Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

SSL VPN - user authentication error

Hi! I' m a noob at this and is just starting to learn SSL VPN setup. we' re using Fortigate 100A 3.00,build0319,060724. I think I' ve been doing well following every procedure from the " fortigate ssl vpn user guide" , but when I try to login with the username in the web-browser, it doesn' t log me in and gives an error message - " User mds login failed from" . I' m using self-signed server certificate and created users and user groups for SSL VPN. In the log I get this error message: 2011-05-24 17:54:32 log_id=0132099602 type=event subtype=sslvpn-user pri=alert vd=root user=mds rip= action=login status=failure reason=unavail_info msg=" User mds login failed from" Please help!

Hi, and welcome to the forums! The log message only signifies that you have tried to log in too many times; there should be an earlier log entry giving the real reason. To check: - your user group is a Firewall group - you have checked " Allow SSL-VPN Access" in the group definition, pointing to the right SSL web portal. - your policy for SSL access is wan -> internal, SSL_IP_range to internal_IP_range
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Thanks ede! I can' t find any earlier log that points to what you are saying because I only got 50 error logs and they are all the same. anyway, here' s my answer to your checklist: - my user group is under SSL VPN user group type. - In the group definition, I ticked " Enable Web Application" , " HTTP/HTTPS" , " Enable cache clean" and entered " redirect URL" because I' m trying to use web-only mode. - I set the policy to wan1->internal, my source address is " all" , and my destination address is the host address where the website is located. Question: (1) on SSL VPN setting, I enabled SSL-VPN and set the Tunnel IP range to - as per web-only mode settings instruction. Is this right? (2) Are certificates needed for each users and user groups?

a) workaround for logging into memory: use syslog or alert mail, level ' warning' . b) using web mode you don' t have to narrow down the IP range, you' re right c) no, the FGT uses a built-in cert. As I understood your setup I thought you were authenticating with local user+password, not certs. d) your firmware is nearly 5 years old. Without much hassle you could upgrade to 3.00MR7 patch10 (build 754). Fortinet has fixed a lot of early on bugs along the way. Be sure to read the Release Notes before you upgrade, and it might be that you need intermediate versions.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

hi ede! sorry for a late reply. I' ve been busy with other stuff a few days ago. answers below: a) done. :) but there isn' t any warning error appeared when I tried logging in again...:( c) yes! you' re right. I' m trying to authenticate user+password...I' m just confused if whether the certificates are still needed or not. d) do i need to pay additional for upgrading my firmware? Does my existing configuration will be deleted when I upgrade it?

I' m just confused if whether the certificates are still needed or not.
As in any SSL connection a cert is used whether you install one or not. When a user first connects to the Web portal he/she will be asked to trust the built-in cert from Fortinet. You could avoid this by installing your own cert on the Fortigate provided that all your users have it installed in their browsers too. My advice: get the SSL VPN working and care for the cert later. It' s icing on the cake.
do i need to pay additional for upgrading my firmware? Does my existing configuration will be deleted when I upgrade it?
You should have a vaild support contract for your hardware (FortiCare or FortiGuard). If so then you have an account at From there you can download firmware for free - during the lifetime of your contract (actually, as long as you have an account). Second, if you UPgrade your config will be kept or even modified automatically to suit the new version. If you DOWNgrade the config will be lost. In any way, get a backup copy of your config before you start! Download the Release Notes for that version when you get the firmware image and READ IT. In the first pages they clearly show how to upgrade, from which version an upgrade is possible etc. As your firmware is really old you' ll have to do some intermediate upgrades - to 3.00MR7 patch 10 at least. If you want to go to v4.00, well, read the Release Notes. I' d think the latest 3.00 version will do (3.00MR7p10).
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Hi Ede! I' m just wondering...Should I upgrade my FGT with ALL the MR3 patches sequentially or just upgrade it with the latest patch of MR3? I didn' t notice any instructions about patches in the release notes. Sorry.

If you' re going to 3.00MR7patch10 then read the Release Notes for that version. It contains a section stating from which version you can update directly. Usually, newer patch versions are cumulative i.e. they contain all patches of the previous patch versions. But please follow the RN on this. BTW, firmware has 3 levels: - version (2.80, 3.00, 4.00) - Maintenance Release (MR) (1...) - patch (1..) so you are planning to upgrade to 3.00 MR7 patch10 (3.7.10 in short). There might be some confusion if you talk about " MR3" and mean " version 3.00" .
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
New Contributor

hi All, when i setting SSL VPN on my FG 200A, i got error is: Permission Denied. Policy, static route, Address, SSL VPN i had config already. anybody help me?

pls post your ssl vpn settings here so that others could assist you

Fortigate Newbie

Fortigate Newbie
Check out our Community Chatter Blog! Click here to get involved
Top Kudoed Authors