Hello,
I have a Fortinet 60F device. An error showed up while trying to connect via SSL VPN: "too many bad login attempts" (-455). When I checked the firewall's failed authentication section, I saw that there are a lot of login attempts. I am adding the screenshot. What can I do as an emergency solution? Thanks in advance.
Hi,
Please share the logs below so we can dig further.
PuTTY SSH1:
------------
get vpn ssl monitor
diagnose vpn ssl list
diagnose firewall auth list
dia vpn ssl statistics
exec vpn sslvpn list
get system status
diag vpn ssl stat
PuTTY SSH2:
------------
diag sys flash list
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fn -1
diag debug enable
Wait till the VPN disconnects, then disable the logs by executing:
diag debug disable
diag debug reset
Created on 12-04-2024 05:23 AM Edited on 12-04-2024 05:24 AM
Hi.
I am adding the results below.
# get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
# diagnose firewall auth list
----- 0 listed, 0 filtered ------
# dia vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit: 1
System total memory: 2011013120
System free memory: 756207616
SSLVPN memory margin: 201101312
SSLVPN state: normal
Max number of users: 2
Max number of tunnels: 2
Max number of connections: 21
The number of invalid_http: 797
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
# exec vpn sslvpn list
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
# get system status
Version: FortiGate-60F v7.2.10,build1706,240918 (GA.M)
Security Level: 2
Firmware Signature: certified
Virus-DB: 92.09284(2024-12-04 04:26)
Extended DB: 92.09284(2024-12-04 04:25)
AV AI/ML Model: 3.02027(2024-12-04 03:45)
IPS-DB: 29.00914(2024-12-03 06:23)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 29.00914(2024-12-03 06:23)
FMWP-DB: 24.00111(2024-11-06 13:21)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 5.00251(2024-12-03 06:59)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: -
BIOS version: 05000009
System Part-Number: P24286-07
Log hard disk: Not available
Hostname: AIRPLUS
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1706
Release Version Information: GA
System time: Wed Dec 4 16:15:36 2024
Last reboot reason: warm reboot
# diag vpn ssl stat
SSLVPN statistics (root):
------------------
Memory unit: 1
System total memory: 2011013120
System free memory: 765112320
SSLVPN memory margin: 201101312
SSLVPN state: normal
Max number of users: 2
Max number of tunnels: 2
Max number of connections: 21
The number of invalid_http: 797
Current number of users: 0
Current number of tunnels: 0
Current number of connections: 0
# diag sys flash list
Partition Image TotalSize(KB) Used(KB) Use% Active
1 FGT60F-7.02-FW-build1706-240918 253920 140428 55% Yes
2 FGT60F-7.02-FW-build1396-230131 253920 150012 59% No
3 ETDB-92.09284 3102320 416784 13% No
Image build at Sep 18 2024 18:23:21 for b1706
# diag debug enable
AIRPLUS # 2024-12-04 16:19:37 local auth is done with user 'ylim', ret=1
2024-12-04 16:19:38 local auth is done with user 'paulcv', ret=1
2024-12-04 16:20:20 [2507] handle_req-Rcvd auth_cert req id=2006890860, len=1599, opt=8
2024-12-04 16:20:20 [983] __cert_auth_ctx_init-req_id=2006890860, opt=8
2024-12-04 16:20:20 [992] __cert_auth_ctx_init-OCSP resp is found.
2024-12-04 16:20:20 [103] __cert_chg_st- 'Init'
2024-12-04 16:20:20 [156] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
2024-12-04 16:20:20 [669] __cert_init-req_id=2006890860
2024-12-04 16:20:20 [718] __cert_build_chain-req_id=2006890860
2024-12-04 16:20:20 [273] fnbamd_chain_build-Chain discovery, opt 0x19, cur total 1
2024-12-04 16:20:20 [291] fnbamd_chain_build-Following depth 0
2024-12-04 16:20:20 [336] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
2024-12-04 16:20:20 [291] fnbamd_chain_build-Following depth 1
2024-12-04 16:20:20 [336] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
2024-12-04 16:20:20 [291] fnbamd_chain_build-Following depth 2
2024-12-04 16:20:20 [305] fnbamd_chain_build-Self-sign detected.
2024-12-04 16:20:20 [99] __cert_chg_st- 'Init' -> 'Validation'
2024-12-04 16:20:20 [840] __cert_verify-req_id=2006890860
2024-12-04 16:20:20 [841] __cert_verify-Chain is complete.
2024-12-04 16:20:20 [435] fnbamd_builtin_cert_check-Following cert chain depth 0
2024-12-04 16:20:20 [435] fnbamd_builtin_cert_check-Following cert chain depth 1
2024-12-04 16:20:20 [456] fnbamd_builtin_cert_check-Builtin CRL found: 244b5494
2024-12-04 16:20:20 [435] fnbamd_builtin_cert_check-Following cert chain depth 2
2024-12-04 16:20:20 [471] fnbamd_builtin_cert_check-Certificate status is unchecked.
2024-12-04 16:20:20 [876] __cert_verify_do_next-req_id=2006890860
2024-12-04 16:20:20 [99] __cert_chg_st- 'Validation' -> 'OCSP-Checking'
2024-12-04 16:20:20 [898] __cert_ocsp_check-req_id=2006890860
2024-12-04 16:20:20 [334] fnbamd_verify_ocsp_response-Cert status: GOOD.
2024-12-04 16:20:20 [256] __cert_ocsp_resp_verify-verify_ocsp_response returns 0 -1
2024-12-04 16:20:20 [99] __cert_chg_st- 'OCSP-Checking' -> 'Done'
2024-12-04 16:20:20 [921] __cert_done-req_id=2006890860
2024-12-04 16:20:20 [1683] fnbamd_auth_session_done-Session done, id=2006890860
2024-12-04 16:20:20 [966] __fnbamd_cert_auth_run-Exit, req_id=2006890860
2024-12-04 16:20:20 [1720] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=2006890860
2024-12-04 16:20:20 [1639] auth_cert_success-id=2006890860
2024-12-04 16:20:20 [1068] fnbamd_cert_auth_copy_cert_status-req_id=2006890860
2024-12-04 16:20:20 [1195] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=2006890860
2024-12-04 16:20:20 [209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 2006890860, len=2536
2024-12-04 16:20:20 [1584] destroy_auth_cert_session-id=2006890860
2024-12-04 16:20:20 [1041] fnbamd_cert_auth_uninit-req_id=2006890860
2024-12-04 16:20:43 local auth is done with user 'fgordon', ret=1
2024-12-04 16:20:46 local auth is done with user 'ndempsey', ret=1
# diag debug disable
# diag debug reset
Did you run the sslvpn debug while connecting to the VPN?
Just share the output of the commands below, and run them while trying to connect to the VPN.
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug enable
Wait till the VPN disconnects, then disable the logs by executing:
diag debug disable
diag debug reset
Those are the results after the debug. The VPN error showed up and I disabled the debug. If it's not, I will do it again.
Can you please do it again?
Just share the output of the commands below, and run them while trying to connect to the VPN.
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug enable
Wait till the VPN disconnects, then disable the logs by executing:
diag debug disable
diag debug reset
I did but nothing was seen by debugging.
Run:
diag sniff packet any 'host x.x.x.x' 4 0 l >> Here x.x.x.x is the public IP of the user
And then try to connect to the VPN.
This will clarify whether the traffic is coming to the FGT or not.
Nothing changed. Too many bad attempts error again.
Hi @OkanGemici ,
What type of authentication method are you using? LDAP? Radius? Or something else?
Do you have this issue with SSL VPN login as well?