grizbi
New Contributor

SSL_accept failed, 1:unexpected eof while reading

Hi,

Quite new to Fortinet config.
I'm stuck with this error for a couple of days now on a very simple setup using a FortiGate-40F running v7.2.8.

Using FortiClient on Ubuntu 22.04 and Windows 10. Being far away from the device at the moment, I try to set it up using SSH.


diagnose debug application sslvpn -1 shows
SSL_accept failed, 1:unexpected eof while reading


/**************    Hereafter  - config vpn ssl settings      *************/
set status enable
set reqclientcert disable
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
unset banned-cipher
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set ssl-insert-empty-fragment enable
set https-redirect disable
set x-content-type-options enable
set ssl-client-renegotiation disable
set force-two-factor-auth disable
set servercert "Fortinet_Factory"
set algorithm high
set idle-timeout 300
set auth-timeout 28800
set login-attempt-limit 2
set login-block-time 60
set login-timeout 60
set dtls-hello-timeout 30
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-suffix ''
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-wins-server1 ::
set ipv6-wins-server2 ::
set url-obscuration disable
set http-compression disable
set http-only-cookie enable
set port 10443
set port-precedence enable
set auto-tunnel-static-route enable
set header-x-forwarded-for add
set source-interface "wan"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set default-portal "full-access"
config authentication-rule
edit 1
set groups "SSLVPN_USERS"
set portal "full-access"
set realm ''
set client-cert disable
set cipher high
set auth any
next
end
set browser-language-detection enable
set dtls-tunnel enable
set check-referer disable
set http-request-header-timeout 20
set http-request-body-timeout 30
set auth-session-check-source-ip enable
set tunnel-connect-without-reauth disable
set hsts-include-subdomains disable
set transform-backward-slashes disable
set encode-2f-sequence disable
set encrypt-and-store-password disable
set client-sigalgs all
set dual-stack-mode disable
set tunnel-addr-assigned-method first-available
set saml-redirect-port 8020
set ztna-trusted-client disable
set server-hostname ''
set dtls-max-proto-ver dtls1-2
set dtls-min-proto-ver dtls1-0
end

Please advise if there is any known issue.


AEK
SuperUser

Hi Grizbi

  • Which FCT version are you using?
  • Do you have the same behavior on Windows and on Ubuntu?
  • The management port (HTTPS) of your FGT is other than 10443, right?

BTW, you should update your FOS to 7.2.10. It has nothing to do with your issue, but it addresses multiple known vulnerabilities.

AEK
grizbi
New Contributor

FCT 7.2.8 on Ubuntu & Windows.
Same log message, yes.
Update your FOS to 7.2.10 -> I can't take any risk of losing access to my Fortinet firewall gateway, as I'm currently 4000 miles away from it... I only have access to CLI commands through SSH (maybe I can add routing rules to access 192.168.1.99:443 over an SSH tunnel).

dingjerry_FTNT

Hi @grizbi,


diagnose debug application sslvpn -1 shows
SSL_accept failed, 1:unexpected eof while reading

This is not enough. Please provide all the outputs.

Regards,

Jerry
grizbi

2025-02-09 14:28:51 [221:root:4]allocSSLConn:310 sconn 0x7fa4e55800 (0:root)
2025-02-09 14:28:51 [221:root:4]SSL state:before SSL initialization (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:before SSL initialization (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]got SNI server name: yy.yy.yy.yy realm (null)
2025-02-09 14:28:51 [221:root:4]client cert requirement: no
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write change cipher spec (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data:(null)(xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]got SNI server name: yy.yy.yy.yy realm (null)
2025-02-09 14:28:51 [221:root:4]client cert requirement: no
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write encrypted extensions (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write certificate (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write server certificate verify (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write finished (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 early data:(null)(xx.xx.xx.xx)
2025-02-09 14:29:06 [221:root:4]SSL state:fatal decode error (xx.xx.xx.xx)
2025-02-09 14:29:06 [221:root:4]SSL state:error:(null)(xx.xx.xx.xx)
2025-02-09 14:29:06 [221:root:4]SSL_accept failed, 1:unexpected eof while reading
2025-02-09 14:29:06 [221:root:4]Destroy sconn 0x7fa4e55800, connSize=0. (root)
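
The verdict on the posted debug output can be reached mechanically: this added example (not code from the thread or from Fortinet; the line format is assumed from the lines above) parses `diagnose debug application sslvpn -1` output, follows the OpenSSL-style state messages, and reports whether the FortiGate had already sent its Finished message before the peer went away. Here it had, with the EOF arriving 15 seconds later, which points at the client's handling of the server's certificate flight, or at a device in the path, rather than at protocol or cipher negotiation.

```python
import re
from datetime import datetime

# Constructed sample: the decisive lines from the debug output above (addresses masked as in the post).
SAMPLE_LOG = """\
2025-02-09 14:28:51 [221:root:4]allocSSLConn:310 sconn 0x7fa4e55800 (0:root)
2025-02-09 14:28:51 [221:root:4]client cert requirement: no
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write encrypted extensions (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write certificate (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:TLSv1.3 write server certificate verify (xx.xx.xx.xx)
2025-02-09 14:28:51 [221:root:4]SSL state:SSLv3/TLS write finished (xx.xx.xx.xx)
2025-02-09 14:29:06 [221:root:4]SSL state:fatal decode error (xx.xx.xx.xx)
2025-02-09 14:29:06 [221:root:4]SSL_accept failed, 1:unexpected eof while reading
"""

# "<date> <time> [<pid>:<vdom>:<level>]<message>" -- format assumed from the posted lines.
LINE_RE = re.compile(r"^(\S+ \S+) \[(\d+):(\w+):(\d+)\](.*)$")

def parse(log):
    """Return (timestamp, message) pairs for every well-formed debug line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(5)))
    return events

def classify(events):
    """Say where the handshake died relative to the server's Finished message."""
    # Strip the "SSL state:" prefix and the trailing "(peer address)" from state lines.
    states = [(ts, m[10:].split(" (")[0]) for ts, m in events if m.startswith("SSL state:")]
    failure = next((ts for ts, m in events if "SSL_accept failed" in m), None)
    server_finished = next((ts for ts, s in states if s.endswith("write finished")), None)
    client_finished = any(s.endswith("read finished") for _, s in states)
    # Two ClientHellos on one connection is the TLS 1.3 HelloRetryRequest round trip.
    hellos = sum(s.endswith("read client hello") for _, s in states)
    if failure is None and client_finished:
        verdict = "handshake_completed"
    elif failure is not None and server_finished is not None and not client_finished:
        verdict = "peer_closed_after_server_finished"   # client never answered the server's flight
    elif failure is not None:
        verdict = "failed_before_server_finished"       # e.g. no protocol/cipher agreement
    else:
        verdict = "incomplete_trace"
    gap = (failure - server_finished).total_seconds() if failure and server_finished else None
    return {"verdict": verdict, "client_hellos": hellos, "seconds_after_server_finished": gap}
```

Run `classify(parse(SAMPLE_LOG))` against a fresh capture after each change on the path (the VIP, any inspection profile, the FortiClient version) to see whether the failure point moves.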

AEK

Do you have a DoS policy?

AEK
grizbi
New Contributor

nope

grizbi
New Contributor

Do you think my problem comes from this? I have two FortiGates: one belongs to my ISP and is connected to the WAN with a public IP, the other is mine and has its WAN connected to the LAN1 port of the first one. 100% of the traffic from the first FortiGate is routed to the second one, but maybe the SNI is not correct, which could be why the certificate verification is failing?

AEK

So if I understand correctly, there is another FGT (FGT-A) between your client and the target FGT (FGT-B) to which you are trying to connect with SSL-VPN, right? And you are using a VIP on FGT-A to map the external IP:port to the internal IP:port, right?

In that case, do you use any SSL inspection profile or security profile in the firewall rule that allows SSL-VPN traffic to pass through FGT-A?

AEK