Hi,
last week we updated our FG cluster to FG200F with 7.4.5.
We had some problems but in general it seems quite OK. Only with SSL VPN we still have problems and we cnat get it functioning.
1. Connecting with Local User it works fine, I get the certificate window and I can login, no prob!
2. User from LDAP, connection to LDAP works fine, I can even test my credentials and OK but than connecting to the SSL VPN I dont geht the ceretificate pop up and after 48% I get Permission denied and -455
We did the same as in all other FGs. We imported the same remote certificate and everywhere it works. We checked groups and everything and it should be OK.
In System Events VPN I get:
Action ssl-login-fail
Reason sslvpn_login_unknown_user
What else can we try? It seems like the FG is not checking the certificate and we try with "Require Client certificate" and without and no change
Thanks!
Hi,
Would you please try to follow the article reference given below;
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
You can also try to connect the SSL VPN using the web portal bypassing the FortiClient.
If you are using LDAP user then you can follow the article reference given below to check the user.
Hi @RolandBaumgaertner72,
On FortiGate LDAP server config, can you try to test the username/password and see first of all if it is able to authenticate?
Regards,
Hello @RolandBaumgaertner72
Are you using any MFA for LDAP users?
Please check this document if forticlient is stopping at 48% it seems issue with MFA.
Hello,
we have no MFA in place. In the Web Mode I get the same message, connection denied. Again, with the local user I can connect via Forticlient and also via web mode. So there is an issue with users in LDAP. Both my users, the local one and also the LDAP is in the same group and also in the same policy so this is also OK. Also I tried my user with the LDAP connection and got OK, also we tried with other users from LDAP and the same problem.
The SSL VPN was working with the old FGs, so we just copied the same configuration.
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2613 rule 1 done, got user (0:0) group (1:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2050 checking rule 2 cipher.
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2058 checking rule 2 realm.
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2069 checking rule 2 source intf.
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2613 rule 2 done, got user (0:0) group (11:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2621 got user (0:0) group (11:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_validate_user_group_list:2968 got user (0:0), group (11:0) peer group (0).
2024-10-22 19:58:34 [385:root:57]sslvpn_update_user_group_list:1850 got user (0:0), group (11:0), peer group (0) after update.
2024-10-22 19:58:34 [385:root:57]two factor check for Roland Baumgaertner: off
2024-10-22 19:58:34 [385:root:57]sslvpn_authenticate_user:203 authenticate user: [XXXX]
2024-10-22 19:58:34 [385:root:57]sslvpn_authenticate_user:221 create fam state
2024-10-22 19:58:34 [385:root:57][fam_auth_send_req_internal:432] Groups sent to FNBAM:
2024-10-22 19:58:34 [385:root:57]group_desc[0].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[1].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[2].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[3].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[4].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[5].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[6].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[7].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[8].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[9].grpname = VPN SSL XX
2024-10-22 19:58:34 [385:root:57]group_desc[10].grpname = VPN SSL Azure
2024-10-22 19:58:34 [385:root:57][fam_auth_send_req_internal:444] FNBAM opt = 0X200420
2024-10-22 19:58:34 [385:root:57]fam_auth_send_req_internal:513 fnbam_auth return: 4
2024-10-22 19:58:34 [385:root:57]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 5 ((null))
2024-10-22 19:58:34 [385:root:57][fam_auth_proc_resp:1371] An error happened updating the FNBAM response.
2024-10-22 19:58:34 [385:root:57][fam_auth_proc_resp:1505] Authenticated groups (11) by FNBAM with auth_type (1):
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[0] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[1] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[2] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[3] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[4] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[5] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[6] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[7] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[8] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[9] = 0
2024-10-22 19:58:34 [385:root:57]Received: auth_rsp_data.grp_list[10] = 13630032
2024-10-22 19:58:34 [385:root:57]login_failed:480 user[XXXX],auth_type=1 failed [sslvpn_login_unknown_user]
2024-10-22 19:58:34 [385:root:57]Transfer-Encoding n/a
2024-10-22 19:58:34 [385:root:57]Content-Length 237
Hi,
since local user work fine and since we have 5 other sites with FG and SSL VPN we are sure that it is a Certificate problem.
From auf DC we are not able to export PKCS #12 certificate and honestly I dont remember how we did it on the other FGs. Since I dont have access to the servers I am lost now. We need to get the cert from the DC and import it to this new FG.
Any help? Thanks a lot!!
Did you ever get a resolution on this? I am running into the exact same issue after upgrading to 7.4.5.
No, I am waiting for a remote session with a Fortinet technician.
If you say so, maybe it is not related to a certificate issue from the LDAP server. I was thinking it might be a problem.
I will let you know in this post
We are having the exact same issue after upgrading to 7.4.5 on all our Fortigates, but we tried using a computer with an older version of FortiClient Installed and the exact same user was able to login with the SSL VPN. In the Fortigates logs, we see the exact same public IP, the exact same user, but one says "sslvpn_login_unknown_user" and the other says "login successfully".
Let me know if you find a solution.
Thanks.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.