Hello all,
We have several SSL VPNs and clients connect with FortiClient SSL VPN.
I created a new SSL VPN but I can't connect: logon denied.
Fortigate 100D v5.2.4,build688 (GA)
What I've done:
Creation of a new group in Active Directory; I put some users in as members.
Creation of a new group in Forti and mapping it to AD
Creation of a new address scope for VPN
Creation and configuration of a new portal SSL
Creation of policies for this VPN.
I'm pretty sure I've missed something, but what...
diag debug sslvpn:
[94:root:1729]allocSSLConn:245 sconn 0x2a98d1b000 (0:root)
[94:root:1729]SSL state:before/accept initialization (xx.xx.xx.xx)
[94:root:1729]SSL_accept returned 0.
[94:root:1729]Destroy sconn 0x2a98d1b000, connSize=3. (root)
[95:root:1728]allocSSLConn:245 sconn 0x2a98c61c00 (0:root)
[95:root:1728]SSL state:before/accept initialization (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client hello A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write server hello A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write certificate A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write key exchange A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write server done A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 flush data (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client certificate A:system lib(xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client certificate A:system lib(xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client key exchange A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read certificate verify A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read finished A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write change cipher spec A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write finished A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 flush data (xx.xx.xx.xx)
[95:root:1728]SSL state:SSL negotiation finished successfully (xx.xx.xx.xx)
[95:root:1728]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
[95:root:1728]req: /remote/login
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]req: /remote/logincheck
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:639 access failed, uri=[/remote/logincheck],ret=4103,
[95:root:1728]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy.
[95:root:1728]sslvpn_auth_check_usrgroup:1740 got user (1) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1384 validating with SSL VPN authentication rules (7), realm ().
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 1 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 1 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 1 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 1 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (1:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 2 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 2 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 2 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 2 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 2 done, got user (0) group (2:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 3 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 3 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 3 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 3 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 3 done, got user (0) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 4 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 4 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 4 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 4 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 4 done, got user (1) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 5 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 5 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 5 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 5 source address.
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 6 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 6 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 6 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 6 source address.
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 7 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 7 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 7 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 7 source address.
[95:root:1728]sslvpn_validate_user_group_list:1638 got user (1), group (3:0).
[95:root:1728]two factor check for xxxx: off
[95:root:1728]sslvpn_authenticate_user:168 authenticate user: [xxxx]
[95:root:1728]sslvpn_authenticate_user:175 create fam state
[95:root:1728]fam_auth_send_req:514 with server blacklist:
[95:root:1728]fam_auth_send_req_internal:414 fnbam_auth return: 4
[95:root:1728]Auth failed due to group restrictions
[95:root:1728]rmt_logincheck.c:250 user[xxxx],auth_type=16 failed [sslvpn_login_permission_denied]
[95:root:0]rmt_websession.c:77 status=1;host=xx.xx.xx.xx;fails=1;logintime=1443692633
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]req: /
[95:root:1728]mza: 0x1de8980 /rmt_index.html
[95:root:1728]def: 0x1de8980 /rmt_index.html
[95:root:1728]req: /remote/index
[95:root:1728]def: (nil) /remote/index
[95:root:1728]req: /remote/fortisslvpn
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:639 access failed, uri=[/remote/fortisslvpn],ret=4103,
[95:root:1728]req: /remote/login
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]Timeout for connection 0x2a98c61c00.
[95:root:1728]Destroy sconn 0x2a98c61c00, connSize=1. (root)
Thank you.
Regards,
Alex.
I'm answering my own post.
It's OK now.
In the policies, I had to enter the VPN groups in the users section.
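The debug trace above is the kind of output an admin has to read through repeatedly when a new portal does not let anyone in. The following is an added example (not Fortinet code and not part of the original thread) that groups `diag debug sslvpn` lines by their `[pid:vdom:connection]` prefix and reports, per connection, whether TLS completed, which user was tried and how the login ended. The sample input is an abridged copy of the trace posted in the thread; the hint for `group restrictions` is taken from the fix reported in this thread (the VPN group missing from the policy's users section), not from Fortinet documentation, and the assumed message formats are only those visible in the trace.

```python
"""Triage helper for FortiGate `diag debug sslvpn` output (added example)."""
import re
from collections import OrderedDict

# Constructed sample: an abridged copy of the debug trace quoted in the thread.
SAMPLE_LOG = """\
[94:root:1729]allocSSLConn:245 sconn 0x2a98d1b000 (0:root)
[94:root:1729]SSL state:before/accept initialization (xx.xx.xx.xx)
[94:root:1729]SSL_accept returned 0.
[94:root:1729]Destroy sconn 0x2a98d1b000, connSize=3. (root)
[95:root:1728]allocSSLConn:245 sconn 0x2a98c61c00 (0:root)
[95:root:1728]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
[95:root:1728]req: /remote/login
[95:root:1728]req: /remote/logincheck
[95:root:1728]sslvpn_validate_user_group_list:1638 got user (1), group (3:0).
[95:root:1728]two factor check for xxxx: off
[95:root:1728]sslvpn_authenticate_user:168 authenticate user: [xxxx]
[95:root:1728]fam_auth_send_req_internal:414 fnbam_auth return: 4
[95:root:1728]Auth failed due to group restrictions
[95:root:1728]rmt_logincheck.c:250 user[xxxx],auth_type=16 failed [sslvpn_login_permission_denied]
[95:root:1728]Destroy sconn 0x2a98c61c00, connSize=1. (root)
"""

# Message shapes are assumed from the trace above only.
PREFIX_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]*):(?P<conn>\d+)\](?P<msg>.*)$")
TLS_RE = re.compile(r"SSL established: (?P<tls>.+)$")
REQ_RE = re.compile(r"req: (?P<uri>\S+)")
USER_RE = re.compile(r"authenticate user: \[(?P<user>[^\]]*)\]")
FNBAM_RE = re.compile(r"fnbam_auth return: (?P<code>\d+)")
REASON_RE = re.compile(r"Auth failed due to (?P<reason>.+)$")
FAILED_RE = re.compile(r"user\[(?P<user>[^\]]*)\],auth_type=\d+ failed \[(?P<outcome>[^\]]+)\]")


def new_summary():
    return {"tls": None, "requests": [], "user": None, "fnbam": None,
            "reason": None, "outcome": None, "handshake_aborted": False}


def summarize_connections(text):
    """Return {connection_id: summary} in first-seen order."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue  # lines without the debug prefix are not per-connection
        s = conns.setdefault(m.group("conn"), new_summary())
        msg = m.group("msg")
        if (t := TLS_RE.search(msg)):
            s["tls"] = t.group("tls").strip()
        elif (r := REQ_RE.search(msg)):
            s["requests"].append(r.group("uri"))
        elif (u := USER_RE.search(msg)):
            s["user"] = u.group("user")
        elif (f := FNBAM_RE.search(msg)):
            s["fnbam"] = int(f.group("code"))
        elif (rs := REASON_RE.search(msg)):
            s["reason"] = rs.group("reason").strip()
        elif (fl := FAILED_RE.search(msg)):
            s["outcome"] = fl.group("outcome")
            s["user"] = s["user"] or fl.group("user")
        elif "SSL_accept returned 0" in msg:
            s["handshake_aborted"] = True  # TLS never reached "established"
    return conns


def diagnose(summary):
    """Map one connection's summary to a plain-language triage hint."""
    if summary["handshake_aborted"] and summary["tls"] is None:
        return "TLS handshake never completed, no login attempted on this connection"
    if summary["outcome"] == "sslvpn_login_permission_denied" and summary["reason"] == "group restrictions":
        # Hint taken from the fix reported in this thread, not from vendor documentation.
        return ("login denied with group restrictions: the user's group is not granted SSL VPN "
                "access by a firewall policy; check the policy's source user/group entries")
    if summary["outcome"]:
        return "login failed: " + summary["outcome"]
    return "no login failure recorded in this capture"


if __name__ == "__main__":
    for conn_id, summary in summarize_connections(SAMPLE_LOG).items():
        print(conn_id, summary["tls"], summary["user"], summary["outcome"])
        print("  ->", diagnose(summary))
```

Run it against a real capture by replacing `SAMPLE_LOG` with the file contents; the per-connection grouping matters because a single FortiClient attempt produces several connections and only one of them carries the `/remote/logincheck` result.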