Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fortiFWuser
Contributor

iPhones do not connect to SSL VPN

Hello,

I have an ongoing issue with iPhone users and the SSL VPN.

The users connect with a certificate and username/password.
Through Windows and Android devices they connect normally.
If they use an iPhone they get a timeout. In the FortiGate logs I see this error: "sslvpn_login_cert_checked_error".
Forti support said to change the subject because there was no RDN matched.
We did not see any different error after changing the subject.

We have the free app on the mobiles.

Any ideas or suggestions?


Thanks and regards,
Konstantinos

fortiFWuser

The username is fortitest

At first we had this subject in the certificate

(E = fortitest@darlie.com
CN = fortitest)


Then we removed the email 

CN = fortitest

rosatechnocrat

@fortiFWuser :

1> Can you confirm if you are using the certificate for machine or user.

2> Can you please share the configuration or output for the user group configuration.

Issue seems to be the certificate not matching the group.

Rosa Technocrat --

Also on YouTube---

Please do Subscribe
fortiFWuser

The certificate is produced by internal CA of the customer and is distributed through AD policies. 

It is a user certificate because it is used through different devices.

The group also is from LDAP on the firewall

pminarik

If you have valid TAC support, this would be better handled via a support ticket, since someone needs to take a look at the configuration to properly judge the debug outputs.


To give you something to work with, here are the peer-user objects that got checked against the received client certificate, and the reasons why they failed to be matched:

"testfortipki" - subject/cn filter didn't match

"username2pki" - CA does not match

"user1" - failed due to an "empty search" in LDAP returning no matching user (guess: certificate likely doesn't contain relevant attributes to be used for lookup)

"user2" - CA does not match

"user3" - same as "user1"

The next question you should ask yourself is which of the above peer-user objects the iPhone client was supposed to match, and then dig further into its failure reason. (This is of course assuming that the iPhone client is using the correct client certificate.)

[ corrections always welcome ]
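An added, constructed model of the three failure reasons listed in the reply above (not FortiOS code and not from any poster): each peer-user is checked for issuing CA, then subject filter, then LDAP lookup, and the first failing check is reported. The peer names follow the debug output; the CA names, the subject filter, the LDAP server and the attribute-wise matching rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class PeerUser:
    name: str
    ca: str                            # name of the CA expected to have issued the cert
    subject: str = ""                  # RDN filter such as "CN=fortitest"; empty = any subject
    ldap_server: Optional[str] = None  # if set, the user must also resolve in this LDAP server
    ldap_attr: str = "CN"              # certificate attribute used as the LDAP lookup key

# Constructed directory: LDAP server name -> users it can resolve.
LDAP_USERS = {"AD-LDAP": {"fortitest", "jsmith"}}

def parse_dn(dn: str) -> Dict[str, str]:
    """Turn 'E = a@b.com, CN = x' into {'E': 'a@b.com', 'CN': 'x'}."""
    out = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            key, val = rdn.split("=", 1)
            out[key.strip().upper()] = val.strip()
    return out

def check_peer(peer: PeerUser, cert_subject: str, cert_ca: str) -> str:
    """Return 'ok' or the first reason the certificate fails this peer-user."""
    if peer.ca != cert_ca:
        return "CA does not match"
    cert = parse_dn(cert_subject)
    if peer.subject:
        wanted = parse_dn(peer.subject)
        if any(cert.get(k) != v for k, v in wanted.items()):
            return "subject/cn filter didn't match"
    if peer.ldap_server:
        key = cert.get(peer.ldap_attr.upper())
        if key is None or key not in LDAP_USERS.get(peer.ldap_server, set()):
            return "empty search"  # lookup attribute absent from the cert, or no LDAP hit
    return "ok"

def evaluate(peers, cert_subject: str, cert_ca: str) -> Dict[str, str]:
    """Check every peer-user and report each one's reason, like the debug output."""
    return {p.name: check_peer(p, cert_subject, cert_ca) for p in peers}

# Peer names follow the thread; CA names, filters and LDAP settings are constructed.
PEERS = [
    PeerUser("testfortipki", ca="CA_Cert_1", subject="CN=testforti"),
    PeerUser("username2pki", ca="CA_Cert_2"),
    PeerUser("user1", ca="CA_Cert_1", ldap_server="AD-LDAP", ldap_attr="UPN"),
    PeerUser("user_cn", ca="CA_Cert_1", ldap_server="AD-LDAP", ldap_attr="CN"),
]
```

Running `evaluate(PEERS, "E = fortitest@darlie.com, CN = fortitest", "CA_Cert_1")` reproduces the three reasons against the first three peers, and shows that only a peer whose lookup key is actually present in the certificate can match.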
srajeswaran
Staff

Hi Konstantinos,

Thanks for the debug, will check that. In the meantime could you please confirm the FortiClient version. I see a similar issue reported on 7.0.7, and the same has been fixed in 7.0.8.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
fortiFWuser

We are using the latest 7.0.8.0078

srajeswaran

If you haven't done this already, can you try to edit VPN on Forticlient -

Unselect “Use Certificate” and save.

Then select “Use Certificate” and save. 

Try to connect again.

Regards,
Suraj
fortiFWuser

We have performed that and there was no change

srajeswaran

Can you collect the same debug for a working connection (from a non-iOS device using client authentication)?

diag debug disable
diag debug reset
diag debug console timestamp enable
diag vpn ssl debug-filter src-addr4 <ipv4-address> <----- here replace with the public ip of the VPN client
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug en

Regards,
Suraj
annamejas
New Contributor

Has this problem finally been solved? Because I actually ran into the problem that when I connect my MacBook to the VPN it started to get really hot, which actually scared me, but after quoting this blog https://setapp.com/how-to/how-to-fix-an-overheating-mac I understood how this can be solved, and now my laptop works great. If anyone is still running into this, here you find the solution.
