emnoc
Esteemed Contributor III

v6.0 is here

I hope it's all good ;)

3 Solutions
romanr
Valued Contributor

Andy Bailey wrote:

I'm getting a "Failed to save some changes: Input value is invalid" message (showing in the attachment) when I try and modify a policy (for example add an anti-spam to an existing policy).

Hey,

I don't have that problem - works fine for me since Beta 3.

Can you run the following on a Command Line, while you try to modify a policy:

diag deb reset
diag deb ena
diag deb cli 8

... and post the output

Br,

Roman


Jordan_Thompson_FTNT

romanr wrote:

Andy Bailey wrote:

I'm getting a "Failed to save some changes: Input value is invalid" message (showing in the attachment) when I try and modify a policy (for example add an anti-spam to an existing policy).

Can you run the following on a Command Line, while you try to modify a policy:

diag deb reset
diag deb ena
diag deb cli 8

... and post the output

In addition, please enable "diag debug app httpsd -1" and include that output.


thuynh_FTNT

Andy Bailey wrote:

I've attached the output you requested Roman and Jordan. Thanks for your help.

Nothing really obvious for me. I tried opening the policy and then clicking ok (no changes) and again (no changes) same result both times. I tried Edge instead of Firefox too- no changes there either.

The key lines seem to be:-

[httpsd 9510 - 1522869450    error] cmdb_commit_from_json[1426] -- error saving request object to CLI (-651)
[httpsd 9510 - 1522869450    error] _api_cmdb_v2_config[1137] -- error editing object (nret=-651)
[httpsd 9510 - 1522869450    error] api_return_http_result[516] -- API error -651 raised

Interestingly I can delete policies- I just tried deleting a couple of unused policies and that worked fine (highlighted from the "IPv4 Policy" list and then just delete).

Any other ideas?

Hi Andy, we've tried with several FGTs and were unable to reproduce your issue. Looks like it's specific to your config after upgrade. From your CLI debug output, the CLI is rejecting the change (any policy edit save) from the GUI.

0: config firewall policy
0: edit 15
0: set ssl-ssh-profile "SSL Certs-Block Untrusted\\Invalid"
-651: end

Here are a few other things to try:

1. Can you use the CLI to edit a policy? You can use the above commands to see further error reported by the CLI

2. Can you use the GUI to create new Policy? If not, please also include CLI and httpsd debug message

3. Does this happen to any policy edit via the GUI?

4. Can you check if your interfaces are correctly upgraded?

5. Which FGT model are you using? If possible, can you share your full config with us? You can email me the config at thuynh@fortinet.com

 

Tri
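
Added example (not part of the post above and not Fortinet tooling): a small Python parser for `diag deb cli 8` output pasted as flattened text like the excerpt quoted in this post. It assumes the number before each command is that command's return code, and it reports the first non-zero code together with the config path and the uncommitted `set` lines that preceded it. The function names and `SAMPLE` are constructed for illustration.

```python
import re

# Constructed sample: the flattened "diag deb cli 8" excerpt quoted in the post above.
SAMPLE = r'0: config firewall policy 0: edit 15 0: set ssl-ssh-profile "SSL Certs-Block Untrusted\\Invalid" -651: end'

# Assumption: every entry is "<return code>: <command>", the code being an
# integer at the start of the text or right after whitespace. A quoted value
# that itself contains " <digits>: " would be split incorrectly.
ENTRY = re.compile(r"(?:^|(?<=\s))(-?\d+):\s+")

def parse_cli_debug(text):
    """Split pasted (possibly flattened) CLI debug text into (code, command) pairs."""
    marks = list(ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        stop = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append((int(m.group(1)), text[m.end():stop].strip()))
    return entries

def first_rejection(entries):
    """Return the first non-zero entry with its config path and the uncommitted
    set/unset lines before it, or None when every command returned 0."""
    path, pending = [], []
    for code, cmd in entries:
        if code != 0:
            return {"code": code, "command": cmd,
                    "path": list(path), "pending": list(pending)}
        verb = cmd.split(" ", 1)[0]
        if verb in ("set", "unset"):
            pending.append(cmd)
            continue
        # Any structural command starts a fresh batch of pending changes.
        pending = []
        if verb in ("edit", "next", "end") and path and path[-1].startswith("edit "):
            path.pop()                      # leave the currently open entry
        if verb in ("config", "edit"):
            path.append(cmd)                # descend into a table or entry
        elif verb == "end" and path:
            path.pop()                      # leave the enclosing config block
    return None

if __name__ == "__main__":
    print(first_rejection(parse_cli_debug(SAMPLE)))
```

On the sample, the rejection surfaces at `end`, so the value to inspect is the pending `set ssl-ssh-profile` line under `config firewall policy` / `edit 15`.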


60 Replies
ghorchem
New Contributor III

When I did the upgrade from 5.6.2, SSL VPN host check failed using the latest web browsers on Windows 7 SP1, Windows 10 ver. 1709 and macOS. The log file is below:

 


btp
Contributor

Just upgraded - and notice that a subinterface (VLAN) that I created under wan1 in GUI, and then popped over to another VDOM, lost the reference to the main interface (wan1). I had to enter it manually afterwards.

 

config system interface
edit "TUBA"
set vdom "GET"
set vlanid 10
next
end

-- Bjørn Tore

emnoc
Esteemed Contributor III

[191:root:2c]Destroy sconn 0x561cbd00, connSize=0. (root)
[190:root:2c]req: /remote/hostcheck_install?auth_type=16&u
[190:root:2c]rmt_hcinstall_cb_handler:450 remote check failed

So did you find a reason why? I just found out my sslvpn authentication rule didn't carry over when I pushed my FWF50E from v5.6.3 to v6.0.0.

 

Ken

 

rkhair
New Contributor

Anyone notice that their 'web rating overrides' don't work? None of mine have worked since the upgrade to v6. Tried to recreate them etc., but they seem to be just ignored.

andrewbailey

Hello everyone,

 

The 6.0 update looks good- seems a bit faster on my Fortigate 60E (direct upgrade from 5.6.3).

 

But has anyone had any issues with modifying policies?

 

I'm getting a "Failed to save some changes: Input value is invalid" message (showing in the attachment) when I try and modify a policy (for example add an anti-spam to an existing policy).

 

Has anyone else seen this? There are no "red" indications around any fields in the policy or hints that I can see and it seems to happen on every policy I have tried to modify. I know there is a new UUID for policies- perhaps somehow related to that?

 

Any ideas anyone?

 

Kind Regards,

 

 

Andy.

ghorchem

You still can't use ECC SSL certificates to secure the admin web login page.

andrewbailey

I've attached the output you requested Roman and Jordan. Thanks for your help.

Nothing really obvious for me. I tried opening the policy and then clicking ok (no changes) and again (no changes) same result both times. I tried Edge instead of Firefox too- no changes there either.

The key lines seem to be:-

[httpsd 9510 - 1522869450    error] cmdb_commit_from_json[1426] -- error saving request object to CLI (-651)
[httpsd 9510 - 1522869450    error] _api_cmdb_v2_config[1137] -- error editing object (nret=-651)
[httpsd 9510 - 1522869450    error] api_return_http_result[516] -- API error -651 raised

Interestingly I can delete policies- I just tried deleting a couple of unused policies and that worked fine (highlighted from the "IPv4 Policy" list and then just delete).

Any other ideas?

 

 

 

Jordan_Thompson_FTNT

Andy Bailey wrote:

I've attached the output you requested Roman and Jordan. Thanks for your help.

Any other ideas?

Thanks. This is helpful. We'll troubleshoot on our end.
