ITDavid
New Contributor

Issue with FortiClientVPN and DUO MFA - Connection is established without MFA request being accepted

Hello,


We have a Fortinet Fortigate 60F that we use to connect to our office with a VPN. For a layer of security, we also have Duo MFA set up to send push notifications. Previously, in the FortiClient app, when it got to around 45% in the connection process, it would send an MFA push notification, and if you did nothing with DUO, it would just sit there and eventually error out. Now I am seeing that the process gets to about 95%, then if you don't touch the notification it just connects you anyway. In fact, no matter what you do (Accept, Ignore, Deny), it connects to the VPN if the AD credentials are still valid.

In the RADIUS Servers tab, I used the “Test User Credentials” option and it works as expected. When you accept the DUO Push, it goes through. If you ignore it, it errors on both tests, and if you deny it, I get a successful connection status, but the user credentials show as “Invalid credentials”.

What could be the issue?

smaruvala
Staff

Hi,

 

- Is it possible to provide the debug for the sslvpn and fnbamd processes when you are facing the issue?

- Does the issue come up if you log in successfully first with pushing the MFA and then disconnect the VPN and connect back? Or does the issue happen in the first connection itself?

- What are the FortiClient and Fortigate versions?

 

Regards,

Shiva

ITDavid

- Is it possible to provide the debug for the sslvpn and fnbamd processes when you are facing the issue?

It won't let me add a txt file from the test, but I have copied and pasted it below.

- Does the issue come up if you log in successfully first with pushing the MFA and then disconnect the VPN and connect back? Or does the issue happen in the first connection itself?

It will happen at any time.

- What are the FortiClient and Fortigate versions?
FortiClient: I have used a few versions, 7.2.3.0929 and 6.2.0.0780.
Fortigate 60F is on v7.2.7 build1577 (Mature)

[RouterName]-FW01 # diagnose debug application sslvpn -1

Debug messages will be on for 30 minutes.

 

[RouterName]-FW01 # diagnose debug enable

 

[RouterName]-FW01 # [255:root:6d9d]allocSSLConn:310 sconn 0x7f83e46000 (0:root)

[255:root:6d9d]SSL state:before SSL initialization (184.91.83.97)

[255:root:6d9d]SSL state:fatal decode error (184.91.83.97)

[255:root:6d9d]SSL state:error:(null)(184.91.83.97)

[255:root:6d9d]SSL_accept failed, 1:unexpected eof while reading

[255:root:6d9d]Destroy sconn 0x7f83e46000, connSize=0. (root)

[256:root:6d9d]allocSSLConn:310 sconn 0x7f84a54800 (0:root)

[256:root:6d9d]SSL state:before SSL initialization (184.91.83.97)

[256:root:6d9d]SSL state:before SSL initialization (184.91.83.97)

[256:root:6d9d]no SNI received

[256:root:6d9d]client cert requirement: no

[256:root:6d9d]SSL state:SSLv3/TLS read client hello (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write server hello (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write certificate (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write key exchange (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write server done (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write server done:(null)(184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write server done (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS read client key exchange (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS read change cipher spec (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS read finished (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write session ticket (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write change cipher spec (184.91.83.97)

[256:root:6d9d]SSL state:SSLv3/TLS write finished (184.91.83.97)

[256:root:6d9d]SSL state:SSL negotiation finished successfully (184.91.83.97)

[256:root:6d9d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

[256:root:6d9d]req: /remote/info

[256:root:6d9d]capability flags: 0x1cdf

[256:root:6d9d]req: /remote/login

[256:root:6d9d]rmt_web_auth_info_parser_common:505 no session id in auth info

[256:root:6d9d]rmt_web_get_access_cache:854 invalid cache, ret=4103

[256:root:6d9d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[256:root:6d9d]get_cust_page:123 saml_info 0

[256:root:6d9d]req: /remote/logincheck

[256:root:6d9d]Transfer-Encoding n/a

[256:root:6d9d]Content-Length 205

[256:root:6d9d]readPostEnter:17 Post Data length 205.

[256:root:6d9d]rmt_web_auth_info_parser_common:505 no session id in auth info

[256:root:6d9d]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[256:root:6d9d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[256:root:6d9d]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[256:root:6d9d]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[256:root:6d9d]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[256:root:6d9d]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[256:root:6d9d]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[256:root:6d9d]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[256:root:6d9d]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[256:root:6d9d]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[256:root:6d9d]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[256:root:6d9d]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[256:root:6d9d]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[256:root:6d9d]two factor check for ABC: off

[256:root:6d9d]sslvpn_authenticate_user:192 authenticate user: [ABC]

[256:root:6d9d]sslvpn_authenticate_user:206 create fam state

[256:root:6d9d][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[256:root:6d9d]group_desc[0].grpname = ABC-VPN-2FA

[256:root:6d9d]group_desc[1].grpname = ABC-VPN_Users

[256:root:6d9d][fam_auth_send_req_internal:437] FNBAM opt = 0X200421

[256:root:6d9d]fam_auth_send_req_internal:513 fnbam_auth return: 4

[256:root:6d9d]fam_auth_send_req:1006 task finished with 4

[256:root:6d9d]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 0 (success)

[256:root:6d9d][fam_auth_proc_resp:1457] Authenticated groups (1) by FNBAM with auth_type (16):

[256:root:6d9d]Received: auth_rsp_data.grp_list[0] = 2

[256:root:6d9d]fam_auth_proc_resp:1482 found node ABC-VPN_Users:0:, valid:1, auth:0

[256:root:6d9d]Validated: auth_rsp_data.grp_list[0] = ABC-VPN_Users

[256:root:6d9d]Auth successful for user ABC in group ABC-VPN_Users

[256:root:6d9d]fam_do_cb:679 fnbamd return auth success.

[256:root:6d9d]SSL VPN login matched rule (1).

[256:root:6d9d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[256:root:0]get tunnel link address4

[256:root:6d9d]rmt_web_session_create:1029 create web session, idx[0]

[256:root:6d9d]login_succeeded:550 redirect to hostcheck

[256:root:6d9d]Transfer-Encoding n/a

[256:root:6d9d]Content-Length 205

[256:root:6d9d]rmt_hcinstall_cb_handler:210 enter

[256:root:6d9d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[256:root:6d9d]rmt_hcinstall_cb_handler:288 hostchk needed : 0.

[256:root:6d9d]deconstruct_session_id:505 decode session id ok, user=[ABC], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[256:root:6d9d]deconstruct_session_id:505 decode session id ok, user=[ABC], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[256:root:6d9d]deconstruct_session_id:505 decode session id ok, user=[ABC], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[256:root:6d9d]Transfer-Encoding n/a

[256:root:6d9d]Content-Length 205

[256:root:6d9d]req: /remote/fortisslvpn

[256:root:6d9d]deconstruct_session_id:505 decode session id ok, user=[ADUsername], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[256:root:6d9d]deconstruct_session_id:505 decode session id ok, user=[ADUsername], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[256:root:6d9d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[256:root:6d9d]req: /remote/fortisslvpn_xml

[256:root:6d9d]deconstruct_session_id:505 decode session id ok, user=[ABC], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[256:root:6d9d]deconstruct_session_id:505 decode session id ok, user=[ABC], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[256:root:6d9d]sslvpn_reserve_dynip:1542 tunnel vd[root] ip[10.212.134.200] app session idx[0]

[256:root:6d9d]form_ipv4_pol_split_tunnel_addr:113 Matched policy (id = 2) to add ipv4 split tunnel routing address

[257:root:6d9b]allocSSLConn:310 sconn 0x7f84a54800 (0:root)

[257:root:6d9b]SSL state:before SSL initialization (184.91.83.97)

[257:root:6d9b]SSL state:before SSL initialization (184.91.83.97)

[257:root:6d9b]no SNI received

[257:root:6d9b]client cert requirement: no

[257:root:6d9b]SSL state:SSLv3/TLS read client hello (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS write server hello (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS write change cipher spec (184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 early data (184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 early data:(null)(184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 early data (184.91.83.97)

[257:root:6d9b]no SNI received

[257:root:6d9b]client cert requirement: no

[257:root:6d9b]SSL state:SSLv3/TLS read client hello (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS write server hello (184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 write encrypted extensions (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS write certificate (184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 write server certificate verify (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS write finished (184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 early data (184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 early data:(null)(184.91.83.97)

[257:root:6d9b]SSL state:TLSv1.3 early data (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS read finished (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS write session ticket (184.91.83.97)

[257:root:6d9b]SSL state:SSLv3/TLS write session ticket (184.91.83.97)

[257:root:6d9b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[257:root:6d9b]req: /remote/sslvpn-tunnel2?dns0=4.2.2.2&dns1

[257:root:6d9b]sslvpn_tunnel2_handler,60, Calling rmt_conn_access_ex.

[257:root:6d9b]deconstruct_session_id:505 decode session id ok, user=[ABC], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[257:root:6d9b]normal tunnel2 request received.

[257:root:6d9b]sslvpn_tunnel2_handler,169, fct_uuid = AAB88E1696BF4792AD9A763E5CCCD6C4

[257:root:6d9b]sslvpn_tunnel2_handler,177, Calling tunnel2 with hostname the-river.

[257:root:6d9b]tunnel2_enter:1557 0x7f84a54800:0x7f83e3f000 sslvpn user[ABC],type 16,logintime 0 vd 0 vrf 0

[257:root:6d9b]tun dev (ssl.root) opened (22)

[257:root:6d9b]fsv_associate_fd_to_ipaddr:2324 associate 10.212.134.200 to tun (ssl.root:22)

[257:root:6d9b]proxy arp: scanning 10 interfaces for IP 10.212.134.200

[257:root:6d9b]no ethernet address for proxy ARP

[257:root:6d9b]sslvpn_user_match:1170 add user ABC in group ABC-VPN_Users

[257:root:6d9b]Will add auth policy for policy 2

[257:root:6d9b]Add auth logon for user ABC:ABC-VPN_Users, matched group number 1

[256:root:6d9d]SSL state:fatal decode error (184.91.83.97)

[256:root:0]ap_read,105, error=1, errno=0 ssl 0x7f83e41000 Success. error:0A000126:SSL routines::unexpected eof while reading

[256:root:6d9d]sslvpn_read_request_common,684, ret=-1 error=-1, sconn=0x7f84a54800.

[256:root:6d9d]Destroy sconn 0x7f84a54800, connSize=0. (root)

[257:root:6d9b]SSL state:fatal decode error (184.91.83.97)

[257:root:0]ap_read,105, error=1, errno=0 ssl 0x7f83e3f000 Success. error:0A000126:SSL routines::unexpected eof while reading

[257:root:6d9b]normal_cliRead,1710, read=0, tunnel finish.

[257:root:6d9b]fsv_tunnel2_state_cleanup:2003 0x7f84a54800::0x7f83e3f000

[257:root:6d9b]fsv_disassociate_fd_to_ipaddr:2358 deassociate 10.212.134.200 from tun (ssl.root:22)

[257:root:6d9b]session removed s: 0x7f84a54800 (root)

[257:root:6d9b]deconstruct_session_id:505 decode session id ok, user=[ABC], group=[ABC-VPN_Users],authserver=[ABC_Users],portal=

[tunnel-access],host[184.91.83.97],realm=[],csrf_token=[F813E560FDD2E850642836022254236],idx=0,auth=16,sid=7ad583f7,login=1709218439

,access=1709218439,saml_logout_url=no,pip=no,grp_info=[Ndw4pz],rmt_grp_info=[LPsrXA]

[257:root:0]sslvpn_internal_remove_one_web_session:3381 web session (root:ABC:ABC-VPN_Users:184.91.83.97:0 1) removed for User requested termination of service

[257:root:0]sslvpn_internal_remove_apsession_by_idx:2829 free app session, idx[0]

[257:root:6d9b]release dyip

[257:root:6d9b]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[257:root:6d9b]Destroy sconn 0x7f84a54800, connSize=0. (root)

 

Pittstate
New Contributor II

I replied to someone else's post, and I didn't really elaborate.

It looks like the account being used is matching the non-2FA criteria:

 

[256:root:6d9d]Auth successful for user ABC in group ABC-VPN_Users

...

[257:root:6d9b]sslvpn_user_match:1170 add user ABC in group ABC-VPN_Users

[257:root:6d9b]Add auth logon for user ABC:ABC-VPN_Users, matched group number 1

 

The FG is examining both groups you have set up:

[256:root:6d9d]group_desc[0].grpname = ABC-VPN-2FA

[256:root:6d9d]group_desc[1].grpname = ABC-VPN_Users

 

It is going to try to see which policy it needs to assign to the user based on what criteria matches. It seems like the ABC account is matching the criteria for the ABC-VPN_Users group rather than the ABC-VPN-2FA group. An account can match more than one of these groups. So if you have a failure for ABC-VPN-2FA, it doesn't mean authentication stops, it means that it will keep on checking for access with other groups. In this case it seems you're falling through to the second group.
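Added example (not part of the original posts or of any Fortinet tooling): a Python sketch that scans `diagnose debug application sslvpn -1` output for the fall-through described in the reply above, that is, logins where an MFA group was sent to FNBAM but the user was authenticated in a different group. It assumes `ABC-VPN-2FA` is the Duo-backed group; the sample log is abridged from the lines quoted in this thread, and the third login (`jdoe`) is constructed.

```python
import re

# Sample input: first two logins abridged from the debug output in this thread,
# third login (jdoe, connection 258:root:aaaa) is constructed for contrast.
SAMPLE_LOG = """\
[256:root:6d9d]sslvpn_authenticate_user:192 authenticate user: [ABC]
[256:root:6d9d][fam_auth_send_req_internal:425] Groups sent to FNBAM:
[256:root:6d9d]group_desc[0].grpname = ABC-VPN-2FA
[256:root:6d9d]group_desc[1].grpname = ABC-VPN_Users
[256:root:6d9d]Auth successful for user ABC in group ABC-VPN_Users
[255:root:95b4]sslvpn_authenticate_user:192 authenticate user: [swhite]
[255:root:95b4][fam_auth_send_req_internal:425] Groups sent to FNBAM:
[255:root:95b4]group_desc[0].grpname = ABC-VPN-2FA
[255:root:95b4]group_desc[1].grpname = ABC-VPN_Users
[255:root:95b4]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]
[258:root:aaaa]sslvpn_authenticate_user:192 authenticate user: [jdoe]
[258:root:aaaa][fam_auth_send_req_internal:425] Groups sent to FNBAM:
[258:root:aaaa]group_desc[0].grpname = ABC-VPN-2FA
[258:root:aaaa]group_desc[1].grpname = ABC-VPN_Users
[258:root:aaaa]Auth successful for user jdoe in group ABC-VPN-2FA
"""

# Every sslvpn debug line starts with a [worker:vdom:id] prefix; lines that were
# wrapped in the paste (e.g. "[tunnel-access],host[...]") do not match and are skipped.
PREFIX = re.compile(r"^\[(\d+:[^:\]]+:[0-9a-f]+)\](.*)$")
USER = re.compile(r"authenticate user: \[([^\]]+)\]")
GROUP = re.compile(r"group_desc\[\d+\]\.grpname = (\S+)")
AUTH_OK = re.compile(r"Auth successful for user (\S+) in group (\S+)")
AUTH_FAIL = re.compile(r"login_failed:\d+ user\[([^\]]+)\]")


def parse_logins(log_text):
    """Return one record per login attempt: user, groups offered, group matched."""
    pending = {}   # connection prefix -> groups sent to FNBAM so far
    logins = []
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        conn, body = m.groups()
        if USER.search(body):
            pending[conn] = []                      # new attempt on this connection
        elif (g := GROUP.search(body)) and conn in pending:
            pending[conn].append(g.group(1))
        elif (ok := AUTH_OK.search(body)):
            logins.append({"conn": conn, "user": ok.group(1),
                           "offered": pending.pop(conn, []),
                           "matched": ok.group(2)})
        elif (bad := AUTH_FAIL.search(body)):
            logins.append({"conn": conn, "user": bad.group(1),
                           "offered": pending.pop(conn, []),
                           "matched": None})        # None = login rejected
    return logins


def mfa_fallthrough(logins, mfa_groups):
    """Successful logins where an MFA group was offered but another group matched."""
    mfa = set(mfa_groups)
    return [l for l in logins
            if l["matched"] is not None
            and mfa & set(l["offered"])
            and l["matched"] not in mfa]


if __name__ == "__main__":
    for hit in mfa_fallthrough(parse_logins(SAMPLE_LOG), {"ABC-VPN-2FA"}):
        print(f"{hit['conn']}: user {hit['user']} offered {hit['offered']} "
              f"but authenticated via {hit['matched']}")
```

A hit means the session was granted by a group that does not carry the second factor, so the Duo response had no bearing on that login.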

ITDavid

Thanks for the reply. I finally got around to looking into things, and it should be the VPN_2FA group. But after that, the issue where it is not waiting for the Duo MFA remains after I moved my account to that group only.

Pittstate
New Contributor II

Edited: Deleted my question.

I reread your message, so it sounds like you're not even getting the DUO Push at this point. What happens when you do a "Test Connectivity" and "Test User Credentials" in your RADIUS server setup? And what does the debug look like?

ITDavid

I am getting the Duo Push, but pretty much by the time it is on my phone, the FortiClient VPN is connected, and no matter what I do with the Push, the VPN stays connected. I'm sure that before it would wait for your response on the app.

 

I ran some debug tracked tests. One where I used the “Test Connectivity” test and then the “Test User Credentials” test. This time it works as expected, and it waits for the accept approval from the app. That is Test #1 below.

For Test #2 I did the “Test User Credentials” test and ignored the prompt. Interestingly, on this test, as opposed to how it works 2 with the app, if I ignore it, it will say that it couldn't connect to the RADIUS server. It takes 60 seconds for this to occur.

Test #1

ABC-FW01 # diagnose debug application sslvpn -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 #

ABC-FW01 # [259:root:95b8]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b8]req: /remote/login

[259:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/

537.36 Edg/115.0.1901.203

[259:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b8]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b8]SSL state:warning close notify (45.140.17.63)

[260:root:95b7]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b7]req: /remote/login?lang=en

[260:root:95b7]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b7]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b7]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/

537.36 Edg/115.0.1901.203

[260:root:95b7]get_cust_page:123 saml_info 0

[260:root:95b7]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b7]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b7]SSL state:warning close notify (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95b9]req: /remote/login

[261:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[261:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[261:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/

537.36 Edg/115.0.1901.203

[261:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95b9]SSL state:warning close notify (45.140.17.63)

[255:root:95b4]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b4]req: /remote/logincheck

[255:root:95b4]Transfer-Encoding n/a

[255:root:95b4]Content-Length 53

[255:root:95b4]readPostEnter:17 Post Data length 53.

[255:root:95b4]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b4]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[255:root:95b4]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/

537.36 Edg/115.0.1901.203

[255:root:95b4]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[255:root:95b4]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[255:root:95b4]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[255:root:95b4]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[255:root:95b4]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[255:root:95b4]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[255:root:95b4]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[255:root:95b4]two factor check for swhite: off

[255:root:95b4]sslvpn_authenticate_user:192 authenticate user: [swhite]

[255:root:95b4]sslvpn_authenticate_user:206 create fam state

[255:root:95b4][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[255:root:95b4]group_desc[0].grpname = ABC-VPN-2FA

[255:root:95b4]group_desc[1].grpname = ABC-VPN_Users

[255:root:95b4][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[255:root:95b4]fam_auth_send_req_internal:513 fnbam_auth return: 4

[255:root:95b4]fam_auth_send_req:1006 task finished with 4

[255:root:95b4]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[255:root:95b4][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[255:root:95b4]Received: auth_rsp_data.grp_list[0] = 4242536656

[255:root:95b4]Received: auth_rsp_data.grp_list[1] = 127

[255:root:95b4]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[255:root:95b4]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b4]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b4]SSL state:warning close notify (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b0]req: /remote/login?lang=en

[256:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[256:root:95b0]rmt_web_get_access_cache:854 invalid cache, ret=4103

[256:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/

537.36 Edg/115.0.1901.203

[256:root:95b0]get_cust_page:123 saml_info 0

[256:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b0]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b0]SSL state:warning close notify (45.140.17.63)

[257:root:95b0]allocSSLConn:310 sconn 0x7f83e5f000 (0:root)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[257:root:95b0]req: /remote/logincheck

[257:root:95b0]Transfer-Encoding n/a

[257:root:95b0]Content-Length 55

[257:root:95b0]readPostEnter:17 Post Data length 55.

[257:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[257:root:95b0]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[257:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[257:root:95b0]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[257:root:95b0]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[257:root:95b0]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[257:root:95b0]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[257:root:95b0]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[257:root:95b0]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[257:root:95b0]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[257:root:95b0]two factor check for swhite: off

[257:root:95b0]sslvpn_authenticate_user:192 authenticate user: [swhite]

[257:root:95b0]sslvpn_authenticate_user:206 create fam state

[257:root:95b0][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[257:root:95b0]group_desc[0].grpname = ABC-VPN-2FA

[257:root:95b0]group_desc[1].grpname = ABC-VPN_Users

[257:root:95b0][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[257:root:95b0]fam_auth_send_req_internal:513 fnbam_auth return: 4

[257:root:95b0]fam_auth_send_req:1006 task finished with 4

[257:root:95b0]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[257:root:95b0][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[257:root:95b0]Received: auth_rsp_data.grp_list[0] = 4242536656

[257:root:95b0]Received: auth_rsp_data.grp_list[1] = 127

[257:root:95b0]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[257:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[257:root:95b0]Destroy sconn 0x7f83e5f000, connSize=0. (root)

[257:root:95b0]SSL state:warning close notify (45.140.17.63)

[258:root:95b2]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write finished (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS read finished (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[258:root:95b2]req: /remote/login

[258:root:95b2]rmt_web_auth_info_parser_common:505 no session id in auth info

[258:root:95b2]rmt_web_get_access_cache:854 invalid cache, ret=4103

[258:root:95b2]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[258:root:95b2]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[258:root:95b2]Destroy sconn 0x7f83e61000, connSize=0. (root)

[258:root:95b2]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b8]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b9]req: /remote/login?lang=en

[259:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95b9]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b8]req: /remote/login

[260:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[260:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b8]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b8]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[255:root:95b5]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95ba]req: /login

[261:root:95ba]Transfer-Encoding n/a

[261:root:95ba]Content-Length n/a

[261:root:95ba]def: (nil) /login

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b5]req: /remote/login?lang=en

[255:root:95b5]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b5]rmt_web_get_access_cache:854 invalid cache, ret=4103

[255:root:95b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[255:root:95b5]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95ba]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b5]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

diagnose debug disable[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b1]req: /login

[256:root:95b1]Transfer-Encoding n/a

[256:root:95b1]Content-Length n/a

[256:root:95b1]def: (nil) /login

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b1]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

diagnose debug disable

 

command parse error before 'disablediagnose'

Command fail. Return code -61

 

ABC-FW01 # diagnose debug disable

 

ABC-FW01 # diagnose debug reset

 

ABC-FW01 # diagnose debug application fnbamd -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 # [342] fnbamd_create_radius_socket-Opened radius socket 12

[1890] handle_req-Rcvd auth req 1536790667 for sdev in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-sdev

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=21 len=111 user="sdev" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=sdev

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=sdev

[1083] fnbamd_ldap_send-sending 70 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790667

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790667, len=2544

[792] destroy_auth_session-delete session 1536790667

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[1890] handle_req-Rcvd auth req 1536790668 for tmartin in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-tmartin

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=22 len=113 user="tmartin" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=tmartin

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=tmartin

[1083] fnbamd_ldap_send-sending 73 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790668

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790668, len=2544

[792] destroy_auth_session-delete session 1536790668

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

 

ABC-FW01 # diagnose debug application samld -1

 

ABC-FW01 #

ABC-FW01 #
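Added example, not part of the original posts: a small Python parser for `diagnose debug application fnbamd -1` output in the format shown above. It groups the lines by auth request and flags any login for which fnbamd loads both a RADIUS server and an LDAP server ("Total 2 server(s) to try" in the trace), so the LDAP path can be reviewed against the MFA requirement. The sample log and its names are constructed, and reading result 0 as success is an assumption; result 1 is the credential failure the sslvpn trace reports.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the format of the fnbamd trace above (placeholder names).
SAMPLE = """\
[1890] handle_req-Rcvd auth req 1001 for alice in  opt=00200401 prot=11
[473] __compose_group_list_from_req-Group 'VPN-2FA', type 1
[473] __compose_group_list_from_req-Group 'VPN_Users', type 1
[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'VPN-2FA' (3)
[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'AD_Users' for usergroup 'VPN_Users' (2)
[636] create_auth_session-Total 2 server(s) to try
[1244] __fnbamd_ldap_dn_next-No DN is found.
[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1001, len=2544
[1890] handle_req-Rcvd auth req 1002 for bob in  opt=00200401 prot=11
[473] __compose_group_list_from_req-Group 'VPN-2FA', type 1
[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'VPN-2FA' (3)
[636] create_auth_session-Total 1 server(s) to try
[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1002, len=2544
"""

REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in")
GROUP = re.compile(r"__compose_group_list_from_req-Group '([^']+)'")
SERVER = re.compile(r"Load(?:ing|ed) (RADIUS|LDAP) server '([^']+)' for usergroup '([^']+)'")
RCODE = re.compile(r"fnbamd_radius_auth_validate_pkt-RADIUS resp code (\d+)")
RESULT = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) \(nid \d+\) for req (\d+)")
NO_DN = "__fnbamd_ldap_dn_next-No DN is found"

# RADIUS packet codes defined in RFC 2865.
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


@dataclass
class AuthRequest:
    req_id: str
    user: str
    groups: List[str] = field(default_factory=list)
    servers: List[Tuple[str, str, str]] = field(default_factory=list)  # (kind, server, usergroup)
    radius_codes: List[int] = field(default_factory=list)
    ldap_no_dn: bool = False
    result: Optional[int] = None


def parse_fnbamd(text: str) -> List[AuthRequest]:
    """Group fnbamd debug lines by auth request.

    Assumes requests are logged one after another, as in the trace above;
    only the final result line carries the request id explicitly.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            current = AuthRequest(req_id=m.group(1), user=m.group(2))
            requests[current.req_id] = current
            continue
        m = RESULT.search(line)
        if m:
            req = requests.get(m.group(2))
            if req is not None:
                req.result = int(m.group(1))
            continue
        if current is None:
            continue  # prompt lines, wrapped fragments, output before the first request
        m = GROUP.search(line)
        if m:
            current.groups.append(m.group(1))
        m = SERVER.search(line)
        if m:
            current.servers.append((m.group(1), m.group(2), m.group(3)))
        m = RCODE.search(line)
        if m:
            current.radius_codes.append(int(m.group(1)))
        if NO_DN in line:
            current.ldap_no_dn = True
    return list(requests.values())


def needs_review(requests: List[AuthRequest]) -> List[Tuple[str, str]]:
    """Return (req_id, user) for logins sent to both a RADIUS and an LDAP backend."""
    flagged = []
    for req in requests:
        kinds = {kind for kind, _, _ in req.servers}
        if {"RADIUS", "LDAP"} <= kinds:
            flagged.append((req.req_id, req.user))
    return flagged


def describe(req: AuthRequest) -> str:
    """One-line summary of a request for a human reader."""
    backends = ", ".join(f"{k}:{s} (group {g})" for k, s, g in req.servers)
    codes = ", ".join(RADIUS_CODES.get(c, str(c)) for c in req.radius_codes) or "none"
    return f"req {req.req_id} user={req.user} backends=[{backends}] radius={codes} result={req.result}"


if __name__ == "__main__":
    parsed = parse_fnbamd(SAMPLE)
    for r in parsed:
        print(describe(r))
    for req_id, user in needs_review(parsed):
        print(f"review: req {req_id} ({user}) is checked against LDAP as well as the RADIUS/MFA server")
```
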

ITDavid

To clarify, I am getting a Push MFA request but by the time it is on my phone it is already connected with the VPN and no matter what I do the VPN is connected.

 

I did 2 sets of tests with the “Test Connectivity” and “Test User Credentials” tests. Test 1 is where I ran the “Test Connectivity” and “Test User Credentials”, and for the User credentials part I accepted the Push. It does seem to wait for my approval.

 

Test 2 was where I just did the User credentials test and ignored the push. It takes about 60 seconds, and then it says it cannot connect to the RADIUS server and then errors out.

 

Test 1

 

ABC-FW01 # diagnose debug application sslvpn -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 #

ABC-FW01 # [259:root:95b8]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b8]req: /remote/login

[259:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b8]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b8]SSL state:warning close notify (45.140.17.63)

[260:root:95b7]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b7]req: /remote/login?lang=en

[260:root:95b7]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b7]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b7]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[260:root:95b7]get_cust_page:123 saml_info 0

[260:root:95b7]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b7]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b7]SSL state:warning close notify (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95b9]req: /remote/login

[261:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[261:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[261:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[261:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95b9]SSL state:warning close notify (45.140.17.63)

[255:root:95b4]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b4]req: /remote/logincheck

[255:root:95b4]Transfer-Encoding n/a

[255:root:95b4]Content-Length 53

[255:root:95b4]readPostEnter:17 Post Data length 53.

[255:root:95b4]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b4]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[255:root:95b4]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[255:root:95b4]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[255:root:95b4]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[255:root:95b4]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[255:root:95b4]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[255:root:95b4]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[255:root:95b4]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[255:root:95b4]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[255:root:95b4]two factor check for swhite: off

[255:root:95b4]sslvpn_authenticate_user:192 authenticate user: [swhite]

[255:root:95b4]sslvpn_authenticate_user:206 create fam state

[255:root:95b4][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[255:root:95b4]group_desc[0].grpname = ABC-VPN-2FA

[255:root:95b4]group_desc[1].grpname = ABC-VPN_Users

[255:root:95b4][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[255:root:95b4]fam_auth_send_req_internal:513 fnbam_auth return: 4

[255:root:95b4]fam_auth_send_req:1006 task finished with 4

[255:root:95b4]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[255:root:95b4][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[255:root:95b4]Received: auth_rsp_data.grp_list[0] = 4242536656

[255:root:95b4]Received: auth_rsp_data.grp_list[1] = 127

[255:root:95b4]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[255:root:95b4]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b4]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b4]SSL state:warning close notify (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b0]req: /remote/login?lang=en

[256:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[256:root:95b0]rmt_web_get_access_cache:854 invalid cache, ret=4103

[256:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[256:root:95b0]get_cust_page:123 saml_info 0

[256:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b0]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b0]SSL state:warning close notify (45.140.17.63)

[257:root:95b0]allocSSLConn:310 sconn 0x7f83e5f000 (0:root)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[257:root:95b0]req: /remote/logincheck

[257:root:95b0]Transfer-Encoding n/a

[257:root:95b0]Content-Length 55

[257:root:95b0]readPostEnter:17 Post Data length 55.

[257:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[257:root:95b0]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[257:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[257:root:95b0]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[257:root:95b0]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[257:root:95b0]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[257:root:95b0]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[257:root:95b0]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[257:root:95b0]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[257:root:95b0]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[257:root:95b0]two factor check for swhite: off

[257:root:95b0]sslvpn_authenticate_user:192 authenticate user: [swhite]

[257:root:95b0]sslvpn_authenticate_user:206 create fam state

[257:root:95b0][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[257:root:95b0]group_desc[0].grpname = ABC-VPN-2FA

[257:root:95b0]group_desc[1].grpname = ABC-VPN_Users

[257:root:95b0][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[257:root:95b0]fam_auth_send_req_internal:513 fnbam_auth return: 4

[257:root:95b0]fam_auth_send_req:1006 task finished with 4

[257:root:95b0]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[257:root:95b0][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[257:root:95b0]Received: auth_rsp_data.grp_list[0] = 4242536656

[257:root:95b0]Received: auth_rsp_data.grp_list[1] = 127

[257:root:95b0]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[257:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[257:root:95b0]Destroy sconn 0x7f83e5f000, connSize=0. (root)

[257:root:95b0]SSL state:warning close notify (45.140.17.63)

[258:root:95b2]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write finished (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS read finished (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[258:root:95b2]req: /remote/login

[258:root:95b2]rmt_web_auth_info_parser_common:505 no session id in auth info

[258:root:95b2]rmt_web_get_access_cache:854 invalid cache, ret=4103

[258:root:95b2]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[258:root:95b2]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[258:root:95b2]Destroy sconn 0x7f83e61000, connSize=0. (root)

[258:root:95b2]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b8]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b9]req: /remote/login?lang=en

[259:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95b9]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b8]req: /remote/login

[260:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[260:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b8]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b8]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[255:root:95b5]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95ba]req: /login

[261:root:95ba]Transfer-Encoding n/a

[261:root:95ba]Content-Length n/a

[261:root:95ba]def: (nil) /login

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b5]req: /remote/login?lang=en

[255:root:95b5]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b5]rmt_web_get_access_cache:854 invalid cache, ret=4103

[255:root:95b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[255:root:95b5]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95ba]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b5]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

diagnose debug disable[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b1]req: /login

[256:root:95b1]Transfer-Encoding n/a

[256:root:95b1]Content-Length n/a

[256:root:95b1]def: (nil) /login

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b1]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

diagnose debug disable

 

command parse error before 'disablediagnose'

Command fail. Return code -61

 

ABC-FW01 # diagnose debug disable

 

ABC-FW01 # diagnose debug reset

 

ABC-FW01 # diagnose debug application fnbamd -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 # [342] fnbamd_create_radius_socket-Opened radius socket 12

[1890] handle_req-Rcvd auth req 1536790667 for sdev in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-sdev

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=21 len=111 user="sdev" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=sdev

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=sdev

[1083] fnbamd_ldap_send-sending 70 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790667

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790667, len=2544

[792] destroy_auth_session-delete session 1536790667

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[1890] handle_req-Rcvd auth req 1536790668 for tmartin in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-tmartin

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=22 len=113 user="tmartin" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=tmartin

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=tmartin

[1083] fnbamd_ldap_send-sending 73 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790668

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790668, len=2544

[792] destroy_auth_session-delete session 1536790668

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

 

ABC-FW01 # diagnose debug application samld -1

 

ABC-FW01 #

ABC-FW01
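The fnbamd debug in the post above can be condensed to one row per authentication request: which backends were tried, what the RADIUS server answered (code 3 is Access-Reject in RFC 2865), and the result fnbamd returned. This is an added example, not part of the thread and not Fortinet tooling. The sample lines are constructed in the format of the posted output, and treating result 0 as success is an assumption (the thread only shows result 1, which its sslvpn debug reports as an invalid username/password).

```python
"""Condense FortiGate fnbamd debug output to one summary per auth request."""
import re
from dataclasses import dataclass, field
from typing import Optional

# RADIUS packet codes (RFC 2865).
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
FNBAMD_SUCCESS = 0  # assumption: the thread itself only shows result 1 (denied)

RE_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in")
RE_BACKEND = re.compile(
    r"Load(?:ing|ed) (RADIUS|LDAP) server '([^']+)' for usergroup '([^']+)'")
RE_CODE = re.compile(r"fnbamd_radius_auth_validate_pkt-RADIUS resp code (\d+)")
RE_NO_DN = re.compile(r"__fnbamd_ldap_dn_next-No DN is found")
RE_RESULT = re.compile(
    r"fnbamd_comm_send_result-Sending result (\d+) \(nid \d+\) for req (\d+)")

# Constructed sample (users, groups and request ids are made up).
SAMPLE = """\
[1890] handle_req-Rcvd auth req 1001 for alice in  opt=00200401 prot=11
[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'VPN-2FA' (3)
[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'Corp_LDAP' for usergroup 'VPN_Users' (2)
[636] create_auth_session-Total 2 server(s) to try
[1244] __fnbamd_ldap_dn_next-No DN is found.
[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1001, len=2544
[1890] handle_req-Rcvd auth req 1002 for bob in  opt=00200401 prot=11
[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'VPN-2FA' (3)
[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'Corp_LDAP' for usergroup 'VPN_Users' (2)
[636] create_auth_session-Total 2 server(s) to try
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1002, len=2544
[1890] handle_req-Rcvd auth req 1003 for carol in  opt=00200401 prot=11
[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'VPN-2FA' (3)
[636] create_auth_session-Total 1 server(s) to try
[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1003, len=2544
"""


@dataclass
class AuthRequest:
    req_id: str
    user: str
    backends: list = field(default_factory=list)      # (kind, server, usergroup)
    radius_codes: list = field(default_factory=list)  # reply codes, in order seen
    ldap_no_dn: bool = False
    result: Optional[int] = None

    def radius_verdict(self):
        if not self.radius_codes:
            return "no RADIUS reply"
        code = self.radius_codes[-1]
        return RADIUS_CODES.get(code, f"code {code}")

    def mixed_backends(self):
        """A RADIUS server and some other backend were both tried."""
        kinds = {kind for kind, _, _ in self.backends}
        return "RADIUS" in kinds and len(kinds) > 1

    def granted_without_accept(self):
        """Success was returned although RADIUS never said Access-Accept."""
        uses_radius = any(kind == "RADIUS" for kind, _, _ in self.backends)
        accepted = bool(self.radius_codes) and self.radius_codes[-1] == 2
        return self.result == FNBAMD_SUCCESS and uses_radius and not accepted


def parse_fnbamd(text):
    """Group debug lines by request. Lines that carry no request id are
    attributed to the most recently opened request, which matches the
    sequential ordering of the output posted in the thread."""
    requests, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RE_REQ.search(line):
            current = AuthRequest(m.group(1), m.group(2))
            requests[current.req_id] = current
        elif m := RE_RESULT.search(line):
            if m.group(2) in requests:
                requests[m.group(2)].result = int(m.group(1))
        elif current is None:
            continue  # tail of a request whose header was not captured
        elif m := RE_BACKEND.search(line):
            current.backends.append(m.groups())
        elif m := RE_CODE.search(line):
            current.radius_codes.append(int(m.group(1)))
        elif RE_NO_DN.search(line):
            current.ldap_no_dn = True
    return list(requests.values())


def report(requests):
    rows = []
    for r in requests:
        flags = []
        if r.mixed_backends():
            flags.append("RADIUS and another backend tried")
        if r.granted_without_accept():
            flags.append("granted without Access-Accept")
        rows.append(f"req {r.req_id} user={r.user} radius={r.radius_verdict()} "
                    f"ldap_no_dn={r.ldap_no_dn} result={r.result} flags={flags}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(parse_fnbamd(SAMPLE))))
```

Run against a saved capture, a request flagged "granted without Access-Accept" is the one to compare with the Duo push timing described in the thread.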

ITDavid

To clarify, I am getting a Push MFA request but by the time it is on my phone it is already connected with the VPN and no matter what I do the VPN is connected.

 

I did 2 sets of tests with the “Test Connectivity” and “Test User Credentials” tests. Test 1 is where I ran the “Test Connectivity” and “Test User Credentials” and for the User credentials part I accepted the Push. It does seem to wait for my approval.

 

Test 2 was where I just did the User credentials test and ignored the push. It takes about 60 seconds, and then it says it cannot connect to the RADIUS server and then errors out.

 

Test 1

ABC-FW01 # diagnose debug application sslvpn -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 #

ABC-FW01 # [259:root:95b8]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b8]req: /remote/login

[259:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b8]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b8]SSL state:warning close notify (45.140.17.63)

[260:root:95b7]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b7]req: /remote/login?lang=en

[260:root:95b7]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b7]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b7]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[260:root:95b7]get_cust_page:123 saml_info 0

[260:root:95b7]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b7]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b7]SSL state:warning close notify (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95b9]req: /remote/login

[261:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[261:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[261:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[261:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95b9]SSL state:warning close notify (45.140.17.63)

[255:root:95b4]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b4]req: /remote/logincheck

[255:root:95b4]Transfer-Encoding n/a

[255:root:95b4]Content-Length 53

[255:root:95b4]readPostEnter:17 Post Data length 53.

[255:root:95b4]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b4]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[255:root:95b4]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[255:root:95b4]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[255:root:95b4]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[255:root:95b4]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[255:root:95b4]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[255:root:95b4]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[255:root:95b4]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[255:root:95b4]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[255:root:95b4]two factor check for swhite: off

[255:root:95b4]sslvpn_authenticate_user:192 authenticate user: [swhite]

[255:root:95b4]sslvpn_authenticate_user:206 create fam state

[255:root:95b4][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[255:root:95b4]group_desc[0].grpname = ABC-VPN-2FA

[255:root:95b4]group_desc[1].grpname = ABC-VPN_Users

[255:root:95b4][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[255:root:95b4]fam_auth_send_req_internal:513 fnbam_auth return: 4

[255:root:95b4]fam_auth_send_req:1006 task finished with 4

[255:root:95b4]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[255:root:95b4][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[255:root:95b4]Received: auth_rsp_data.grp_list[0] = 4242536656

[255:root:95b4]Received: auth_rsp_data.grp_list[1] = 127

[255:root:95b4]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[255:root:95b4]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b4]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b4]SSL state:warning close notify (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b0]req: /remote/login?lang=en

[256:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[256:root:95b0]rmt_web_get_access_cache:854 invalid cache, ret=4103

[256:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[256:root:95b0]get_cust_page:123 saml_info 0

[256:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b0]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b0]SSL state:warning close notify (45.140.17.63)

[257:root:95b0]allocSSLConn:310 sconn 0x7f83e5f000 (0:root)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[257:root:95b0]req: /remote/logincheck

[257:root:95b0]Transfer-Encoding n/a

[257:root:95b0]Content-Length 55

[257:root:95b0]readPostEnter:17 Post Data length 55.

[257:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[257:root:95b0]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[257:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[257:root:95b0]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[257:root:95b0]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[257:root:95b0]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[257:root:95b0]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[257:root:95b0]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[257:root:95b0]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[257:root:95b0]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[257:root:95b0]two factor check for swhite: off

[257:root:95b0]sslvpn_authenticate_user:192 authenticate user: [swhite]

[257:root:95b0]sslvpn_authenticate_user:206 create fam state

[257:root:95b0][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[257:root:95b0]group_desc[0].grpname = ABC-VPN-2FA

[257:root:95b0]group_desc[1].grpname = ABC-VPN_Users

[257:root:95b0][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[257:root:95b0]fam_auth_send_req_internal:513 fnbam_auth return: 4

[257:root:95b0]fam_auth_send_req:1006 task finished with 4

[257:root:95b0]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[257:root:95b0][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[257:root:95b0]Received: auth_rsp_data.grp_list[0] = 4242536656

[257:root:95b0]Received: auth_rsp_data.grp_list[1] = 127

[257:root:95b0]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[257:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[257:root:95b0]Destroy sconn 0x7f83e5f000, connSize=0. (root)

[257:root:95b0]SSL state:warning close notify (45.140.17.63)

[258:root:95b2]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write finished (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS read finished (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[258:root:95b2]req: /remote/login

[258:root:95b2]rmt_web_auth_info_parser_common:505 no session id in auth info

[258:root:95b2]rmt_web_get_access_cache:854 invalid cache, ret=4103

[258:root:95b2]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[258:root:95b2]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[258:root:95b2]Destroy sconn 0x7f83e61000, connSize=0. (root)

[258:root:95b2]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b8]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b9]req: /remote/login?lang=en

[259:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95b9]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b8]req: /remote/login

[260:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[260:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b8]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b8]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[255:root:95b5]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95ba]req: /login

[261:root:95ba]Transfer-Encoding n/a

[261:root:95ba]Content-Length n/a

[261:root:95ba]def: (nil) /login

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b5]req: /remote/login?lang=en

[255:root:95b5]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b5]rmt_web_get_access_cache:854 invalid cache, ret=4103

[255:root:95b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[255:root:95b5]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95ba]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b5]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

diagnose debug disable[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b1]req: /login

[256:root:95b1]Transfer-Encoding n/a

[256:root:95b1]Content-Length n/a

[256:root:95b1]def: (nil) /login

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b1]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

diagnose debug disable

 

command parse error before 'disablediagnose'

Command fail. Return code -61

 

ABC-FW01 # diagnose debug disable

 

ABC-FW01 # diagnose debug reset

 

ABC-FW01 # diagnose debug application fnbamd -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 # [342] fnbamd_create_radius_socket-Opened radius socket 12

[1890] handle_req-Rcvd auth req 1536790667 for sdev in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-sdev

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=21 len=111 user="sdev" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=sdev

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=sdev

[1083] fnbamd_ldap_send-sending 70 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790667

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790667, len=2544

[792] destroy_auth_session-delete session 1536790667

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[1890] handle_req-Rcvd auth req 1536790668 for tmartin in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-tmartin

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=22 len=113 user="tmartin" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=tmartin

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=tmartin

[1083] fnbamd_ldap_send-sending 73 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790668

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790668, len=2544

[792] destroy_auth_session-delete session 1536790668

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

 

ABC-FW01 # diagnose debug application samld -1

 

ITDavid

Test #2

 

 

ABC-FW01 # diagnose debug application sslvpn -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 #

ABC-FW01 # [259:root:95b8]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]no SNI received

[259:root:95b8]client cert requirement: no

[259:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b8]req: /remote/login

[259:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b8]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b8]SSL state:warning close notify (45.140.17.63)

[260:root:95b7]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]no SNI received

[260:root:95b7]client cert requirement: no

[260:root:95b7]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b7]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b7]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b7]req: /remote/login?lang=en

[260:root:95b7]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b7]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b7]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[260:root:95b7]get_cust_page:123 saml_info 0

[260:root:95b7]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b7]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b7]SSL state:warning close notify (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]no SNI received

[261:root:95b9]client cert requirement: no

[261:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95b9]req: /remote/login

[261:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[261:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[261:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[261:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95b9]SSL state:warning close notify (45.140.17.63)

[255:root:95b4]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]no SNI received

[255:root:95b4]client cert requirement: no

[255:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b4]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b4]req: /remote/logincheck

[255:root:95b4]Transfer-Encoding n/a

[255:root:95b4]Content-Length 53

[255:root:95b4]readPostEnter:17 Post Data length 53.

[255:root:95b4]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b4]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[255:root:95b4]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[255:root:95b4]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[255:root:95b4]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[255:root:95b4]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[255:root:95b4]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[255:root:95b4]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[255:root:95b4]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[255:root:95b4]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[255:root:95b4]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[255:root:95b4]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[255:root:95b4]two factor check for swhite: off

[255:root:95b4]sslvpn_authenticate_user:192 authenticate user: [swhite]

[255:root:95b4]sslvpn_authenticate_user:206 create fam state

[255:root:95b4][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[255:root:95b4]group_desc[0].grpname = ABC-VPN-2FA

[255:root:95b4]group_desc[1].grpname = ABC-VPN_Users

[255:root:95b4][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[255:root:95b4]fam_auth_send_req_internal:513 fnbam_auth return: 4

[255:root:95b4]fam_auth_send_req:1006 task finished with 4

[255:root:95b4]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[255:root:95b4][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[255:root:95b4]Received: auth_rsp_data.grp_list[0] = 4242536656

[255:root:95b4]Received: auth_rsp_data.grp_list[1] = 127

[255:root:95b4]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[255:root:95b4]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b4]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b4]SSL state:warning close notify (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]no SNI received

[256:root:95b0]client cert requirement: no

[256:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b0]req: /remote/login?lang=en

[256:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[256:root:95b0]rmt_web_get_access_cache:854 invalid cache, ret=4103

[256:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[256:root:95b0]get_cust_page:123 saml_info 0

[256:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b0]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b0]SSL state:warning close notify (45.140.17.63)

[257:root:95b0]allocSSLConn:310 sconn 0x7f83e5f000 (0:root)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]no SNI received

[257:root:95b0]client cert requirement: no

[257:root:95b0]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write finished (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b0]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS read finished (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[257:root:95b0]req: /remote/logincheck

[257:root:95b0]Transfer-Encoding n/a

[257:root:95b0]Content-Length 55

[257:root:95b0]readPostEnter:17 Post Data length 55.

[257:root:95b0]rmt_web_auth_info_parser_common:505 no session id in auth info

[257:root:95b0]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[257:root:95b0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[257:root:95b0]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[257:root:95b0]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[257:root:95b0]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[257:root:95b0]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[257:root:95b0]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[257:root:95b0]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[257:root:95b0]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[257:root:95b0]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[257:root:95b0]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[257:root:95b0]two factor check for swhite: off

[257:root:95b0]sslvpn_authenticate_user:192 authenticate user: [swhite]

[257:root:95b0]sslvpn_authenticate_user:206 create fam state

[257:root:95b0][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[257:root:95b0]group_desc[0].grpname = ABC-VPN-2FA

[257:root:95b0]group_desc[1].grpname = ABC-VPN_Users

[257:root:95b0][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[257:root:95b0]fam_auth_send_req_internal:513 fnbam_auth return: 4

[257:root:95b0]fam_auth_send_req:1006 task finished with 4

[257:root:95b0]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[257:root:95b0][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[257:root:95b0]Received: auth_rsp_data.grp_list[0] = 4242536656

[257:root:95b0]Received: auth_rsp_data.grp_list[1] = 127

[257:root:95b0]login_failed:404 user[swhite],auth_type=1 failed [sslvpn_login_permission_denied]

[257:root:95b0]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[257:root:95b0]Destroy sconn 0x7f83e5f000, connSize=0. (root)

[257:root:95b0]SSL state:warning close notify (45.140.17.63)

[258:root:95b2]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]no SNI received

[258:root:95b2]client cert requirement: no

[258:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write finished (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS read finished (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b2]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[258:root:95b2]req: /remote/login

[258:root:95b2]rmt_web_auth_info_parser_common:505 no session id in auth info

[258:root:95b2]rmt_web_get_access_cache:854 invalid cache, ret=4103

[258:root:95b2]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[258:root:95b2]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[258:root:95b2]Destroy sconn 0x7f83e61000, connSize=0. (root)

[258:root:95b2]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[260:root:95b8]allocSSLConn:310 sconn 0x7f83e54000 (0:root)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]SSL state:before SSL initialization (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]SSL state:before SSL initialization (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]no SNI received

[259:root:95b9]client cert requirement: no

[259:root:95b9]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]no SNI received

[260:root:95b8]client cert requirement: no

[260:root:95b8]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write finished (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95b9]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95b9]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95b9]req: /remote/login?lang=en

[259:root:95b9]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95b9]rmt_web_get_access_cache:854 invalid cache, ret=4103

[259:root:95b9]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95b9]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[260:root:95b8]SSL state:TLSv1.3 early data (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS read finished (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[260:root:95b8]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[260:root:95b8]req: /remote/login

[260:root:95b8]rmt_web_auth_info_parser_common:505 no session id in auth info

[260:root:95b8]rmt_web_get_access_cache:854 invalid cache, ret=4103

[260:root:95b8]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[260:root:95b8]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[260:root:95b8]Destroy sconn 0x7f83e54000, connSize=0. (root)

[260:root:95b8]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[259:root:95b9]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95b9]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95b9]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[255:root:95b5]allocSSLConn:310 sconn 0x7f83e46800 (0:root)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]SSL state:before SSL initialization (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]SSL state:before SSL initialization (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]no SNI received

[261:root:95ba]client cert requirement: no

[261:root:95ba]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write finished (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]no SNI received

[255:root:95b5]client cert requirement: no

[255:root:95b5]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write finished (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[261:root:95ba]SSL state:TLSv1.3 early data (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS read finished (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[261:root:95ba]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[261:root:95ba]req: /login

[261:root:95ba]Transfer-Encoding n/a

[261:root:95ba]Content-Length n/a

[261:root:95ba]def: (nil) /login

[255:root:95b5]SSL state:TLSv1.3 early data (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS read finished (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[255:root:95b5]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[255:root:95b5]req: /remote/login?lang=en

[255:root:95b5]rmt_web_auth_info_parser_common:505 no session id in auth info

[255:root:95b5]rmt_web_get_access_cache:854 invalid cache, ret=4103

[255:root:95b5]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[255:root:95b5]fsv_blocklist_check:65 locked: rowid=1,host=45.140.17.63

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[261:root:95ba]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[261:root:95ba]Destroy sconn 0x7f83e61000, connSize=0. (root)

[261:root:95ba]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[255:root:95b5]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[255:root:95b5]Destroy sconn 0x7f83e46800, connSize=0. (root)

[255:root:95b5]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]allocSSLConn:310 sconn 0x7f83e65800 (0:root)

diagnose debug disable[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]SSL state:before SSL initialization (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]no SNI received

[256:root:95b1]client cert requirement: no

[256:root:95b1]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write finished (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[256:root:95b1]SSL state:TLSv1.3 early data (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS read finished (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[256:root:95b1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b1]req: /login

[256:root:95b1]Transfer-Encoding n/a

[256:root:95b1]Content-Length n/a

[256:root:95b1]def: (nil) /login

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

[256:root:95b1]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b1]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b1]SSL state:warning close notify (45.140.17.63)

diagnose debug disable

 

command parse error before 'disablediagnose'

Command fail. Return code -61

 

ABC-FW01 # diagnose debug disable

 

ABC-FW01 # diagnose debug reset

 

ABC-FW01 # diagnose debug application fnbamd -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 # [342] fnbamd_create_radius_socket-Opened radius socket 12

[1890] handle_req-Rcvd auth req 1536790667 for sdev in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-sdev

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=21 len=111 user="sdev" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=sdev

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=sdev

[1083] fnbamd_ldap_send-sending 70 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790667

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790667, len=2544

[792] destroy_auth_session-delete session 1536790667

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[1890] handle_req-Rcvd auth req 1536790668 for tmartin in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-tmartin

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=22 len=113 user="tmartin" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=tmartin

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=tmartin

[1083] fnbamd_ldap_send-sending 73 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790668

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790668, len=2544

[792] destroy_auth_session-delete session 1536790668

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

 

ABC-FW01 # diagnose debug application samld -1

 

ABC-FW01 #

ABC-FW01 # cls

Unknown action 0

 

ABC-FW01 # clr

Unknown action 0

 

ABC-FW01 #

ABC-FW01 #

ABC-FW01 #

ABC-FW01 #

ABC-FW01 #

ABC-FW01 # diagnose debug application sslvpn -1

Debug messages will be on for 29 minutes.

 

ABC-FW01 # [256:root:95b2]SSL state:TLSv1.3 early data (5.181.86.12)

[256:root:95b2]SSL state:SSLv3/TLS read finished (5.181.86.12)

[256:root:95b2]SSL state:SSLv3/TLS write session ticket (5.181.86.12)

[256:root:95b2]SSL state:SSLv3/TLS write session ticket (5.181.86.12)

[256:root:95b2]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[256:root:95b2]req: /remote/logincheck

[256:root:95b2]Transfer-Encoding n/a

[256:root:95b2]Content-Length 54

[256:root:95b2]readPostEnter:17 Post Data length 54.

[256:root:95b2]rmt_web_auth_info_parser_common:505 no session id in auth info

[256:root:95b2]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[256:root:95b2]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[256:root:95b2]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[256:root:95b2]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[256:root:95b2]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[256:root:95b2]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[256:root:95b2]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[256:root:95b2]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[256:root:95b2]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[256:root:95b2]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[256:root:95b2]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[256:root:95b2]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[256:root:95b2]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[256:root:95b2]two factor check for ssmith: off

[256:root:95b2]sslvpn_authenticate_user:192 authenticate user: [ssmith]

[256:root:95b2]sslvpn_authenticate_user:206 create fam state

[256:root:95b2][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[256:root:95b2]group_desc[0].grpname = ABC-VPN-2FA

[256:root:95b2]group_desc[1].grpname = ABC-VPN_Users

[256:root:95b2][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[1890] handle_req-Rcvd auth req 1536790669 for ssmith in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-ssmith

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=23 len=112 user="ssmith" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=ssmith

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[256:root:95b2]fam_auth_send_req_internal:513 fnbam_auth return: 4

[256:root:95b2]fam_auth_send_req:1006 task finished with 4

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=ssmith

[1083] fnbamd_ldap_send-sending 72 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790669

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790669, len=2544

[792] destroy_auth_session-delete session 1536790669

[755] __ldap_destroy-

[256:root:95b2]fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[256:root:95b2][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[256:root:95b2]Received: auth_rsp_data.grp_list[0] = 4242536656

[256:root:95b2]Received: auth_rsp_data.grp_list[1] = 127

[256:root:95b2]login_failed:404 user[ssmith],auth_type=1 failed [sslvpn_login_permission_denied]

[256:root:95b2]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[256:root:95b2]Destroy sconn 0x7f83e65800, connSize=0. (root)

[256:root:95b2]SSL state:warning close notify (5.181.86.12)

diagnose debug enable

 

ABC-FW01 #

ABC-FW01 # diagnose debug enable

 

ABC-FW01 #

ABC-FW01 #

ABC-FW01 # [342] fnbamd_create_radius_socket-Opened radius socket 12

[2841] receive_parse_radius_check_response-No response from the RADIUS server.

[257:root:95b2]allocSSLConn:310 sconn 0x7f83e5f000 (0:root)

[257:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b2]SSL state:before SSL initialization (45.140.17.63)

[257:root:95b2]no SNI received

[257:root:95b2]client cert requirement: no

[257:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b2]no SNI received

[257:root:95b2]client cert requirement: no

[257:root:95b2]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS write finished (45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[257:root:95b2]SSL state:TLSv1.3 early data (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS read finished (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b2]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[257:root:95b2]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[257:root:95b2]req: /remote/login

[257:root:95b2]rmt_web_auth_info_parser_common:505 no session id in auth info

[257:root:95b2]rmt_web_get_access_cache:854 invalid cache, ret=4103

[257:root:95b2]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[257:root:95b2]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[257:root:95b2]Destroy sconn 0x7f83e5f000, connSize=0. (root)

[257:root:95b2]SSL state:warning close notify (45.140.17.63)

[258:root:95b4]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[258:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b4]SSL state:before SSL initialization (45.140.17.63)

[258:root:95b4]no SNI received

[258:root:95b4]client cert requirement: no

[258:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b4]no SNI received

[258:root:95b4]client cert requirement: no

[258:root:95b4]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS write finished (45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[258:root:95b4]SSL state:TLSv1.3 early data (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS read finished (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b4]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[258:root:95b4]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[258:root:95b4]req: /remote/login?lang=en

[258:root:95b4]rmt_web_auth_info_parser_common:505 no session id in auth info

[258:root:95b4]rmt_web_get_access_cache:854 invalid cache, ret=4103

[258:root:95b4]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[258:root:95b4]get_cust_page:123 saml_info 0

[258:root:95b4]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[258:root:95b4]Destroy sconn 0x7f83e61000, connSize=0. (root)

[258:root:95b4]SSL state:warning close notify (45.140.17.63)

[259:root:95bb]allocSSLConn:310 sconn 0x7f83e61000 (0:root)

[259:root:95bb]SSL state:before SSL initialization (45.140.17.63)

[259:root:95bb]SSL state:before SSL initialization (45.140.17.63)

[259:root:95bb]no SNI received

[259:root:95bb]client cert requirement: no

[259:root:95bb]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS write change cipher spec (45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95bb]no SNI received

[259:root:95bb]client cert requirement: no

[259:root:95bb]SSL state:SSLv3/TLS read client hello (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS write server hello (45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 write encrypted extensions (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS write certificate (45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 write server certificate verify (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS write finished (45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 early data:(null)(45.140.17.63)

[259:root:95bb]SSL state:TLSv1.3 early data (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS read finished (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95bb]SSL state:SSLv3/TLS write session ticket (45.140.17.63)

[259:root:95bb]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

[259:root:95bb]req: /remote/logincheck

[259:root:95bb]Transfer-Encoding n/a

[259:root:95bb]Content-Length 50

[259:root:95bb]readPostEnter:17 Post Data length 50.

[259:root:95bb]rmt_web_auth_info_parser_common:505 no session id in auth info

[259:root:95bb]rmt_web_access_check:773 access failed, uri=[/remote/logincheck],ret=4103,

[259:root:95bb]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

[259:root:95bb]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.

[259:root:95bb]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).

[259:root:95bb]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (1), realm ().

[259:root:95bb]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.

[259:root:95bb]sslvpn_validate_user_group_list:1999 checking rule 1 realm.

[259:root:95bb]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.

[259:root:95bb]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.

[259:root:95bb]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (2:0) peer group (0).

[259:root:95bb]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).

[259:root:95bb]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).

[259:root:95bb]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.

[259:root:95bb]two factor check for msingh: off

[259:root:95bb]sslvpn_authenticate_user:192 authenticate user: [msingh]

[259:root:95bb]sslvpn_authenticate_user:206 create fam state

[259:root:95bb][fam_auth_send_req_internal:425] Groups sent to FNBAM:

[259:root:95bb]group_desc[0].grpname = ABC-VPN-2FA

[259:root:95bb]group_desc[1].grpname = ABC-VPN_Users

[259:root:95bb][fam_auth_send_req_internal:437] FNBAM opt = 0X200401

[259:root:95bb]fam_auth_send_req_internal:513 fnbam_auth return: 4

[1890] handle_req-Rcvd auth req 1536790670 for msingh in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[259:root:95bb][473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

fam_auth_send_req:1006 task finished with 4

[616] fnbamd_pop3_start-msingh

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=24 len=113 user="msingh" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=msingh

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=msingh

[1083] fnbamd_ldap_send-sending 72 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790670

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790670, len=2544

[792] destroy_auth_session-delete session 1536790670

[259:root:95bb][755] __ldap_destroy-

fam_auth_proc_resp:1358 fnbam_auth_update_result return: 1 (invalue username/password)

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[259:root:95bb][fam_auth_proc_resp:1457] Authenticated groups (2) by FNBAM with auth_type (1):

[259:root:95bb]Received: auth_rsp_data.grp_list[0] = 4242536656

[259:root:95bb]Received: auth_rsp_data.grp_list[1] = 127

[259:root:95bb]login_failed:404 user[msingh],auth_type=1 failed [sslvpn_login_permission_denied]

[259:root:95bb]sslConnGotoNextState:313 error (last state: 1, closeOp: 0)

[259:root:95bb]Destroy sconn 0x7f83e61000, connSize=0. (root)

[259:root:95bb]SSL state:warning close notify (45.140.17.63)

 

ABC-FW01 # diagnose debug disable

 

ABC-FW01 # diagnose debug reset

 

ABC-FW01 # diagnose debug application fnbamd -1

Debug messages will be on for 30 minutes.

 

ABC-FW01 # diagnose debug enable

 

ABC-FW01 # [342] fnbamd_create_radius_socket-Opened radius socket 13

[1890] handle_req-Rcvd auth req 1536790671 for sshwangsshwang9 in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-sshwangsshwang9

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=25 len=124 user="sshwangsshwang9" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=sshwangsshwang9

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=sshwangsshwang9

[1083] fnbamd_ldap_send-sending 81 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790671

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790671, len=2544

[792] destroy_auth_session-delete session 1536790671

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[2841] receive_parse_radius_check_response-No response from the RADIUS server.

[1890] handle_req-Rcvd auth req 1536790672 for jrobinson in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-jrobinson

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=26 len=115 user="jrobinson" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=jrobinson

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=jrobinson

[1083] fnbamd_ldap_send-sending 75 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790672

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790672, len=2544

[792] destroy_auth_session-delete session 1536790672

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[1890] handle_req-Rcvd auth req 1536790673 for jhernandez in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-jhernandez

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 11

[342] fnbamd_create_radius_socket-Opened radius socket 12

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=11, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=27 len=116 user="jhernandez" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=jhernandez

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=jhernandez

[1083] fnbamd_ldap_send-sending 76 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790673

[1890] handle_req-Rcvd auth req 1536790674 for sysdb in  opt=00200401 prot=11

[473] __compose_group_list_from_req-Group 'ABC-VPN-2FA', type 1

[473] __compose_group_list_from_req-Group 'ABC-VPN_Users', type 1

[616] fnbamd_pop3_start-sysdb

[571] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DUO_2FA' for usergroup 'ABC-VPN-2FA' (3)

[342] fnbamd_create_radius_socket-Opened radius socket 13

[342] fnbamd_create_radius_socket-Opened radius socket 14

[1454] fnbamd_radius_auth_send-Compose RADIUS request

[1411] fnbamd_rad_dns_cb-[IP of the DC and RADIUS Server]->[IP of the DC and RADIUS Server]

[1383] __fnbamd_rad_send-Sent radius req to server 'DUO_2FA': fd=13, IP=[IP of the DC and RADIUS Server]([IP of the DC and RADIUS Server]:1812) code=1 id=28 len=112 user="sysdb" using PAP

[319] radius_server_auth-Timer of rad 'DUO_2FA' is added

[760] auth_tac_plus_start-Didn't find tac_plus servers (0)

[1007] __fnbamd_cfg_get_ldap_list_by_group-

[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ABC_Users' for usergroup 'ABC-VPN_Users' (2)

[1115] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1

[1718] fnbamd_ldap_init-search filter is: samaccountname=sysdb

[1728] fnbamd_ldap_init-search base is: DC=ABC,DC=local

[1150] __fnbamd_ldap_dns_cb-Resolved ABC_Users:[IP of the DC and RADIUS Server] to [IP of the DC and RADIUS Server], cur stack size:1

[925] __fnbamd_ldap_get_next_addr-

[1155] __fnbamd_ldap_dns_cb-Connection starts ABC_Users:[IP of the DC and RADIUS Server], addr [IP of the DC and RADIUS Server]

[880] __fnbamd_ldap_start_conn-Still connecting [IP of the DC and RADIUS Server].

[636] create_auth_session-Total 2 server(s) to try

[1931] handle_req-r=4

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790673, len=2544

[792] destroy_auth_session-delete session 1536790673

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

[1108] __ldap_connect-tcps_connect([IP of the DC and RADIUS Server]) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'ABC\svc_LDAP'

[1083] fnbamd_ldap_send-sending 40 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 1

[986] __ldap_rxtx-state 4(Admin Bind resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind

[1023] fnbamd_ldap_parse_response-ret=0

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'DC=ABC,DC=local' filter:samaccountname=sysdb

[1083] fnbamd_ldap_send-sending 71 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 2

[986] __ldap_rxtx-state 12(DN search resp)

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 74

[1306] fnbamd_ldap_recv-Response len: 76, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 58

[1306] fnbamd_ldap_recv-Response len: 60, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference

[1023] fnbamd_ldap_parse_response-ret=0

[1127] __fnbamd_ldap_read-Read 8

[1233] fnbamd_ldap_recv-Leftover 2

[1127] __fnbamd_ldap_read-Read 14

[1306] fnbamd_ldap_recv-Response len: 16, svr: [IP of the DC and RADIUS Server]

[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result

[1023] fnbamd_ldap_parse_response-ret=0

[1244] __fnbamd_ldap_dn_next-No DN is found.

[1053] __ldap_rxtx-Change state to 'Done'

[986] __ldap_rxtx-state 23(Done)

[1083] fnbamd_ldap_send-sending 7 bytes to [IP of the DC and RADIUS Server]

[1096] fnbamd_ldap_send-Request is sent. ID 3

[785] __ldap_done-svr 'ABC_Users'

[755] __ldap_destroy-

[724] __ldap_stop-Conn with [IP of the DC and RADIUS Server] destroyed.

[2774] fnbamd_ldap_result-Continue pending for req 1536790674

[1428] fnbamd_auth_handle_radius_result-Timer of rad 'DUO_2FA' is deleted

[1863] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3

[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'DUO_2FA' [IP of the DC and RADIUS Server](1) is 1

[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 1536790674, len=2544

[792] destroy_auth_session-delete session 1536790674

[755] __ldap_destroy-

[1764] fnbamd_ldap_auth_ctx_free-Freeing 'ABC_Users' ctx

 
