Hello,
I have an ongoing issue with iPhone users and the SSL VPN.
The users connect with certificate and username/password.
Through windows and android devices they connect normally.
If they use iPhone they get timeout. In the fortigate logs I see this error "sslvpn_login_cert_checked_error"
Forti support said to change the subject because there was no RDN matched.
We did not see any different error after changing the subject.
We have the free app on the mobiles.
Any ideas suggestions?
Thanks and regards,
Konstantinos
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The username is fortitest
At first we had this subject in the certificate
(E = fortitest@darlie.com
CN = fortitest)
Then we removed the email
CN = fortitest
1> Can you confirm if you are using certificate for machine or user.
2> Can you please configuration or output for user group configuration.
Issue seems be to be certificate not matching group.
The certificate is produced by internal CA of the customer and is distributed through AD policies.
It is a user certificate because it is used through different devices
The group also is from LDAP on the firewall
If you have valid TAC support, this would be better handled via a support ticket, since someone needs to take a look at the configuration to properly judge the debug outputs.
To give you something to work with, here's the peer-user objects that got checked against the received client-certificate, and the reasons why they failed to be matched:
"testfortipki" - subject/cn filter didn't match
"username2pki" - CA does not match
"user1" - failed due to an "empty search" in LDAP returning no matching user (guess: certificate likely doesn't contain relevant attributes to be used for lookup)
"user2" - CA does not match
"user3" - same as "user1"
The next question you should ask yourself is whichof the above peer-user objects the iPhone client was supposed to match, and then dig further into its failure reason. (this is of course assuming that the iPhone client is using the correct client-certificate)
Hi Konstantinos,
Thanks for the debug, will check that . In the meantime could you please confirm the FortiCLient version, I see similar issue reported on 7.0.7 and the same has been fixed in 7.0.8
We are using the latest 7.0.8.0078
If you haven't done this already, can you try to edit VPN on Forticlient -
Unselect “Use Certificate” and save.
Then select “Use Certificate” and save.
Try to connect again.
We have performed that and there was no change
Can you collect the same debug for a working connection (from non IOS device using client authentication)?
diag debug disable
diag debug reset
diag debug console timestamp enable
diagnostics vpn ssl debug-filter src-addr4 <ipv4-address> <----- here replace with the public ip of the VPN client
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug en
Has this problem finally been solved? Because I actually ran into the problem that when I connect my macbook to the vpn it started to get really hot, this actually scared me, but after quoting this blog https://setapp.com/how-to/how-to-fix-an-overheating-mac I understood how this can be solved and now my laptop works great, if anyone is still running into this, here you find the solution.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1527 | |
1020 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.