Hot!Fortigate 100D / 5.2.7 / VPNSSL stop working / user(s) unknown

Author
NR42
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/22 05:29:29
  • Status: offline
2017/08/22 08:13:58 (permalink)
0

Fortigate 100D / 5.2.7 / VPNSSL stop working / user(s) unknown

Hello,

We are currently running a Forti 100D under 5.2.7 firmware.

VPN SSL was correctly working with LDAP users and 2nd factor authentication (FortiToken).
Users are in an Active Directory OU (not in "Users" directly) and it is a Forti Group which is used to regroup users firewall side (not an Active Directory Group ; and, of course, not a group of groups that doesn't work)

It stops working "suddenly" but configuration is the same and the LDAP test is still successful (with "sAMAccountName" field, etc.). Furthermore, reboot does nothing.

I created a local account to test and avoid potential LDAP problem but I still receive : "Permission denied 455" or "Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12)."

Recreate group, portal, etc. does nothing and I didn't see objects named like users like other threads :
- https://community.spicewo...ssl_login_unknown_user
- https://www.reddit.com/r/...ers_permission_denied/
- https://www.reddit.com/r/...p_authenticating_user/

SSL VPN service is not in conserve mode.

Please find below two logs : one with LOCALUSER and one with LDAPUSER.
The auth_type is the same (not normal ?) and the LDAP user is not supposed to be with 2nd factors (but it is written "off")

I have no more idea ; Hope you will.
It seems to be a bug (cf. other threads) but changelog between 5.2.7 and 5.2.11 show nothing significant concerning this case.

Kind regards,
Nicolas

##### LOCALUSER (portal) #####
[172:root:5]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[172:root:5]req: /remote/logincheck
[172:root:5]rmt_authutil.c:418 no session id in auth info
[172:root:5]rmt_authutil.c:639 access failed, uri=[/remote/logincheck],ret=4103,
[172:root:5]rmt_logincheck_cb_handler:839 user 'LOCALUSER' has a matched local entry.
[172:root:5]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy.
[172:root:5]sslvpn_auth_check_usrgroup:1740 got user (3) group (0:0).
[172:root:5]sslvpn_validate_user_group_list:1384 validating with SSL VPN authentication rules (1), realm ().
[172:root:5]sslvpn_validate_user_group_list:1432 checking rule 1 cipher.
[172:root:5]sslvpn_validate_user_group_list:1440 checking rule 1 realm.
[172:root:5]sslvpn_validate_user_group_list:1451 checking rule 1 source intf.
[172:root:5]sslvpn_validate_user_group_list:1487 checking rule 1 vd source intf.
[172:root:5]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (0:0).
[172:root:5]sslvpn_validate_user_group_list:1638 got user (3), group (0:0).
[172:root:5]two factor check for LOCALUSER: off
[172:root:5]sslvpn_authenticate_user:168 authenticate user: [LOCALUSER]
[172:root:5]sslvpn_authenticate_user:175 create fam state
[172:root:5]fam_auth_send_req:514 with server blacklist:
[172:root:5]fam_auth_send_req:592 clear local user flag and do authentication again.
[172:root:5]fam_auth_send_req:514 with server blacklist:
[172:root:5]fam_auth_send_req:601 task finished with 5
[172:root:5]rmt_logincheck.c:250 user[LOCALUSER],auth_type=0 failed [sslvpn_login_unknown_user]
ssl_scache_remove:unusably short session_id provided (0 bytes)
[172:root:5]req: /remote/login?&err=sslvpn_login_permission_denied&lang=en
[172:root:5]rmt_authutil.c:418 no session id in auth info
[172:root:5]rmt_authutil.c:701 invalid cache, ret=4103
[172:root:5]rmt_websession.c:146 locked: i=0,host=192.168.101.187
[172:root:5]req: /sslvpn/css/ssl_style.css
[172:root:5]mza: 0x1df2070 /sslvpn/css/ssl_style.css
[173:root:5]allocSSLConn:245 sconn 0x2a9905dc00 (0:root)

##### LDAPUSER (FortiClient) #####
[172:root:6]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
[172:root:6]req: /remote/info
[172:root:6]def: (nil) /remote/info
[172:root:6]req: /remote/login
[172:root:6]rmt_authutil.c:418 no session id in auth info
[172:root:6]rmt_authutil.c:701 invalid cache, ret=4103
[172:root:6]req: /remote/logincheck
[172:root:6]rmt_authutil.c:418 no session id in auth info
[172:root:6]rmt_authutil.c:639 access failed, uri=[/remote/logincheck],ret=4103,
[172:root:6]rmt_logincheck_cb_handler:839 user 'LDAPUSER' has a matched local entry.
[172:root:6]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy.
[172:root:6]sslvpn_auth_check_usrgroup:1740 got user (3) group (0:0).
[172:root:6]sslvpn_validate_user_group_list:1384 validating with SSL VPN authentication rules (1), realm ().
[172:root:6]sslvpn_validate_user_group_list:1432 checking rule 1 cipher.
[172:root:6]sslvpn_validate_user_group_list:1440 checking rule 1 realm.
[172:root:6]sslvpn_validate_user_group_list:1451 checking rule 1 source intf.
[172:root:6]sslvpn_validate_user_group_list:1487 checking rule 1 vd source intf.
[172:root:6]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (0:0).
[172:root:6]sslvpn_validate_user_group_list:1638 got user (3), group (0:0).
[172:root:6]two factor check for LDAPUSER: off
[172:root:6]sslvpn_authenticate_user:168 authenticate user: [LDAPUSER]
[172:root:6]sslvpn_authenticate_user:175 create fam state
[172:root:6]fam_auth_send_req:514 with server blacklist:
[172:root:6]fam_auth_send_req:592 clear local user flag and do authentication again.
[172:root:6]fam_auth_send_req:514 with server blacklist:
[172:root:6]fam_auth_send_req:601 task finished with 5
[172:root:6]rmt_logincheck.c:250 user[LDAPUSER],auth_type=0 failed [sslvpn_login_unknown_user]
[172:root:0]rmt_websession.c:77 status=1;host=192.168.101.212;fails=1;logintime=1503395821
[172:root:6]rmt_authutil.c:418 no session id in auth info
[172:root:6]rmt_authutil.c:701 invalid cache, ret=4103
[172:root:6]req: /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
[172:root:6]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t



#1

2 Replies Related Threads

    Guillaume_NM
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/07/11 06:56:25
    • Status: offline
    Re: Fortigate 100D / 5.2.7 / VPNSSL stop working / user(s) unknown 2018/07/11 06:58:27 (permalink)
    0
    I'm having the same issue, and ending with the same logging messages. Did you ever got this issue resolve? I'm also thinking about a bug. It is not a consistant behavior.
     
    Regards,
    #2
    aseques
    Silver Member
    • Total Posts : 70
    • Scores: 2
    • Reward points: 0
    • Joined: 2014/09/15 02:22:12
    • Status: offline
    Re: Fortigate 100D / 5.2.7 / VPNSSL stop working / user(s) unknown 2018/08/21 00:01:03 (permalink)
    0
    If you are still interested in this, I found out a solution, basically the problem was that the user had a pending password change, it seems the the account was partially locked.
    When resetting the AD password I unmarked the "force changing password on next login" and the sslvpn started working right away.
    Othere reasons for the -12 error might be wrong password or inexistant account (but you already checked on those)
    #3
    Jump to:
    © 2018 APG vNext Commercial Version 5.5