- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SOLVED SSLVPN : Error logon -12 auth_type=16 faile...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SOLVED SSLVPN : Error logon -12 auth_type=16 failed [sslvpn_login_permission_denied]
Hello all,
We have severals vpnssl and clients connect with forticleint SSLPVN.
I created a new VPNSSL but i can't connect, logon denied.
Fortigate 100D v5.2.4,build688 (GA)
What i've done :
Creation of a new group in ActiveDirectory, i put some users in member.
creation of a new group in forti and map it with AD
Creation of a new address scope for VPN
Creation and configuration of a new portal SSL
Creation of policies for this VPN.
I'm pretty sur i've missed something but what...
diag debug sslvpn :
[94:root:1729]allocSSLConn:245 sconn 0x2a98d1b000 (0:root)
[94:root:1729]SSL state:before/accept initialization (xx.xx.xx.xx)
[94:root:1729]SSL_accept returned 0.
[94:root:1729]Destroy sconn 0x2a98d1b000, connSize=3. (root)
[95:root:1728]allocSSLConn:245 sconn 0x2a98c61c00 (0:root)
[95:root:1728]SSL state:before/accept initialization (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client hello A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write server hello A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write certificate A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write key exchange A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write server done A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 flush data (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client certificate A:system lib(xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client certificate A:system lib(xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read client key exchange A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read certificate verify A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 read finished A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write change cipher spec A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 write finished A (xx.xx.xx.xx)
[95:root:1728]SSL state:SSLv3 flush data (xx.xx.xx.xx)
[95:root:1728]SSL state:SSL negotiation finished successfully (xx.xx.xx.xx)
[95:root:1728]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
[95:root:1728]req: /remote/login
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]req: /remote/logincheck
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:639 access failed, uri=[/remote/logincheck],ret=4103,
[95:root:1728]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy.
[95:root:1728]sslvpn_auth_check_usrgroup:1740 got user (1) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1384 validating with SSL VPN authentication rules (7), realm ().
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 1 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 1 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 1 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 1 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (1:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 2 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 2 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 2 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 2 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 2 done, got user (0) group (2:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 3 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 3 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 3 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 3 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 3 done, got user (0) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 4 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 4 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 4 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 4 source address.
[95:root:1728]sslvpn_validate_user_group_list:1552 rule 4 done, got user (1) group (3:0).
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 5 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 5 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 5 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 5 source address.
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 6 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 6 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 6 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 6 source address.
[95:root:1728]sslvpn_validate_user_group_list:1432 checking rule 7 cipher.
[95:root:1728]sslvpn_validate_user_group_list:1440 checking rule 7 realm.
[95:root:1728]sslvpn_validate_user_group_list:1451 checking rule 7 source intf.
[95:root:1728]sslvpn_validate_user_group_list:1472 checking rule 7 source address.
[95:root:1728]sslvpn_validate_user_group_list:1638 got user (1), group (3:0).
[95:root:1728]two factor check for xxxx: off
[95:root:1728]sslvpn_authenticate_user:168 authenticate user: [xxxx]
[95:root:1728]sslvpn_authenticate_user:175 create fam state
[95:root:1728]fam_auth_send_req:514 with server blacklist:
[95:root:1728]fam_auth_send_req_internal:414 fnbam_auth return: 4
[95:root:1728]Auth failed due to group restrictions
[95:root:1728]rmt_logincheck.c:250 user[xxxx],auth_type=16 failed [sslvpn_login_permission_denied]
[95:root:0]rmt_websession.c:77 status=1;host=xx.xx.xx.xx;fails=1;logintime=1443692633
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]req: /
[95:root:1728]mza: 0x1de8980 /rmt_index.html
[95:root:1728]def: 0x1de8980 /rmt_index.html
[95:root:1728]req: /remote/index
[95:root:1728]def: (nil) /remote/index
[95:root:1728]req: /remote/fortisslvpn
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:639 access failed, uri=[/remote/fortisslvpn],ret=4103,
[95:root:1728]req: /remote/login
[95:root:1728]rmt_authutil.c:418 no session id in auth info
[95:root:1728]rmt_authutil.c:701 invalid cache, ret=4103
[95:root:1728]Timeout for connection 0x2a98c61c00.
[95:root:1728]Destroy sconn 0x2a98c61c00, connSize=1. (root)
Thank you.
Regards,
Alex.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I answer to my post.
It's ok now.
In policies, i had to enter VPN groups in users section.
Related Posts
- CLI Script delete Groupmembers 43 Views
- FAZ 200F SSL VPN login fail... 39 Views
- SSLVPN login fails before 7AM EDT 98 Views
- Fortigate 60d boot device failing 129 Views
- Physical AP error on deleting WLAN... 100 Views
Labels
-
FortiGate
6,489 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.