I'm using FortiGate 7.0.6 and setting up OSPF, and telnet to vpn-ip:9043 works (reached).
The FortiClient VPN tries to connect but is still stuck at 40%. It says the identity certificate is not trusted.
Does anyone know what the problem is here?
Please check this.
Thanks, I have already read this post, but in my case there is no warning to click "yes".
Can you collect the SSLVPN debug?
diagnose debug application sslvpn -1
diagnose debug enable
Hi @srajeswaran, this is the SSLVPN debug log. The connection hangs at 40%.
*I ran telnet to VPNServer:9043 (SSL port): success.
So do you know what's wrong with these logs?
SOSC # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
SOSC # diagnose debug enable
SOSC # [1590:root:2c]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2c]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2c]SSL state:before SSL initialization:DH lib(x.x.x.246)
[1590:root:2c]SSL_accept failed, 5:(null)
[1590:root:2c]Destroy sconn 0x7f5c53f56c00, connSize=0. (root)
[1590:root:2d]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2d]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2d]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2d]no SNI received
[1590:root:2d]client cert requirement: no
[1590:root:2d]SSL state:SSLv3/TLS read client hello (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server hello (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write certificate (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write key exchange (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done:system lib(x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done:DH lib(x.x.x.246)
[1590:root:2d]SSL_accept failed, 5:(null)
[1590:root:2d]Destroy sconn 0x7f5c53f56c00, connSize=0. (root)
[1590:root:2e]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2e]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2e]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2e]no SNI received
[1590:root:2e]client cert requirement: no
[1590:root:2e]SSL state:SSLv3/TLS read client hello (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server hello (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write certificate (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write key exchange (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server done (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server done:system lib(x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server done:DH lib(x.x.x.246)
[1590:root:2e]SSL_accept failed, 5:(null)
[1590:root:2e]Destroy sconn 0x7f5c53f56c00, connSize=0. (root)
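Added example, not part of the original thread: a small Python parser that groups `diagnose debug application sslvpn` lines by connection id and reports the last SSL state each handshake reached before `SSL_accept failed`. The `[pid:vdom:conn-id]message` layout is inferred from the lines posted above, and the sample input is constructed by abridging them.

```python
import re

# Constructed sample: abridged from the debug output posted in this thread.
SAMPLE = """\
SOSC # [1590:root:2c]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2c]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2c]SSL state:before SSL initialization:DH lib(x.x.x.246)
[1590:root:2c]SSL_accept failed, 5:(null)
[1590:root:2d]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2d]no SNI received
[1590:root:2d]SSL state:SSLv3/TLS read client hello (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server hello (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write certificate (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done:DH lib(x.x.x.246)
[1590:root:2d]SSL_accept failed, 5:(null)
"""

# Assumed line layout: [pid:vdom:conn-id]message
LINE = re.compile(r"\[(\d+):([^:\]]+):([0-9a-f]+)\](.*)$")
# State name, optional ":<name> lib" suffix, then the peer address in parentheses.
STATE = re.compile(r"SSL state:(.+?)(?::[\w ]+ lib)?\s*\(([^)]*)\)\s*$")
FAIL = re.compile(r"SSL_accept failed, (\d+)")

def summarize(text):
    """Group debug lines by connection id and track where each handshake stopped."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.search(raw)  # search() tolerates a CLI prompt before the bracket
        if not m:
            continue
        _pid, _vdom, cid, msg = m.groups()
        c = conns.setdefault(cid, {"last_state": None, "peer": None,
                                   "no_sni": False, "error": None})
        if (s := STATE.match(msg)):
            c["last_state"], c["peer"] = s.group(1), s.group(2)
        elif msg.startswith("no SNI received"):
            c["no_sni"] = True
        elif (f := FAIL.match(msg)):
            c["error"] = int(f.group(1))
    return conns

def failed_handshakes(text):
    """Return (conn id, peer, last state, error code) for each failed SSL_accept."""
    return [(cid, c["peer"], c["last_state"], c["error"])
            for cid, c in summarize(text).items() if c["error"] is not None]

if __name__ == "__main__":
    for row in failed_handshakes(SAMPLE):
        print("conn %s peer %s stopped after %r, SSL_accept error %d" % row)
```

On the posted log this separates the first connection, which fails before any hello is read, from the later ones, which fail only after the FortiGate has sent its certificate and server done.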
Telnet works because it doesn't use SSL/certificates.
Can you check if there is any SSL version specified under VPN setting?
config vpn ssl settings
Did you mean this one?
*********************************************************
SOSC (settings) # get
status : enable
reqclientcert : enable
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : CustomSignedCert
idle-timeout : 0
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix :
dns-server1 : 8.8.8.8
dns-server2 : 1.1.1.1
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 9043
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "Loopback_"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : VPN SSL Client
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : disable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dual-stack-mode : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port : 8020
web-mode-snat : disable
user-peer :
Ideally this output should show "ssl-max-proto-ver" and "ssl-min-proto-ver".
Can you run the below command?
config vpn ssl settings
show full | grep proto-ver
Can you configure the below and check?
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
Copyright 2024 Fortinet, Inc. All Rights Reserved.