- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 100D / 5.2.7 / VPNSSL stop working / use...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 100D / 5.2.7 / VPNSSL stop working / user(s) unknown
Hello, We are currently running a Forti 100D under 5.2.7 firmware. VPN SSL was correctly working with LDAP users and 2nd factor authentication (FortiToken). Users are in an Active Directory OU (not in "Users" directly) and it is a Forti Group which is used to regroup users firewall side (not an Active Directory Group ; and, of course, not a group of groups that doesn't work) It stops working "suddenly" but configuration is the same and the LDAP test is still successful (with "sAMAccountName" field, etc.). Furthermore, reboot does nothing. I created a local account to test and avoid potential LDAP problem but I still receive : "Permission denied 455" or "Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12)." Recreate group, portal, etc. does nothing and I didn't see objects named like users like other threads : - https://community.spicewo...ssl_login_unknown_user - https://www.reddit.com/r/...ers_permission_denied/ - https://www.reddit.com/r/...p_authenticating_user/ SSL VPN service is not in conserve mode. Please find below two logs : one with LOCALUSER and one with LDAPUSER. The auth_type is the same (not normal ?) and the LDAP user is not supposed to be with 2nd factors (but it is written "off") I have no more idea ; Hope you will. It seems to be a bug (cf. other threads) but changelog between 5.2.7 and 5.2.11 show nothing significant concerning this case. Kind regards, Nicolas ##### LOCALUSER (portal) ##### [172:root:5]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 [172:root:5]req: /remote/logincheck [172:root:5]rmt_authutil.c:418 no session id in auth info [172:root:5]rmt_authutil.c:639 access failed, uri=[/remote/logincheck],ret=4103, [172:root:5]rmt_logincheck_cb_handler:839 user 'LOCALUSER' has a matched local entry. [172:root:5]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy. [172:root:5]sslvpn_auth_check_usrgroup:1740 got user (3) group (0:0). [172:root:5]sslvpn_validate_user_group_list:1384 validating with SSL VPN authentication rules (1), realm (). [172:root:5]sslvpn_validate_user_group_list:1432 checking rule 1 cipher. [172:root:5]sslvpn_validate_user_group_list:1440 checking rule 1 realm. [172:root:5]sslvpn_validate_user_group_list:1451 checking rule 1 source intf. [172:root:5]sslvpn_validate_user_group_list:1487 checking rule 1 vd source intf. [172:root:5]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (0:0). [172:root:5]sslvpn_validate_user_group_list:1638 got user (3), group (0:0). [172:root:5]two factor check for LOCALUSER: off [172:root:5]sslvpn_authenticate_user:168 authenticate user: [LOCALUSER] [172:root:5]sslvpn_authenticate_user:175 create fam state [172:root:5]fam_auth_send_req:514 with server blacklist: [172:root:5]fam_auth_send_req:592 clear local user flag and do authentication again. [172:root:5]fam_auth_send_req:514 with server blacklist: [172:root:5]fam_auth_send_req:601 task finished with 5 [172:root:5]rmt_logincheck.c:250 user[LOCALUSER],auth_type=0 failed [sslvpn_login_unknown_user] ssl_scache_remove:unusably short session_id provided (0 bytes) [172:root:5]req: /remote/login?&err=sslvpn_login_permission_denied&lang=en [172:root:5]rmt_authutil.c:418 no session id in auth info [172:root:5]rmt_authutil.c:701 invalid cache, ret=4103 [172:root:5]rmt_websession.c:146 locked: i=0,host=192.168.101.187 [172:root:5]req: /sslvpn/css/ssl_style.css [172:root:5]mza: 0x1df2070 /sslvpn/css/ssl_style.css [173:root:5]allocSSLConn:245 sconn 0x2a9905dc00 (0:root) ##### LDAPUSER (FortiClient) ##### [172:root:6]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384 [172:root:6]req: /remote/info [172:root:6]def: (nil) /remote/info [172:root:6]req: /remote/login [172:root:6]rmt_authutil.c:418 no session id in auth info [172:root:6]rmt_authutil.c:701 invalid cache, ret=4103 [172:root:6]req: /remote/logincheck [172:root:6]rmt_authutil.c:418 no session id in auth info [172:root:6]rmt_authutil.c:639 access failed, uri=[/remote/logincheck],ret=4103, [172:root:6]rmt_logincheck_cb_handler:839 user 'LDAPUSER' has a matched local entry. [172:root:6]sslvpn_auth_check_usrgroup:1702 forming user/group list from policy. [172:root:6]sslvpn_auth_check_usrgroup:1740 got user (3) group (0:0). [172:root:6]sslvpn_validate_user_group_list:1384 validating with SSL VPN authentication rules (1), realm (). [172:root:6]sslvpn_validate_user_group_list:1432 checking rule 1 cipher. [172:root:6]sslvpn_validate_user_group_list:1440 checking rule 1 realm. [172:root:6]sslvpn_validate_user_group_list:1451 checking rule 1 source intf. [172:root:6]sslvpn_validate_user_group_list:1487 checking rule 1 vd source intf. [172:root:6]sslvpn_validate_user_group_list:1552 rule 1 done, got user (0) group (0:0). [172:root:6]sslvpn_validate_user_group_list:1638 got user (3), group (0:0). [172:root:6]two factor check for LDAPUSER: off [172:root:6]sslvpn_authenticate_user:168 authenticate user: [LDAPUSER] [172:root:6]sslvpn_authenticate_user:175 create fam state [172:root:6]fam_auth_send_req:514 with server blacklist: [172:root:6]fam_auth_send_req:592 clear local user flag and do authentication again. [172:root:6]fam_auth_send_req:514 with server blacklist: [172:root:6]fam_auth_send_req:601 task finished with 5 [172:root:6]rmt_logincheck.c:250 user[LDAPUSER],auth_type=0 failed [sslvpn_login_unknown_user] [172:root:0]rmt_websession.c:77 status=1;host=192.168.101.212;fails=1;logintime=1503395821 [172:root:6]rmt_authutil.c:418 no session id in auth info [172:root:6]rmt_authutil.c:701 invalid cache, ret=4103 [172:root:6]req: /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t [172:root:6]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having the same issue, and ending with the same logging messages. Did you ever got this issue resolve? I'm also thinking about a bug. It is not a consistant behavior.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are still interested in this, I found out a solution, basically the problem was that the user had a pending password change, it seems the the account was partially locked.
When resetting the AD password I unmarked the "force changing password on next login" and the sslvpn started working right away.
Othere reasons for the -12 error might be wrong password or inexistant account (but you already checked on those)
Related Posts
- Hub-Spoke With Redundant Tunnels 75 Views
- Public Key login not working on... 96 Views
- Policy based routing to IPsec tunnel 142 Views
- FortiClient 7.2 - will not connect... 537 Views
- How to Migrate VLANs to Virtual... 256 Views
Labels
-
FortiGate
6,458 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.