Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiMax_it
Contributor

Created on ‎11-04-2022 10:02 AM

Problem VPN SSL WEB after upgrade to 7.0.8

Hi,
after updating a Fortigate 60E from version 7.0.7 to version 7.0.8 the RDP via SSL WEB VPN no longer works with any PC, the error "Connection closed!" always appears. If I perform a NAT of the port 3389 from the WAN to the LAN I enter the PC correctly.
I have changed all the possible parameters but I cannot log in, whether I enter my credentials in the bookmark or enter them by hand.
I have already tried to follow this KB but nothing, error: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-take-RDP-of-machines-via-SSL-VPN...

Has anyone had the same problem?

Labels:
12219
0 Kudos
2 Solutions
FortiMax_it
Contributor

Created on ‎12-22-2022 02:31 AM

@jbro  @jnielsen  @useribs problem resolved by Fortinet.

To resolve insert this string in the VPN: "set load-balancing-info NULL"

FortiMax_it_0-1671704993801.png

I hope it is set by default in new firmware.

View solution in original post

11750
saicor
New Contributor
In response to saicor

Created on ‎01-17-2024 07:55 AM

Hi,

 

I bring the solution from forti support.

 

After version 7.0.8, including 7.0.12 and 7.0.13, webmode SSLVPN changed the TLS to TLS v1.3 and this TLS is only by default on Windows Server 2022 onwards. If you dont have the register updated to support TLS v1.3, you can do a change on created bookmarks.

 

2024-01-17 16_24_08-.jpg

 

Solution:

 

FW-EST-1 # config vpn ssl web portal

FW-EST-1 (portal) # edit Provider-VPN-Example --> name of your SSLVPN Portal

FW-EST-1 (Provider-VPN-Example) # config bookmark-group

FW-EST-1 (bookmark-group) # edit gui-bookmarks

FW-EST-1 (gui-bookmarks) # config bookmarks

FW-EST-1 (bookmarks) # edit SRV-PRO --> name of your bookmark

FW-EST-1 (SRV-PRO) # set security any

FW-EST-1 (SRV-PRO) # end

 

The result:

 

FW-EST-1 (bookmarks) #edit SRV-PRO

FW-EST-1 (SRV-PRO) # show
config bookmarks
edit "SRV-PRO"
set apptype rdp
set description "PRO"
set host "10.10.230.11"
set security any
set port 3389
next
end

 

This will accept all TLS and finally you will access to your server without the common error "IP_portal:port says Connection closed!"

 

Thanks.

View solution in original post

6204
0 Kudos
18 REPLIES 18
Anthony_E
Community Manager
Community Manager

Created on ‎11-06-2022 10:26 PM

Hello Max,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
8139
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎11-10-2022 12:04 AM

Hello Max,

 

We are still looking for an answer to your question.

We will come back to you as soon as we get one.

 

Regards,

Anthony-Fortinet Community Team.
8100
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎11-10-2022 11:08 PM

Hello Max,

 

I have found this document:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/4c952186-4436-11ed-9d74-fa163e...

 

Inside you could find some interesting information.

 

Could you please tell me if it helps?

 

Regards,

Anthony-Fortinet Community Team.
8071
0 Kudos
useribs
New Contributor

Created on ‎12-14-2022 08:34 AM

could you solve it?

7908
0 Kudos
FortiMax_it
Contributor

Created on ‎12-14-2022 04:18 PM Edited on ‎12-15-2022 04:11 PM

Hi folks, the problem is not solved yet. I opened ticket on fortinet but after two weeks still nothing. We have done hundreds of tests, modified the fortigate configuration and also of the RDP machines but, for almost all RDP servers, the error "Connection closed!" is received, even trying the latest firmware.
The only solution was to downgrade to firmware 7.0.7.: all problems disappeared, RDP worked again. Fortinet is investigating.

7899
useribs
New Contributor
In response to FortiMax_it

Created on ‎12-14-2022 11:15 PM

Hi

we have a similar problem , after updating a Fortigate 2201E from version 7.0.7 to version 7.0.9 the RDP via SSL WEB VPN no longer works with any PC, the error "Connection closed"

The problem is that we can't downgrade, the  firmware 7.0.7 have a security issues

 

thanks very much

7883
0 Kudos
jnielsen
Staff
Staff

Created on ‎12-15-2022 12:26 AM

I am not sure if it would help, but could you try the following setting:

config vpn ssl setting
  set encrypt-and-store-password enable

end

7870
FortiMax_it
Contributor
In response to jnielsen

Created on ‎12-21-2022 03:16 PM

Hi, I don't know if we can try the command you gave us. Tomorrow we will go back to the customer because he had two Fortigate 60E in HA, we split them and we downgraded the one in use. Theoretically tomorrow we will reconnect the Fortigate with the latest firmware that had been excluded and put it back in HA with 7.0.7
If the customer allows us (he has been unserved with WEB SSL VPNs for weeks) let's try to put the updated Fortigate to work with the "set encrypt-and-store-password enable" command.

7747
jbro
New Contributor

Created on ‎12-21-2022 12:33 PM

We're having basically the same exact issue except 6.4.10/11. 

Everything works perfectly fine under 6.4.9, but upgrading to either .10 or .11 will break the SSL VPN Web connection to our Terminal Services gateway server.

 

Login to the base URL, provide OTP token, choose bookmark (or manual quicklaunch), authenticate and then instantaneous "Connection Closed" error message. Downgrading to 6.4.9 fixes the issue, but you can't downgrade anymore due to the security concerns. We opened up a ticket with both Fortinet and MSFT and MSFT after spending many hours with us said it's definitely a Fortinet related issue. Fortinet seems to be aware of the issue and will be fixed .12 but there's no ETA. 

 

What's weird is that other RDP sessions to non-Terminal Server Gateways in that subnet works fine. Didn't see anything in the debug on the Fortinet and we're about to start doing packet sniffing on the RDP gateway's subnet. 

 

If anyone comes up with a solution, please post it here because right now our remote users are dead in the water.

7752
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.