Chet
New Contributor

SSL VPN Web Portal Access Issue

New to Fortinet. Trying to get our new Fortigate 60E (5.4.6) set up and tested before putting it into production. Everything seems to be working except for web-based SSL VPN access to an internal web server. I can get to it if I connect with the FortiClient.

 

- When trying to connect to the Fortigate admin console I get "Secure Connection Failed".  (Not sure if you can connect to the admin console that is providing the VPN)

- When trying to connect to the admin console of a wifi access point, I never get a response.  It is waiting forever. Partial debug logs below:

[15718:root:0]ap_write,203, error=Broken pipe.
[15718:root:17f]Destroy sconn 0x546d9300, connSize=1. (root)
[15718:root:181]SSL state:warning close notify (192.168.99.108)
[15718:root:181]sslConnGotoNextState:299 error (last state: 1, closeOp: 0)
[15718:root:181]Destroy sconn 0x546d9c00, connSize=0. (root)
[15719:root:181]allocSSLConn:276 sconn 0x54647c00 (0:root)
[15719:root:181]SSL state:before/accept initialization (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client hello A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write server hello A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write certificate A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write key exchange A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write server done A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 flush data (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client certificate A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client key exchange A:system lib(192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client key exchange A:system lib(192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client key exchange A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read certificate verify A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read finished A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write session ticket A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write change cipher spec A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write finished A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 flush data (192.168.99.108)
[15719:root:181]SSL state:SSL negotiation finished successfully (192.168.99.108)
[15719:root:181]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[15719:root:181]req: /remote/portal?action=2
[15719:root:181]deconstruct_session_id:363 decode session id ok, user=[chet],group=[SSL-VPN-users],portal=[full-access],host=[192.168.99.108],realm=[],idx=0,auth=1,sid=6b6a71f5, login=1511541944, access=1511541944

Any troubleshooting help would be appreciated.

Chet
New Contributor

The issue seems to be with the tests I was trying to run.  After setting up a different test server, it appears to be working as expected.

DirkDuesentrieb
New Contributor

This looks like an issue I have. If you have some minutes for troubleshooting please do this:

Create a packet dump, open it in Wireshark and check if you see this:

  • Client Hello: nothing interesting here
  • Server Hello: please check the Cipher Suite in this response, e.g. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • Server Hello Done: nothing interesting here
  • Client Key Exchange: nothing interesting here
  • Fatal Error: I can see "Bad Record MAC" here

In your debug you have "SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384"; if this doesn't match the cipher in the Server Hello, you hit the same issue - the crypto of the Fortigate is broken!

To create pcaps on the 60E you can use this.

Cheers,

Dirk
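Dirk's comparison above, done in code as an added example that is not from the thread: it pulls the ServerHello cipher suite and any fatal alert out of raw TLS record bytes (as exported from a capture), maps the suite id to the OpenSSL name the sslvpn debug prints, and flags a bad_record_mac alert. The TLS bytes and the two-entry suite table are constructed for the example.

```python
import re
import struct

# IANA suite id -> (name as Wireshark shows it, OpenSSL name as the sslvpn debug prints it).
# Only the two suites named in this thread are listed; extend as needed.
CIPHER_SUITES = {
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE-RSA-AES256-SHA"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384"),
}
HANDSHAKE, ALERT, SERVER_HELLO = 22, 21, 2   # TLS content types and handshake message type
BAD_RECORD_MAC = 20                          # TLS alert description code

def parse_records(data):
    """Split raw TLS bytes into (content_type, body) tuples, one per record."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        records.append((ctype, data[off + 5:off + 5 + length]))
        off += 5 + length
    return records

def server_hello_cipher(records):
    """Cipher-suite id chosen in the ServerHello, or None if there is none."""
    for ctype, body in records:
        if ctype == HANDSHAKE and body and body[0] == SERVER_HELLO:
            # handshake header(4) + version(2) + random(32) -> session_id_len sits at offset 38
            sid_len = body[38]
            return struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
    return None

def fatal_alerts(records):
    """Description codes of every fatal (level 2) alert record in the stream."""
    return [body[1] for ctype, body in records if ctype == ALERT and body[0] == 2]

def debug_log_cipher(line):
    # OpenSSL cipher name from a 'diag debug app sslvpn -1' "SSL established:" line
    m = re.search(r"SSL established: \S+ (\S+)", line)
    return m.group(1) if m else None

def diagnose(tls_bytes, debug_line):
    # Does the suite the capture shows match the one the debug line claims, and was there a bad MAC?
    records = parse_records(tls_bytes)
    iana_name, openssl_name = CIPHER_SUITES.get(server_hello_cipher(records), ("unknown", None))
    return {
        "server_hello_cipher": iana_name,
        "debug_cipher": debug_log_cipher(debug_line),
        "ciphers_match": openssl_name == debug_log_cipher(debug_line),
        "bad_record_mac": BAD_RECORD_MAC in fatal_alerts(records),
    }

# Constructed sample (not a real capture): ServerHello choosing 0x0039, then a fatal bad_record_mac alert.
SAMPLE_TLS = (bytes.fromhex("160303002a020000260303") + b"\x11" * 32
              + bytes.fromhex("00003900") + bytes.fromhex("15030300020214"))
SAMPLE_DEBUG = "[15719:root:181]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384"
```

Feed it the TLS payload bytes from the Server Hello onward and the "SSL established" line from the debug; a mismatch together with bad_record_mac is the pattern Dirk describes.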

emnoc
Esteemed Contributor III

Is your problem webportal access or tunnel-mode FortiClient?

or

is it the unit "admin access"?

You need to bind the management to a different port number, e.g.

https://x.x.x.x:8443
https://x.x.x.x:444

config sys global
    set admin-sport 8443
end

Make sure the port is NOT in use by another process.

So your diag debug app sslvpn -1 while accessing the VPN or tunnel shows you authenticate. So I wouldn't worry about the SSLVPN.

PCNSE
NSE
StrongSwan
pat_wei

hi Dirk,

Thanks for the explanation, I hope the crypto is not broken ;))

Actually, when I do diag debug application sslvpn -1, I do not see the SSL messages related to the backend connection, only the connection from the client to the Fortigate, so I don't know how you could conclude from that data that it is broken. The client-to-Fortigate and Fortigate-to-internal-page connections don't have to use the same TLS cipher suite, but I don't know how I could troubleshoot that. I have a ticket with Fortinet, but it takes time for them to build my environment and test.

PS: I did use your tool, but when I copy-paste the full output it only has 1 packet in the pcap.

Still using fgt2eth.exe (the one that works, many seem not to work:

pat_wei
New Contributor III

I ran into this issue with a 61E and 5.4.7: any internal https page with SSL-VPN web mode fails.

Capture shows TLS alert bad record MAC.

All http pages work, ping works etc. from Quick Connect. But no https.

DirkDuesentrieb

Another "E-Model" - that's interesting. Maybe it is an issue in the NP6lite, D-Models seem to work. Is it possible to disable the crypto acceleration? No standard npu commands seem to work.

Dirk
