Support Forum
pcbron

SSL-VPN with SAML won't re-connect

We are using SSL-VPN with SAML with Azure AD as the IdP. After rebooting the computer, the initial connection usually works as expected, though sometimes it fails with error -14. After disconnecting, when we click "Connect" again we are never prompted to log in again and the connection immediately fails with error -6005. A reboot is required to connect again.

We are able to log in reliably to the web portal. I also tried switching to an alternate authentication method (RADIUS) and it works reliably. It is only SSL-VPN with SAML that is having an issue.

FortiClient version is 7.2.3.0929 and client OS is Windows 11. FortiGate version is 7.0.13.

Here are logs from the FG200 during one of the failed connection attempts:

2024-02-06 10:25:08 [28170:root:23d]allocSSLConn:307 sconn 0x7feb0a756c00 (0:root)
2024-02-06 10:25:08 [28170:root:23d]SSL state:before SSL initialization (67.xx.xx.xx)
2024-02-06 10:25:08 [28170:root:23d]SSL state:before SSL initialization:DH lib(67.xx.xx.xx)
2024-02-06 10:25:08 [28170:root:23d]SSL_accept failed, 5:(null)
2024-02-06 10:25:08 [28170:root:23d]Destroy sconn 0x7feb0a756c00, connSize=0. (root)
2024-02-06 10:25:09 [612:root:36]allocSSLConn:307 sconn 0x7feb099d9800 (0:root)
2024-02-06 10:25:09 [612:root:36]SSL state:before SSL initialization (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:before SSL initialization (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]got SNI server name: vpn.mydomain.com realm (null)
2024-02-06 10:25:09 [612:root:36]client cert requirement: yes
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS read client hello (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write server hello (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write certificate (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write key exchange (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write certificate request (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write server done (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write server done:system lib(67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write server done (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS read client certificate (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS read client key exchange (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS read certificate verify (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS read change cipher spec (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS read finished (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write session ticket (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write change cipher spec (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSLv3/TLS write finished (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL state:SSL negotiation finished successfully (67.xx.xx.xx)
2024-02-06 10:25:09 [612:root:36]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-02-06 10:25:09 [612:root:36]req: /remote/saml/login
2024-02-06 10:25:09 [612:root:36]fsv_rmt_saml_login_cb:117 wrong vdom (0:0) or time expired.
2024-02-06 10:25:09 [612:root:36]Destroy sconn 0x7feb099d9800, connSize=0. (root)
2024-02-06 10:25:09 [612:root:36]SSL state:warning close notify (67.xx.xx.xx)

1 REPLY
saneeshpv_FTNT

Hi @pcbron,

Could you please run the Diagnostics Tool from the FCT client to gather more data from the FCT.

This will give more clarity on where the problem exists. You could also share the SAML portion of your configuration from the FGT.

The error says:

wrong vdom (0:0) or time expired

You may check if the request is landing on the right VDOM, and also try to increase the remote authentication timeout value to something higher than what is configured currently.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-authentication-fails-with-error...

Best Regards,
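
The FortiGate CLI sequence that the two suggestions in the reply above map to, added here as an example; it is not part of the reply, the original post, or Fortinet's documentation. It enables sslvpn and samld debug output for a capture of the failing reconnect, lists the VDOMs for the "wrong vdom" check, and raises remoteauthtimeout. The timeout value 60 is an assumption; the command names are FortiOS 7.0 syntax and should be confirmed on the 7.0.13 build in question, and the `config system global` step must be entered from `config global` if VDOMs are enabled.

```text
# Added example, not from the thread. Values marked "assumed" are placeholders.

# 1. Capture SSL-VPN and SAML daemon debug output while the failing
#    "Connect" is reproduced on the client. Timestamps make it possible
#    to line the capture up with the FortiClient diagnostics bundle.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug enable
#    ... reproduce the -6005 reconnect on the client, then stop:
diagnose debug disable
diagnose debug reset

# 2. "wrong vdom (0:0) or time expired": confirm which VDOM the request
#    is landing on. The posted log shows the connection handled in root.
#    On a multi-VDOM unit, the SSL-VPN listening interface, the SAML user
#    and the firewall policy must all belong to that same VDOM.
diagnose sys vd list

# 3. Raise the remote authentication timeout (global, in seconds).
#    60 is an assumed value; pick one that fits your IdP round-trip.
#    Run from "config global" first if VDOMs are enabled.
config system global
    set remoteauthtimeout 60
end

# 4. Confirm the new value is in the running configuration.
show full-configuration system global | grep remoteauthtimeout
```

Two things worth keeping in mind when applying this: remoteauthtimeout is a global setting, so it also governs RADIUS and LDAP lookups, and it is better raised in modest steps than set to the maximum. The capture from step 1, taken during the failing reconnect, also shows which of the two failure shapes in the posted log you are looking at: the first connection there died inside the TLS handshake (SSL_accept failed), while the second completed TLS and only failed when /remote/saml/login hit the vdom/time-expired callback.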
