Problem VPN SSL WEB after upgrade to 7.0.8

FortiMax_it · ‎11-04-2022

Hi,
after updating a Fortigate 60E from version 7.0.7 to version 7.0.8 the RDP via SSL WEB VPN no longer works with any PC, the error "Connection closed!" always appears. If I perform a NAT of the port 3389 from the WAN to the LAN I enter the PC correctly.
I have changed all the possible parameters but I cannot log in, whether I enter my credentials in the bookmark or enter them by hand.
I have already tried to follow this KB but nothing, error: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-take-RDP-of-machines-via-SSL-VPN...

Has anyone had the same problem?

FortiMax_it · ‎12-22-2022

@jbro @jnielsen @useribs problem resolved by Fortinet.

To resolve insert this string in the VPN: "set load-balancing-info NULL"

I hope it is set by default in new firmware.

View solution in original post

saicor · ‎01-17-2024

Hi,

I bring the solution from forti support.

After version 7.0.8, including 7.0.12 and 7.0.13, webmode SSLVPN changed the TLS to TLS v1.3 and this TLS is only by default on Windows Server 2022 onwards. If you dont have the register updated to support TLS v1.3, you can do a change on created bookmarks.

Solution:

FW-EST-1 # config vpn ssl web portal

FW-EST-1 (portal) # edit Provider-VPN-Example --> name of your SSLVPN Portal

FW-EST-1 (Provider-VPN-Example) # config bookmark-group

FW-EST-1 (bookmark-group) # edit gui-bookmarks

FW-EST-1 (gui-bookmarks) # config bookmarks

FW-EST-1 (bookmarks) # edit SRV-PRO --> name of your bookmark

FW-EST-1 (SRV-PRO) # set security any

FW-EST-1 (SRV-PRO) # end

The result:

FW-EST-1 (bookmarks) #edit SRV-PRO

FW-EST-1 (SRV-PRO) # show
config bookmarks
edit "SRV-PRO"
set apptype rdp
set description "PRO"
set host "10.10.230.11"
set security any
set port 3389
next
end

This will accept all TLS and finally you will access to your server without the common error "IP_portal:port says Connection closed!"

Thanks.

View solution in original post

Phoenix_Woody · ‎07-18-2023

jbro - did you ever find a solution? We upgraded to 7.0.12 and are having the same issue.

FortiMax_it · ‎12-22-2022

@jbro @jnielsen @useribs problem resolved by Fortinet.

To resolve insert this string in the VPN: "set load-balancing-info NULL"

I hope it is set by default in new firmware.

jbro · ‎12-22-2022

FortiMax -

Thank you so much for your reply.

Unfortunately, no joy for us using that fix. Appreciate the reply though as we are out of ideas here. Packet sniffing our RDP gateway server and we don't see any traffic trying to traverse from the Fortinet so it does seem like it's just instaclosing the connection on that end. Packet sniffs of other servers in that same subnet show normal traffic traversing and doing a config compare between firmware upgrades shows nothing of note changed.

Will continue to update if we figure this out. Thanks for all your help.

jbro · ‎12-22-2022

So - an update - believe it or not this did actually help us ... but in a weird workaround kind of way.

First, the load-balancing-info change did make a difference. However, it doesn't resolve the issue, but for whatever reason, if you pass blank or incorrect credentials on the /sslvpn/frdsviewer.html page you can get to the credentials page of our RDP Gateway server which will allow users to at least work for now.

Such a strange, strange problem.

Fikusir · ‎12-22-2022

I have same issue and "set load-balancing-info NULL" doesnt help!

IT Specialist

Phoenix_Woody · ‎07-18-2023

Hey there FortiMax_it - did you ever get a solution? I am having the same issue on 7.0.12.

kt000791 · ‎09-06-2023

We're having the samem issue after upgrading to 7.0.12. I have a ticket open with support. We'll see......

saicor · ‎12-13-2023

Hello, has support provided the solution?

Thanks.

saicor · ‎01-17-2024

Hi,

I bring the solution from forti support.

After version 7.0.8, including 7.0.12 and 7.0.13, webmode SSLVPN changed the TLS to TLS v1.3 and this TLS is only by default on Windows Server 2022 onwards. If you dont have the register updated to support TLS v1.3, you can do a change on created bookmarks.

Solution:

FW-EST-1 # config vpn ssl web portal

FW-EST-1 (portal) # edit Provider-VPN-Example --> name of your SSLVPN Portal

FW-EST-1 (Provider-VPN-Example) # config bookmark-group

FW-EST-1 (bookmark-group) # edit gui-bookmarks

FW-EST-1 (gui-bookmarks) # config bookmarks

FW-EST-1 (bookmarks) # edit SRV-PRO --> name of your bookmark

FW-EST-1 (SRV-PRO) # set security any

FW-EST-1 (SRV-PRO) # end

The result:

FW-EST-1 (bookmarks) #edit SRV-PRO

FW-EST-1 (SRV-PRO) # show
config bookmarks
edit "SRV-PRO"
set apptype rdp
set description "PRO"
set host "10.10.230.11"
set security any
set port 3389
next
end

This will accept all TLS and finally you will access to your server without the common error "IP_portal:port says Connection closed!"

Thanks.