SSL VPN Web Portal Access Issue

Chet - 2017/11/24 09:04:35 - 5.4

New to Fortinet. Trying to get our new FortiGate 60E (5.4.6) set up and tested before putting it into production. Everything seems to be working except for web-based SSL VPN access to an internal web server. I can get to it if I connect with the FortiClient.
 
- When trying to connect to the FortiGate admin console I get "Secure Connection Failed". (Not sure if you can connect to the admin console that is providing the VPN.)
- When trying to connect to the admin console of a wifi access point, I never get a response; it waits forever. Partial debug logs below:
[15718:root:0]ap_write,203, error=Broken pipe.
[15718:root:17f]Destroy sconn 0x546d9300, connSize=1. (root)
[15718:root:181]SSL state:warning close notify (192.168.99.108)
[15718:root:181]sslConnGotoNextState:299 error (last state: 1, closeOp: 0)
[15718:root:181]Destroy sconn 0x546d9c00, connSize=0. (root)
[15719:root:181]allocSSLConn:276 sconn 0x54647c00 (0:root)
[15719:root:181]SSL state:before/accept initialization (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client hello A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write server hello A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write certificate A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write key exchange A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write server done A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 flush data (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client certificate A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client key exchange A:system lib(192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client key exchange A:system lib(192.168.99.108)
[15719:root:181]SSL state:SSLv3 read client key exchange A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read certificate verify A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 read finished A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write session ticket A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write change cipher spec A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 write finished A (192.168.99.108)
[15719:root:181]SSL state:SSLv3 flush data (192.168.99.108)
[15719:root:181]SSL state:SSL negotiation finished successfully (192.168.99.108)
[15719:root:181]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[15719:root:181]req: /remote/portal?action=2
[15719:root:181]deconstruct_session_id:363 decode session id ok, user=[chet],group=[SSL-VPN-users],portal=[full-access],host=[192.168.99.108],realm=[],idx=0,auth=1,sid=6b6a71f5, login=1511541944, access=1511541944
[15719:root:181]deconstruct_session_id:363 decode session id ok, user=[chet],group=[SSL-VPN-users],portal=[full-access],host=[192.168.99.108],realm=[],idx=0,auth=1,sid=6b6a71f5, login=1511541944, access=1511541944
Any troubleshooting help would be appreciated.
#1
Chet - 2017/12/01 21:35:28
The issue seems to be with the tests I was trying to run.  After setting up a different test server, it appears to be working as expected.
#2
DirkDuesentrieb - 2017/12/15 01:28:27
This looks like an issue I have. If you have some minutes for troubleshooting, please do this:
Create a packet dump, open it in Wireshark and check if you see this:
  • Client Hello
    Nothing interesting here
  • Server Hello
    Please check the Cipher Suite in this response, e.g. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • Server Hello Done
    Nothing interesting here
  • Client Key Exchange
    Nothing interesting here
  • Fatal Error
    I can see "Bad Record MAC" here
In your debug you have "SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384". If this doesn't match the cipher in the Server Hello, you hit the same issue - the crypto of the Fortigate is broken!
 
To create pcaps on the 60E you can use this.
 
Cheers,
Dirk 
#3
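The check Dirk describes, as an added example (not code from the post or from Fortinet): a small parser that pulls the ServerHello cipher suite and any fatal alert out of raw TLS record bytes, maps the OpenSSL-style cipher name in the "SSL established:" debug line to its IANA name, and reports whether the two disagree. The name tables cover only the two suites named in this thread, and the sample records are constructed rather than taken from a real capture.

```python
import re
import struct
# IANA suite codes, and the OpenSSL-style names FortiGate prints in "diag debug app sslvpn -1".
CIPHER_NAMES = {0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
OPENSSL_TO_IANA = {"DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                   "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
ALERTS = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure"}
HANDSHAKE, ALERT, SERVER_HELLO, FATAL = 22, 21, 2, 2

def tls_records(data):  # yield (content_type, payload) for each complete TLS record
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than misparse
        yield ctype, body
        off += 5 + length
def server_hello_cipher(body):  # suite code from a ServerHello message, else None
    if len(body) < 4 or body[0] != SERVER_HELLO:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 37:  # version(2) + random(32) + session_id_len(1) + cipher(2)
        return None
    pos = 35 + hs[34]  # skip the variable-length session id
    return struct.unpack("!H", hs[pos:pos + 2])[0] if len(hs) >= pos + 2 else None
def analyse_capture(data):
    """What the checklist above looks for: the ServerHello cipher and any fatal alert."""
    found = {"cipher": None, "fatal_alert": None}
    for ctype, body in tls_records(data):
        if ctype == HANDSHAKE and found["cipher"] is None:
            code = server_hello_cipher(body)
            if code is not None:
                found["cipher"] = CIPHER_NAMES.get(code, "0x%04X" % code)
        elif ctype == ALERT and len(body) >= 2 and body[0] == FATAL:
            found["fatal_alert"] = ALERTS.get(body[1], str(body[1]))
    return found
def debug_log_cipher(log_text):
    """Cipher from an 'SSL established:' line of the sslvpn debug, mapped to its IANA name."""
    m = re.search(r"SSL established: TLSv[\d.]+ (\S+)", log_text)
    return OPENSSL_TO_IANA.get(m.group(1), m.group(1)) if m else None
def ciphers_disagree(capture_bytes, log_text):  # the comparison the post describes
    return analyse_capture(capture_bytes)["cipher"] != debug_log_cipher(log_text)
def build_server_hello(cipher):  # constructed test record, not a real capture
    hs = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body

# Constructed sample: ServerHello choosing 0x0039, then a fatal bad_record_mac (20) alert.
SAMPLE_STREAM = build_server_hello(0x0039) + struct.pack("!BHH", ALERT, 0x0303, 2) + bytes([FATAL, 20])
SAMPLE_DEBUG = "[15719:root:181]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384"
```

Feed analyse_capture the reassembled TCP payload of the server side of the backend connection (not the client-to-FortiGate leg); on the sample it reports the DHE-RSA suite plus the fatal alert, which disagrees with the ECDHE-RSA suite in the debug line.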
emnoc - 2017/12/15 07:50:31
Is your problem webportal access or tunnel-mode FortiClient?
or
is it the unit "admin access"?
 
You need to bind the management to a different port number,
 
e.g.
 
https://x.x.x.x:8443
https://x.x.x.x:444
 
config system global
    set admin-sport 8443
end
 
Make sure the port is NOT in use by another process.
 
So your diag debug app sslvpn -1 while accessing the VPN or tunnel shows you authenticate, so I wouldn't worry about the SSLVPN.
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#4
pat.wei - 2018/01/12 07:01:40
I ran into this issue with a 61E and 5.4.7: any internal https page with SSL-VPN Web mode fails.
 
Capture shows TLS alert bad record MAC.
 
All http pages work, ping works etc. from Quick Connect. But no https.
 
 
#5
pat.wei - 2018/01/12 07:07:18
Hi Dirk,
 
Thanks for the explanation, I hope not that the crypto is broken ;))
 
Actually, when I do diag debug application sslvpn -1, I do not see the SSL messages related to the backend connection, only the connection from the client to the FortiGate, so I don't know how you could conclude from that data that it is broken? The client to the FortiGate and the FortiGate to the internal page must not use the same TLS ciphersuite, but I don't know how I could troubleshoot. I have a ticket with Fortinet, but it takes time for them to build my environment and test.
 
 
PS: I did use your tool, but when I copy-paste the full output it only has 1 packet in the pcap.
 
Still using fgt2eth.exe (the one that works; many seem not to work):
 
#6
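Dirk's pcap hint and pat.wei's one-packet conversion problem both come down to turning the FortiGate sniffer's text output into a pcap. As an added example (not fgt2eth.exe and not Fortinet's code), here is a converter that assumes the verbose-3 sniffer layout (a header line "secs.usecs interface in|out src -> dst: ..." followed by "0xNNNN" hex-dump lines with a trailing ASCII column) and starts a new packet at every header line; the sample output is constructed, not a real capture.

```python
import re
import struct
# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, link type 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Assumed layout: "<secs.usecs> <intf> in|out <src> -> <dst>: ..." then "0xNNNN <hex words> <ascii>"
HEADER_RE = re.compile(r"^(\d+\.\d+)\s+\S+\s+(?:in|out)\s+.*->")
HEX_WORD_RE = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

def hex_words(line):
    """Hex bytes of one dump line, stopping at the ASCII column; None if not a dump line."""
    toks = line.split()
    if len(toks) < 2 or not re.fullmatch(r"0x[0-9a-fA-F]{4}", toks[0]):
        return None
    words = []
    for t in toks[1:]:
        if not HEX_WORD_RE.fullmatch(t):
            break  # first token that is not a 2- or 4-digit hex word begins the ASCII column
        words.append(t)
    return "".join(words)
def parse_sniffer(text):
    """Return [(timestamp, frame_bytes), ...]; every header line starts a new packet."""
    packets, ts, chunks = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if ts is not None and chunks:
                packets.append((ts, bytes.fromhex("".join(chunks))))
            ts, chunks = float(m.group(1)), []
            continue
        hw = hex_words(line)
        if hw and ts is not None:
            chunks.append(hw)
    if ts is not None and chunks:
        packets.append((ts, bytes.fromhex("".join(chunks))))
    return packets
def to_pcap(packets):
    """Serialise parsed packets as a classic little-endian pcap file (bytes)."""
    out = bytearray(PCAP_GLOBAL)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

# Constructed sample (not a real capture): two frames, the second ending in a short dump line.
SAMPLE_SNIFFER = """interfaces=[any]
filters=[host 192.168.99.108]
2.104934 wan1 in 192.168.99.108.51234 -> 192.168.99.1.443: syn 12345
0x0000\t 0050 5684 1234 0050 5684 5678 0800 4500\t.PV..4.PV.Vx..E.
0x0010\t 003c 0001 4000 4006 0000 c0a8 636c c0a8\t.<..@.@.....cl..
2.105001 wan1 out 192.168.99.1.443 -> 192.168.99.108.51234: syn 67890 ack 12346
0x0000\t 0050 5684 5678 0050 5684 1234 0800 4500\t.PV.Vx.PV..4..E.
0x0010\t 003c 0002 4000 40\t.<..@.@
"""
```

Write to_pcap(parse_sniffer(text)) to a file and open it in Wireshark; if only one packet appears, check that every header line in the pasted output survived the copy, since the parser only starts a packet where it sees one.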
DirkDuesentrieb - 2018/01/15 04:29:00
Another "E-Model" - that's interesting. Maybe it is an issue in the NP6lite, D-Models seem to work. Is it possible to disable the crypto acceleration? No standard npu commands seem to work.
 
Dirk
#7