[SOLVED] SSL VPN: Error logon -12 auth_type=16 failed [sslvpn_login_permission_denied]
Hello all,
We have several SSL VPNs, and clients connect with FortiClient SSL VPN.
I created a new SSL VPN but I can't connect: logon denied.
FortiGate 100D v5.2.4,build688 (GA)
What I've done:
Created a new group in Active Directory and put some users in it as members.
Created a new group on the FortiGate and mapped it to the AD group.
Created a new address scope for the VPN.
Created and configured a new SSL portal.
Created policies for this VPN.
I'm pretty sure I've missed something, but what...
diag debug sslvpn:
[94:root:1729]allocSSLConn:245 sconn 0x2a98d1b000 (0:root)
[94:root:1729]SSL state:before/accept initialization (xx.xx.xx.xx)
[94:root:1729]SSL_accept returned 0.
[94:root:1729]Destroy sconn 0x2a98d1b000, connSize=3. (root)
[95:root:1728]allocSSLConn:245 sconn 0x2a98c61c00 (0:root)
[95:root:1728]SSL state:before/accept initialization (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client hello A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write server hello A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write certificate A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write key exchange A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write server done A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 flush data (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client certificate A:system lib(xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client certificate A:system lib(xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client key exchange A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read certificate verify A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read finished A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write change cipher spec A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write finished A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 flush data (xx.xx.xx.xx)
[95:root:1728]SSL state:SSL negotiation finished successfully (xx.xx.xx.xx)
[95:root:1728]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
[95:root:1728]req: /remote/login
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]req: /remote/logincheck
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:639 access failed, uri=[/remote/logincheck],ret=4103,
[95:root:1728]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy.
[95:root:1728]sslvpn_auth_check_usrgroup:1740 got user (1) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1384 validating with SSL VPN authentication rules (7), realm ().
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 1 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 1 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 1 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 1 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (1:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 2 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 2 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 2 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 2 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 2 done, got user (0) group (2:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 3 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 3 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 3 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 3 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 3 done, got user (0) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 4 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 4 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 4 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 4 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 4 done, got user (1) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 5 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 5 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 5 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 5 source address.
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 6 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 6 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 6 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 6 source address.
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 7 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 7 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 7 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 7 source address.
[95:root:1728]sslvpn_validate_user_group_list:1638 got user (1), group (3:0).
[95:root:1728]two factor check for xxxx: off
[95:root:1728]sslvpn_authenticate_user:168 authenticate user: [xxxx]
[95:root:1728]sslvpn_authenticate_user:175 create fam state
[95:root:1728]fam_auth_send_req:514 with server blacklist:
[95:root:1728]fam_auth_send_req_internal:414 fnbam_auth return: 4
[95:root:1728]Auth failed due to group restrictions
[95:root:1728]rmt_logincheck.c:250 user[xxxx],auth_type=16 failed [sslvpn_login_permission_denied]
[95:root:0]rmt_websession.c:77 status=1;host=xx.xx.xx.xx;fails=1;logintime=1443692633
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]req: /
[95:root:1728]mza: 0x1de8980 /rmt_index.html
[95:root:1728]def: 0x1de8980 /rmt_index.html
[95:root:1728]req: /remote/index
[95:root:1728]def: (nil) /remote/index
[95:root:1728]req: /remote/fortisslvpn
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:639 access failed, uri=[/remote/fortisslvpn],ret=4103,
[95:root:1728]req: /remote/login
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]Timeout for connection 0x2a98c61c00.
[95:root:1728]Destroy sconn 0x2a98c61c00, connSize=1. (root)
Thank you.
Regards,
Alex.
I'm answering my own post.
It's OK now.
In the policies, I had to enter the VPN groups in the users section.
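An added example (not from the original thread or from Fortinet) that triages the "diag debug sslvpn" output shown above: it pulls out the user, source host, the user/group list the daemon built from the firewall policies, the per-rule results and the final failure tag, and points at the check that resolved this thread. The sample log is a condensed copy of the posted output with its placeholders kept; the meaning of the "(users) group (n:m)" counters is an assumption.

```python
import re

# Constructed sample: a condensed copy of the posted "diag debug sslvpn" output,
# keeping the placeholder values (xxxx, xx.xx.xx.xx) exactly as they appear.
SAMPLE_LOG = """\
[95:root:1728]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
[95:root:1728]req: /remote/logincheck
[95:root:1728]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy.
[95:root:1728]sslvpn_auth_check_usrgroup:1740 got user (1) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (1:0).
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 4 done, got user (1) group (3:0).
[95:root:1728]sslvpn_authenticate_user:168 authenticate user: [xxxx]
[95:root:1728]fam_auth_send_req_internal:414 fnbam_auth return: 4
[95:root:1728]Auth failed due to group restrictions
[95:root:1728]rmt_logincheck.c:250 user[xxxx],auth_type=16 failed [sslvpn_login_permission_denied]
[95:root:0]rmt_websession.c:77 status=1;host=xx.xx.xx.xx;fails=1;logintime=1443692633
"""

# One regex per line shape we care about. "got user (u) group (g:x)" is assumed to be
# the number of users and groups the daemon gathered from the firewall policies.
PATTERNS = {
    "tls": re.compile(r"SSL established: (?P<version>\S+) (?P<cipher>\S+)"),
    "policy_list": re.compile(r"sslvpn_auth_check_usrgroup:\d+ got user \((?P<users>\d+)\) group \((?P<groups>\d+):\d+\)"),
    "rule": re.compile(r"rule (?P<rule>\d+) done, got user \((?P<users>\d+)\) group \((?P<groups>\d+):\d+\)"),
    "backend": re.compile(r"fnbam_auth return: (?P<code>\d+)"),
    "reason": re.compile(r"\](?P<reason>Auth failed[^\n]*)"),
    "result": re.compile(r"user\[(?P<user>[^\]]*)\],auth_type=(?P<auth_type>\d+) failed \[(?P<tag>[^\]]+)\]"),
    "session": re.compile(r"host=(?P<host>[^;]+);fails=(?P<fails>\d+)"),
}

def parse_sslvpn_debug(text):
    """Reduce one login attempt's debug output to a flat triage dict."""
    info = {"rules": []}
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "rule":  # keep every per-rule result, not just the last one
                info["rules"].append({k: int(v) for k, v in m.groupdict().items()})
            else:
                info.update(m.groupdict())
    return info

def explain(info):
    """Turn the parsed fields into the first thing an admin should check."""
    if info.get("tag") == "sslvpn_login_permission_denied" and "group restrictions" in info.get("reason", ""):
        return (f"user {info.get('user')} from {info.get('host')} was denied by group restriction; "
                f"the user/group list is built from the firewall policies ({info.get('groups')} groups found), "
                "so check that the user's group is listed in the SSL VPN policy's source users/groups")
    return info.get("reason") or info.get("tag") or "no failure recorded"
```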
