riaronson
New Contributor II

vpn authentication issues after upgrade to fortios 5.6

After upgrading from 5.4.2 to 5.6 my users started reporting issues with authentication. It's happening with FortiClient on Windows PCs and iOS. I had problems with my own connection over IPsec on an iPad. I took some traces on the LDAP server, and I see successful authentication. It must have something to do with groups, but I can't tell what.

Fg1_200D-A #
[2078] handle_req-Rcvd auth req 865933646 for daver in IPSEC_Bldg_VPN opt=00000500 prot=10
[352] __compose_group_list_from_req-Group 'IPSEC_Bldg_VPN'
[691] fnbamd_pop3_start-daver
[307] radius_start-Didn't find radius servers (0)
[688] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1081] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server 'Novell_eDirectory' for usergroup 'IPSEC_Bldg_VPN' (7)
[811] resolve_ldap_FQDN-Resolved address 192.168.xxx.yyy, result 192.168.xxx.yyy
[1192] fnbamd_ldap_init-search filter is: cn=daver
[1196] fnbamd_ldap_init-search base is: o=xzxzx
[488] create_auth_session-Total 1 server(s) to try
[258] start_search_dn-base:'o=xzxzx' filter:cn=daver
[1587] fnbamd_ldap_get_result-Going to SEARCH state
[2735] auth_ldap_result-Continue pending for req 865933646
[292] get_all_dn-Found DN 1:cn=DaveR,ou=LA,o=xzxzx
[306] get_all_dn-Found 1 DN's
[340] start_next_dn_bind-Trying DN 1:cn=DaveR,ou=LA,o=xzxzx
[1635] fnbamd_ldap_get_result-Going to USERBIND state
[2735] auth_ldap_result-Continue pending for req 865933646
[556] start_user_attrs_lookup-Adding attr 'groupMembership'
[577] start_user_attrs_lookup-base:'cn=DaveR,ou=LA,o=xzxzx' filter:cn=*
[1691] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
[2735] auth_ldap_result-Continue pending for req 865933646
[737] get_member_of_groups-Get the memberOf groups.
[769] get_member_of_groups- attr='groupMembership', found 6 values
[91] ldap_grp_list_add-added cn=Everyone,ou=LA,o=xzxzx
[778] get_member_of_groups-val[0]='cn=Everyone,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=LA_Engnr,ou=LA,o=xzxzx
[778] get_member_of_groups-val[1]='cn=LA_Engnr,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=LA_Office,ou=LA,o=xzxzx
[778] get_member_of_groups-val[2]='cn=LA_Office,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=xzxzx,ou=LA,o=xzxzx
[778] get_member_of_groups-val[3]='cn=xzxzx,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=zcmusers,ou=LA,o=xzxzx
[778] get_member_of_groups-val[4]='cn=zcmusers,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=MobileUsers,ou=LA,o=xzxzx
[778] get_member_of_groups-val[5]='cn=MobileUsers,ou=LA,o=xzxzx'
[1722] fnbamd_ldap_get_result-Auth accepted
[1858] fnbamd_ldap_get_result-Going to DONE state res=0
[141] __ldap_copy_grp_list-copied cn=Everyone,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=LA_Engnr,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=LA_Office,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=xzxzx,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=zcmusers,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=MobileUsers,ou=LA,o=xzxzx
[2460] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.xxx.yyy is SUCCESS
[2480] fnbamd_auth_poll_ldap-Skipping group matching
[886] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 7 (error 0) for req 865933646
[2165] handle_req-Rcvd auth_token rsp for req 865933646
[2180] handle_req-Check token 350243 with user 'daver'
[2226] handle_req-Token check failed, result -30113
[182] fnbamd_comm_send_result-Sending result 1 (error 0) for req 865933646
[182] fnbamd_comm_send_result-Sending result 1 (error 0) for req 865933646
[625] destroy_auth_session-delete session 865933646
[53] ldap_grp_list_del_all-Del cn=Everyone,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=LA_Engnr,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=LA_Office,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=xzxzx,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=zcmusers,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=MobileUsers,ou=LA,o=xzxzx
[2078] handle_req-Rcvd auth req 865933647 for daver in IPSEC_Bldg_VPN opt=00000500 prot=10
[352] __compose_group_list_from_req-Group 'IPSEC_Bldg_VPN'
[691] fnbamd_pop3_start-daver
[307] radius_start-Didn't find radius servers (0)
[688] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1081] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server 'Novell_eDirectory' for usergroup 'IPSEC_Bldg_VPN' (7)
[811] resolve_ldap_FQDN-Resolved address 192.168.xxx.yyy, result 192.168.xxx.2
[1192] fnbamd_ldap_init-search filter is: cn=daver
[1196] fnbamd_ldap_init-search base is: o=xzxzx
[488] create_auth_session-Total 1 server(s) to try
[258] start_search_dn-base:'o=xzxzx' filter:cn=daver
[1587] fnbamd_ldap_get_result-Going to SEARCH state
[2735] auth_ldap_result-Continue pending for req 865933647
[292] get_all_dn-Found DN 1:cn=DaveR,ou=LA,o=xzxzx
[306] get_all_dn-Found 1 DN's
[340] start_next_dn_bind-Trying DN 1:cn=DaveR,ou=LA,o=xzxzx
[1635] fnbamd_ldap_get_result-Going to USERBIND state
[2735] auth_ldap_result-Continue pending for req 865933647
[556] start_user_attrs_lookup-Adding attr 'groupMembership'
[577] start_user_attrs_lookup-base:'cn=DaveR,ou=LA,o=xzxzx' filter:cn=*
[1691] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
[2735] auth_ldap_result-Continue pending for req 865933647
[737] get_member_of_groups-Get the memberOf groups.
[769] get_member_of_groups- attr='groupMembership', found 6 values
[91] ldap_grp_list_add-added cn=Everyone,ou=LA,o=xzxzx
[778] get_member_of_groups-val[0]='cn=Everyone,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=LA_Engnr,ou=LA,o=xzxzx
[778] get_member_of_groups-val[1]='cn=LA_Engnr,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=LA_Office,ou=LA,o=xzxzx
[778] get_member_of_groups-val[2]='cn=LA_Office,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=xzxzx,ou=LA,o=xzxzx
[778] get_member_of_groups-val[3]='cn=xzxzx,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=zcmusers,ou=LA,o=xzxzx
[778] get_member_of_groups-val[4]='cn=zcmusers,ou=LA,o=xzxzx'
[91] ldap_grp_list_add-added cn=MobileUsers,ou=LA,o=xzxzx
[778] get_member_of_groups-val[5]='cn=MobileUsers,ou=LA,o=xzxzx'
[1722] fnbamd_ldap_get_result-Auth accepted
[1858] fnbamd_ldap_get_result-Going to DONE state res=0
[141] __ldap_copy_grp_list-copied cn=Everyone,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=LA_Engnr,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=LA_Office,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=xzxzx,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=zcmusers,ou=LA,o=xzxzx
[141] __ldap_copy_grp_list-copied cn=MobileUsers,ou=LA,o=xzxzx
[2460] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.245.18 is SUCCESS
[2480] fnbamd_auth_poll_ldap-Skipping group matching
[886] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 7 (error 0) for req 865933647
[2165] handle_req-Rcvd auth_token rsp for req 865933647
[2180] handle_req-Check token 355028 with user 'daver'
[2226] handle_req-Token check failed, result -30113
[182] fnbamd_comm_send_result-Sending result 1 (error 0) for req 865933647
[182] fnbamd_comm_send_result-Sending result 1 (error 0) for req 865933647
[625] destroy_auth_session-delete session 865933647
[53] ldap_grp_list_del_all-Del cn=Everyone,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=LA_Engnr,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=LA_Office,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=xzxzx,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=zcmusers,ou=LA,o=xzxzx
[53] ldap_grp_list_del_all-Del cn=MobileUsers,ou=LA,o=xzxzx

I found a reference to auth-multi-group for 5.4 but it's gone in 5.6. Anyone have any ideas?

Thanks

riaronson
New Contributor II

I opened a ticket. Fortinet support told me how users are located and how groups are mapped to portals in the SSLVPN. My problem was that my users appeared in multiple mapped groups; when a user tried to connect, they were mapped to the wrong SSLVPN portal.

Palerm0
New Contributor

Reconfigure the pre-shared key on your FortiGate.

I believe there is a bug with the pre-shared key after upgrading to 5.6.0.

Bug 435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0. Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.