New to Fortinet. Trying to get our new Fortigate 60E (5.4.6) setup and tested before putting it into production. Everything seems to be working except for web based SSL VPN access to an internal web server. I can get to it if I connect with the FortiClient.
- When trying to connect to the Fortigate admin console I get "Secure Connection Failed". (Not sure if you can connect to the admin console that is providing the VPN)
- When trying to connect to the admin console of a wifi access point, I never get a response. It is waiting forever. Partial debug logs below:
[15718:root:0]ap_write,203, error=Broken pipe. [15718:root:17f]Destroy sconn 0x546d9300, connSize=1. (root) [15718:root:181]SSL state:warning close notify (192.168.99.108) [15718:root:181]sslConnGotoNextState:299 error (last state: 1, closeOp: 0) [15718:root:181]Destroy sconn 0x546d9c00, connSize=0. (root) [15719:root:181]allocSSLConn:276 sconn 0x54647c00 (0:root) [15719:root:181]SSL state:before/accept initialization (192.168.99.108) [15719:root:181]SSL state:SSLv3 read client hello A (192.168.99.108) [15719:root:181]SSL state:SSLv3 write server hello A (192.168.99.108) [15719:root:181]SSL state:SSLv3 write certificate A (192.168.99.108) [15719:root:181]SSL state:SSLv3 write key exchange A (192.168.99.108) [15719:root:181]SSL state:SSLv3 write server done A (192.168.99.108) [15719:root:181]SSL state:SSLv3 flush data (192.168.99.108) [15719:root:181]SSL state:SSLv3 read client certificate A (192.168.99.108) [15719:root:181]SSL state:SSLv3 read client key exchange A:system lib(192.168.99.108) [15719:root:181]SSL state:SSLv3 read client key exchange A:system lib(192.168.99.108) [15719:root:181]SSL state:SSLv3 read client key exchange A (192.168.99.108) [15719:root:181]SSL state:SSLv3 read certificate verify A (192.168.99.108) [15719:root:181]SSL state:SSLv3 read finished A (192.168.99.108) [15719:root:181]SSL state:SSLv3 write session ticket A (192.168.99.108) [15719:root:181]SSL state:SSLv3 write change cipher spec A (192.168.99.108) [15719:root:181]SSL state:SSLv3 write finished A (192.168.99.108) [15719:root:181]SSL state:SSLv3 flush data (192.168.99.108) [15719:root:181]SSL state:SSL negotiation finished successfully (192.168.99.108) [15719:root:181]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 [15719:root:181]req: /remote/portal?action=2 [15719:root:181]deconstruct_session_id:363 decode session id ok, user=[chet],group=[SSL-VPN-users],portal=[full-access],host=[192.168.99.108],realm=[],idx=0,auth=1,sid=6b6a71f5, login=1511541944, access=1511541944 [15719:root:181]deconstruct_session_id:363 decode session id ok, user=[chet],group=[SSL-VPN-users],portal=[full-access],host=[192.168.99.108],realm=[],idx=0,auth=1,sid=6b6a71f5, login=1511541944, access=1511541944
Any troubleshooting help would be appreciated.
The issue seems to be with the tests I was trying to run. After setting up a different test server, it appears to be working as expected.
This looks like an issue I have. If you have some minutes for troubleshooting please do this:
Create a packet dump, open it in wireshark and check if you see this:
[ul]In your debug you have "SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384" if this doesn't match the cipher in the Server Hello you hit the same issue - the crypto of the Fortigate is broken!
To create pcaps on the 60E you can use this.
Cheers,
Dirk
Is your problem webportal access or tunnel-mode forticlient?
or
is it the unit "admin access"
You need to bind the management to a different port number
e.g
config sys gllobal
set admin-sport 8443
end
Make sure the port is NOT in use by other process
So your diag debug app sslvpn -1 while accessing the VPN or tunnel show your authenticate. So I won't worrying about the SSLVPN
PCNSE
NSE
StrongSwan
hi Dirk,
Thanks for the explanation, I hope not that the crypto is broken ;))
Actually, when I do diag debug application sslvpn -1, I do not see the SSL messages related to the backend connection, only the connection from the client to the fortigate, so I don't know how you could from that data conclude that it is broken? The client to the fortigate and the fortigate to the internal page must not use the same TLS ciphersuite, but I don't know how I could troubleshoot. Have a ticket with Fortinet, but it takes time for them to build my environment and test.
PS: I did use your tool but when I copy paste the full output it only has 1 packet in pcap.
Still using fgt2eth.exe (the one that works, many seem not to work:
I run into this issue with 61E and 5.4.7 any internal https page with SSL-VPN Web mode fails.
Capture shows TLS alert bad record MAC.
All http pages work, ping works etc. from Quick Connect. But no https.
Another "E-Model" - that's interesting. Maybe it is an issue in the NP6lite, D-Models seem to work. Is it possible to disable the crypto acceleration? No standard npu commands seem to work.
Dirk
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.