username on that specific log entry. 
* If you look at a bunch of those logs at the same timestamp you will, however, usually be able to see a log entry with the actual user who connected. You can correlate these logs with the "remoteip" field to see if the log is referring to the same remote host.
* Ultimately so long as you don't see many failed login attempts, especially coming from remote-IPs in unexpected countries, the risk is not very high.
* You can check the country of the remote IP from the FortiGate command line as follows: diagnose firewall ipgeo ip2country x.x.x.x <----- enter remote IP there
+ Same information you can check in FortiGate as well, by following below steps.
>Logs & Report > Events > System Events .

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
Top Kudoed Authors