Leonid_stanishevskiy
New Contributor II

VPN problem 98%

Hello community

I am looking for your help in solving the issue with SSL VPN connection. The problem exists only on 1 computer when connected to any Fortigate device. The credentials are correct.

 

Problem: when you turn on the computer for the first time, when you try to establish a connection, it immediately breaks after connecting. On repeated attempts, it remains at 98% and does not move.

 

Error from the client's log:

22.10.2021 14:28:22 error sslvpn FortiSslvpn: 12772: error: poll_send_ssl ->SSL_get_error(): 5, try:1
22.10.2021 14:28:22 error sslvpn FortiSslvpn: 12772: error: poll_send_ssl -> WSAGetLastError():2746, try:1
22.10.2021 14:28:22 error sslvpn FortiSslvpn: 12772: error: poll_send_ssl ->data size: 86, try:1
22.10.2021 14:28:22 error sslvpn FortiSslvpn: 12772: [handle_driver_read_event]: error: poll_send
22.10.2021 14:28:22 error sslvpn FortiSslvpn: 15248: error: poll_recv_ssl -> SSL_get_error(): 5
22.10.2021 14:28:22 error sslvpn FortiSslvpn: 15248: error: poll_recv_ssl -> WSAGetLastError():2746

 

Log from device:


[193:root:70e]SSL state:before SSL initialization (000.000.000.000)
[193:root:70e]SSL state:before SSL initialization:DH lib(000.000.000.000)
[193:root:70e]SSL_accept failed, 5:(null)
[193:root:70e]Destroy sconn 0x36186600, connSize=1. (root)
[11005:root:35b]allocSSLConn:280 sconn 0x360e0f00 (0:root)
[11005:root:35b]SSL state:before SSL initialization (000.000.000.000)
[11005:root:35b]SSL state:before SSL initialization (000.000.000.000)
[11005:root:35b]SSL state:SSLv3/TLS read client hello (000.000.000.000)
[11005:root:35b]SSL state:SSLv3/TLS write server hello (000.000.000.000)
[11005:root:35b]SSL state:SSLv3/TLS write certificate (000.000.000.000)
[11005:root:35b]SSL state:SSLv3/TLS write key exchange (000.000.000.000)
[11005:root:35b]SSL state:SSLv3/TLS write server done (000.000.000.000)
[11005:root:35b]SSL state:SSLv3/TLS write server done:system lib(000.000.000.000)
[11005:root:35b]SSL state:SSLv3/TLS write server done:DH lib(000.000.000.000)
[11005:root:35b]SSL_accept failed, 5:(null)
[11005:root:35b]Destroy sconn 0x360e0f00, connSize=2. (root)
[195:root:70d]allocSSLConn:280 sconn 0x361a6f00 (0:root)
[195:root:70d]SSL state:before SSL initialization (000.000.000.000)
[195:root:70d]SSL state:before SSL initialization (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS read client hello (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write server hello (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write certificate (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write key exchange (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write server done (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write server done:system lib(000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write server done (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS read client key exchange (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS read change cipher spec (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS read finished (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write session ticket (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write change cipher spec (000.000.000.000)
[195:root:70d]SSL state:SSLv3/TLS write finished (000.000.000.000)
[195:root:70d]SSL state:SSL negotiation finished successfully (000.000.000.000)
[195:root:70d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[195:root:70d]req: /remote/info
[195:root:70d]req: /remote/login
[195:root:70d]rmt_web_auth_info_parser_common:433 no session id in auth info
[195:root:70d]rmt_web_get_access_cache:752 invalid cache, ret=4103
[195:root:70d]req: /remote/logincheck
[195:root:70d]rmt_web_auth_info_parser_common:433 no session id in auth info
[195:root:70d]rmt_web_access_check:678 access failed, uri=[/remote/logincheck],ret=4103,
[195:root:70d]rmt_logincheck_cb_handler:890 user '________' has a matched local entry.
[195:root:70d]sslvpn_auth_check_usrgroup:1762 forming user/group list from policy.
[195:root:70d]sslvpn_auth_check_usrgroup:1804 got user (0) group (1:0).
[195:root:70d]sslvpn_validate_user_group_list:1432 validating with SSL VPN authentication rules (2), realm ().
[195:root:70d]sslvpn_validate_user_group_list:1480 checking rule 1 cipher.
[195:root:70d]sslvpn_validate_user_group_list:1488 checking rule 1 realm.
[195:root:70d]sslvpn_validate_user_group_list:1499 checking rule 1 source intf.
[195:root:70d]sslvpn_validate_user_group_list:1538 checking rule 1 vd source intf.
[195:root:70d]sslvpn_validate_user_group_list:1610 rule 1 done, got user (0) group (0:0).
[195:root:70d]sslvpn_validate_user_group_list:1480 checking rule 2 cipher.
[195:root:70d]sslvpn_validate_user_group_list:1488 checking rule 2 realm.
[195:root:70d]sslvpn_validate_user_group_list:1499 checking rule 2 source intf.
[195:root:70d]sslvpn_validate_user_group_list:1610 rule 2 done, got user (0) group (1:0).
[195:root:70d]sslvpn_validate_user_group_list:1698 got user (0), group (1:0).
[195:root:70d]two factor check for ________: off
[195:root:70d]sslvpn_authenticate_user:167 authenticate user: [________]
[195:root:70d]sslvpn_authenticate_user:174 create fam state
[195:root:70d]fam_auth_send_req:559 with server blacklist:
[195:root:70d]fam_auth_send_req_internal:442 fnbam_auth return: 0
[195:root:70d]fam_auth_send_req_internal:448 authentication OK
[195:root:70d]fam_do_cb:478 fnbamd return auth success.
[195:root:70d]SSL VPN login matched rule (2).
[195:root:70d]rmt_bind_oif:562 bind device,sock=32,if=[wan1]
[195:root:70d]login_succeeded:382 redirect to hostcheck
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]req: /remote/fortisslvpn
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]rmt_bind_oif:562 bind device,sock=32,if=[wan1]
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]form_ipv4_split_tunnel_addr:1555 Matched policy (id = 30) to add split tunnel routing address
[195:root:70d]form_ipv4_split_tunnel_addr:1555 Matched policy (id = 29) to add split tunnel routing address
[195:root:70d]req: /remote/fortisslvpn_xml
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]rmt_bind_oif:562 bind device,sock=32,if=[wan1]
[195:root:70d]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[195:root:70d]sslvpn_reserve_dynip:1118 tunnel vd[root] ip[172.16.199.6]
[195:root:70d]form_ipv4_split_tunnel_addr:1555 Matched policy (id = 30) to add split tunnel routing address
[195:root:70d]form_ipv4_split_tunnel_addr:1555 Matched policy (id = 29) to add split tunnel routing address
[193:root:70f]allocSSLConn:280 sconn 0x36186600 (0:root)
[193:root:70f]SSL state:before SSL initialization (000.000.000.000)
[193:root:70f]SSL state:before SSL initialization (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS read client hello (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write server hello (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write certificate (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write key exchange (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write server done (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write server done:system lib(000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write server done (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS read client key exchange (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS read change cipher spec (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS read finished (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write session ticket (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write change cipher spec (000.000.000.000)
[193:root:70f]SSL state:SSLv3/TLS write finished (000.000.000.000)
[193:root:70f]SSL state:SSL negotiation finished successfully (000.000.000.000)
[193:root:70f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[193:root:70f]req: /remote/fortisslvpn_xml
[193:root:70f]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[193:root:70f]rmt_bind_oif:562 bind device,sock=29,if=[wan1]
[193:root:70f]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[193:root:70f]form_ipv4_split_tunnel_addr:1555 Matched policy (id = 30) to add split tunnel routing address
[193:root:70f]form_ipv4_split_tunnel_addr:1555 Matched policy (id = 29) to add split tunnel routing address
[193:root:70f]req: /remote/sslvpn-tunnel2?dns0=10.35.1.1&dn
[193:root:70f]sslvpn_tunnel2_handler,50, Calling rmt_conn_access_ex.
[193:root:70f]deconstruct_session_id:375 decode session id ok, user=[________],group=[GENEL],portal=[TUNNEL],host=[000.000.000.000],realm=[],idx=5,auth=1,sid=184cb8d8, login=1633414118, access=1633414118
[193:root:70f]rmt_bind_oif:562 bind device,sock=29,if=[wan1]
[193:root:70f]client sent request without hostname (see RFC2616 section 14.23): /.
[193:root:70f]sslConnGotoNextState:296 error (last state: 1, closeOp: 0)
[193:root:70f]Destroy sconn 0x36186600, connSize=1. (root)
[195:root:70d]Timeout for connection 0x361a6f00.
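
Added example (not part of the original post and not Fortinet tooling): a short Python script that groups sslvpn debug lines like those above by their bracketed prefix and reports, per connection, the last TLS state logged, the negotiated cipher, the requests seen and how the connection ended. The prefix is treated as an opaque tag, the outcome labels are this example's own, and the sample is a subset of lines copied from the log above.

```python
import re

# Subset of lines copied from the device log above, embedded so the script runs offline.
SAMPLE = """\
[193:root:70e]SSL state:before SSL initialization (000.000.000.000)
[193:root:70e]SSL state:before SSL initialization:DH lib(000.000.000.000)
[193:root:70e]SSL_accept failed, 5:(null)
[193:root:70e]Destroy sconn 0x36186600, connSize=1. (root)
[195:root:70d]SSL state:SSL negotiation finished successfully (000.000.000.000)
[195:root:70d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[195:root:70d]req: /remote/logincheck
[193:root:70f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[193:root:70f]req: /remote/sslvpn-tunnel2?dns0=10.35.1.1&dn
[193:root:70f]sslConnGotoNextState:296 error (last state: 1, closeOp: 0)
[193:root:70f]Destroy sconn 0x36186600, connSize=1. (root)
[195:root:70d]Timeout for connection 0x361a6f00.
"""

LINE = re.compile(r"^\[(\d+:[^:\]]+:[0-9a-f]+)\](.*)$")   # [tag]message
STATE = re.compile(r"^SSL state:(.+?)\s*\(")              # state text before "(ip)"

def summarize(log_text):
    """Return {tag: summary} in order of first appearance; interleaved lines are regrouped."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tag, msg = m.groups()
        c = conns.setdefault(tag, {"last_state": None, "tls": None,
                                   "requests": [], "outcome": "no error logged"})
        s = STATE.match(msg)
        if s:
            c["last_state"] = s.group(1)
        elif msg.startswith("SSL established:"):
            c["tls"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("req:"):
            c["requests"].append(msg[4:].strip().split("?")[0])  # drop query string
        elif msg.startswith("SSL_accept failed"):
            c["outcome"] = "TLS handshake failed"       # label chosen for this example
        elif "sslConnGotoNextState" in msg and "error" in msg:
            c["outcome"] = "error after handshake"      # label chosen for this example
        elif msg.startswith("Timeout for connection"):
            c["outcome"] = "timeout"
    return conns

if __name__ == "__main__":
    for tag, c in summarize(SAMPLE).items():
        print(tag, c["outcome"], "| last TLS state:", c["last_state"], "| TLS:", c["tls"], "| reqs:", c["requests"])
```
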

 

rwpatterson
Valued Contributor III

What are the versions of the Fortigate and the SSL VPN client?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Leonid_stanishevskiy

I have FortiClient (VPN only) 7.0.1.0083

I tried to install the full client, I tried reinstalling Windows, and I tried everything from this link:

http://kontech.net/forticlient-vpn-connection-getting-stuck-at-status-98/

None of it helped.

vodbad
New Contributor

Did you find a solution for this? We have the same issue on our side, FCT 6.4.6.

AHMED_E
New Contributor II

On FCT, try setting the log level to debug; see this link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38644

- On the FGT CLI, run the below:

dia vpn ssl debug-filter src-addr4 xxx.xxx.xx.xx   <-- replace xxx with your machine's public IP (search Google for "what is my IP")

dia de consol tim en

dia de app sslvpn -1

dia de enable   <-- To stop: dia de disable

 

- While debug is running on FGT cli, connect to VPN from FCT.

- While FCT is connected run the following on FGT:

get vpn ssl monitor 

dia firewall auth list 

 

- After FCT is dropped, please export and attach log file from FCT and debug output from FGT (in txt file please).

- If possible, share below config from FGT:

show vpn ssl settings

 

Once you submit the above debug I will review it.

 

I am L2 TAC - NSE7

Leonid_stanishevskiy

The log from the device was attached above. I'm duplicating it now

Leonid_stanishevskiy

Dear community, any ideas what might help in my case?

RinoBroer
New Contributor III

For me the problem occurs when I apply SSL deep inspection to the VPN traffic. If I except the VPN gateway address from SSL deep inspection the problem is not present. I am using FortiClient VPN 7.0.7

Rino Broer