Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RolandBaumgaertner72
Contributor

SSL VPN Connection Error with LDAP

Hi,

 

last week we updated our FG cluster to FG200F with 7.4.5.

We had some problems but in general it seems quite OK. Only with SSL VPN we still have problems and we cnat get it functioning.

1. Connecting with Local User it works fine, I get the certificate window and I can login, no prob!
2. User from LDAP, connection to LDAP works fine, I can even test my credentials and OK but than connecting to the SSL VPN I dont geht the ceretificate pop up and after 48% I get Permission denied and -455

We did the same as in all other FGs. We imported the same remote certificate and everywhere it works. We checked groups and everything and it should be OK.

In System Events VPN I get:
Action ssl-login-fail
Reason sslvpn_login_unknown_user

 

What else can we try? It seems like the FG is not checking the certificate and we try with "Require Client certificate" and without and no change 

 

Thanks!

11 REPLIES 11
salemneaz
Staff
Staff

Hi,

 

Would you please try to follow the article reference given below;

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

 

You can also try to connect the SSL VPN using the web portal bypassing the FortiClient.

If you are using LDAP user then you can follow the article reference given below to check the user.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-LDAP-troubleshooting-and-d...

 

Salem
mle2802
Staff
Staff

Hi @RolandBaumgaertner72,

On FortiGate LDAP server config, can you try to test the username/password and see first of all if it is able to authenticate? 

Regards,

HiralShah
Staff
Staff

Hello @RolandBaumgaertner72 

 

Are you using any MFA for LDAP users?

Please check this document if forticlient is stopping at 48% it seems issue with MFA.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL...

 

Hiral
RolandBaumgaertner72
Contributor

Hello,

 

we have no MFA in place. In the Web Mode I get the same message, connection denied. Again, with the local user I can connect via Forticlient and also via web mode. So there is an issue with users in LDAP. Both my users, the local one and also the LDAP is in the same group and also in the same policy so this is also OK. Also I tried my user with the LDAP connection and got OK, also we tried with other users from LDAP and the same problem.

 

The SSL VPN was working with the old FGs, so we just copied the same configuration.

 

2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2613 rule 1 done, got user (0:0) group (1:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2050 checking rule 2 cipher.
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2058 checking rule 2 realm.
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2069 checking rule 2 source intf.
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2613 rule 2 done, got user (0:0) group (11:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2621 got user (0:0) group (11:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2968 got user (0:0), group (11:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_update_user_group_list:1850 got user (0:0), group (11:0), peer group (0) after update.
2024-10-22 19:58:34 [385:root:57]two factor check for Roland Baumgaertner: off
2024-10-22 19:58:34 [385:root:57]sslvpn_authenticate_user:203 authenticate user: [XXXX]
2024-10-22 19:58:34 [385:root:57]sslvpn_authenticate_user:221 create fam state
2024-10-22 19:58:34 [385:root:57][fam_auth_send_req_internal:432] Groups sent to FNBAM:
2024-10-22 19:58:34 [385:root:57]group_desc[0].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[1].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[2].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[3].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[4].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[5].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[6].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[7].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[8].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[9].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[10].grpname = VPN SSL Azure
2024-10-22 19:58:34 [385:root:57][fam_auth_send_req_internal:444] FNBAM opt = 0X200420
2024-10-22 19:58:34 [385:root:57]fam_auth_send_req_internal:513 fnbam_auth return: 4
2024-10-22 19:58:34 [385:root:57]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 5 ((null))
2024-10-22 19:58:34 [385:root:57][fam_auth_proc_resp:1371] An error happened updating the FNBAM response.
2024-10-22 19:58:34 [385:root:57][fam_auth_proc_resp:1505] Authenticated groups (11) by FNBAM with auth_type (1):
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[0] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[1] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[2] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[3] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[4] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[5] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[6] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[7] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[8] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[9] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[10] = 13630032
2024-10-22 19:58:34 [385:root:57]login_failed:480 user[XXXX],auth_type=1 failed [sslvpn_login_unknown_user]
2024-10-22 19:58:34 [385:root:57]Transfer-Encoding n/a
2024-10-22 19:58:34 [385:root:57]Content-Length 237

 

 

 

 

RolandBaumgaertner72
Contributor

Hi,

 

since local user work fine and since we have 5 other sites with FG and SSL VPN we are sure that it is a Certificate problem.

 

From auf DC we are not able to export PKCS #12 certificate and honestly I dont remember how we did it on the other FGs. Since I dont have access to the servers I am lost now. We need to get the cert from the DC and import it to this new FG.

 

Any help? Thanks a lot!!

RyanGunn

Did you ever get a resolution on this? I am running into the exact same issue after upgrading to 7.4.5.

RolandBaumgaertner72

No, I am waiting for a remote session with a Fortinet technician.

 

If you say so, maybe it is not related to a certificate issue from the LDAP server. I was thinking it might be a problem.

 

I will let you know in this post

Trovac

We are having the exact same issue after upgrading to 7.4.5 on all our Fortigates, but we tried using a computer with an older version of FortiClient Installed and the exact same user was able to login with the SSL VPN. In the Fortigates logs, we see the exact same public IP, the exact same user, but one says "sslvpn_login_unknown_user" and the other says "login successfully".

Let me know if you find a solution.


Thanks.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors