TheUsD
New Contributor III

VM SSL Issue

I am using the FortiGate VM, 6.4.2 evaluation for practice (SSL-VPN is said to be supported with the evaluation license), but the FortiGate is not accepting its own generic cert. I am getting the following errors and am not sure why. Note: "xxx.xxx.xxx" is the remote public IP address of the device that is using the FortiClient VPN that is attempting to SSL-VPN in.

I have attempted the following:

1) Override the MTU to 1500 (there were posts saying that even though the default is 1500, they had to do this).
2) Set ssl-max-proto-ver tls1-0, -1, -2 and -3.
3) I have read of people changing the algorithm to medium, but those were running earlier versions, using the following command:

conf ssl settings
set algorithm medium

[9165:root:c6]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
[9165:root:c6]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c6]SSL state:before SSL initialization:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c6]SSL_accept failed, 5:(null)
[9165:root:c6]Destroy sconn 0x7ffa57e17a00, connSize=0. (root)
[9165:root:c7]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
[9165:root:c7]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c7]client cert requirement: no
[9165:root:c7]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write key exchange (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:system lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL_accept failed, 5:(null)
[9165:root:c7]Destroy sconn 0x7ffa57e17a00, connSize=0. (root)

Thanks in advance!

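An added example, not from the thread or from Fortinet: a small parser that groups the SSL debug lines quoted above by connection id and reports where each handshake stopped and which OpenSSL component was named on the failing line (here, that c7 got as far as "write server done" and failed in "DH lib", after the certificate had already been sent). The sample text is the poster's lines, re-typed as a constructed string; the function and field names are my own.

```python
import re

# Constructed sample: the debug lines quoted in the post, one per line
# (the poster masked the client address as xxx.xxx.xxx.xxx).
SAMPLE_DEBUG = """\
[9165:root:c6]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c6]SSL state:before SSL initialization:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c6]SSL_accept failed, 5:(null)
[9165:root:c7]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c7]client cert requirement: no
[9165:root:c7]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write key exchange (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:system lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL_accept failed, 5:(null)
"""

# Every line starts with "[pid:vdom:connid]" followed by the message.
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>[^\]]+)\](?P<msg>.*)$")
# State lines look like "SSL state:<state>[:<component> lib](<peer>)".
STATE_RE = re.compile(r"^SSL state:(?P<state>.*?)(?::(?P<lib>[A-Za-z ]+ lib))?\((?P<peer>[^)]*)\)$")


def summarize_handshakes(debug_text):
    """Per connection id: peer, last handshake state seen, OpenSSL component named
    on the failing line, client-cert requirement, and the SSL_accept error text."""
    conns = {}  # insertion-ordered, so connections stay in log order
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug line (blank, prompt, etc.)
        rec = conns.setdefault(m["conn"], dict(peer=None, last_state=None, lib=None, client_cert=None, error=None))
        msg = m["msg"]
        state = STATE_RE.match(msg)
        if state:
            rec["peer"] = state["peer"]
            rec["last_state"] = state["state"].strip()
            if state["lib"]:
                rec["lib"] = state["lib"]  # e.g. "DH lib" or "system lib"
        elif msg.startswith("SSL_accept failed"):
            rec["error"] = msg.split(",", 1)[1].strip()  # e.g. "5:(null)"
        elif msg.startswith("client cert requirement:"):
            rec["client_cert"] = msg.split(":", 1)[1].strip()
    return conns


def failure_summary(conns):
    """One human-readable line per connection whose SSL_accept failed."""
    return [f"{cid}: failed at '{r['last_state']}' ({r['lib'] or 'no lib reported'}), error {r['error']}"
            for cid, r in conns.items() if r["error"] is not None]
```

Running `failure_summary(summarize_handshakes(SAMPLE_DEBUG))` shows that c6 never got past initialization while c7 failed only after the server had sent its certificate and key exchange.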
boneyard
Valued Contributor

In general, SSL is almost not, or even not at all, supported on the 14-day evaluation license.

 

When I spin one up I, against best practice, just enable HTTP for management. Trying to get HTTPS working is near impossible; if it works at all, it uses a silly low setting which no browser will accept.

 

SSLVPN requires HTTPS, so it might be there config-wise, but I expect you won't get it to work if you can't switch to HTTP instead, which seems not possible.

TheUsD
New Contributor III

Boneyard, while I agree with you that the HTTPS management is not included, documentation from FG does not mention anything about the SSL-VPN. The expectations were laid out pretty clearly in their documentation located on their site: "

The FortiGate-VM includes a limited, 15-day evaluation license that supports:

- 1 CPU maximum
- 1024 MB memory maximum
- Low encryption only (no HTTPS administrative access)      <---- This is just GUI administrative access. I am not using the portal but instead using FortiClient
- Security protection:
  - With the built-in signatures that the evaluation license includes, you can use the following features:
    - IPS
    - AntiVirus
    - Industrial DB
  - The following features do not have built-in signatures:
    - Security rating
    - Antispam
    - Web Filter
  - Features related to FortiGuard access are not available. Go to System > FortiGuard in FortiOS for details.
- VDOM:
  - You can enable split-task VDOM in the CLI.
  - You cannot enable multi-VDOM.

Note the following:

- Attempting to upgrade the FortiGate firmware locks the GUI until you upload a full license.
- The evaluation license does not include technical support.
- The trial period begins the first time that you start the FortiGate-VM.
- After the trial license expires, functionality is disabled until you upload a full license file.
- Features available in the evaluation state may change without prior notice."

 

I'm trying not to rule out the SSL-VPN as not usable until there's some definitive proof. :)

boneyard
Valued Contributor

If you want a definitive answer, then Fortinet support is the way to go. You were able to download this, so you have access to support, right?

 

For reference, that document: https://docs.fortinet.com...-vm-evaluation-license

 

doesn't state that there is a maximum amount of firewall policies within the 15-day evaluation, and there certainly is. 100% clear and complete documentation is rare.

TheUsD
New Contributor III

Yes, I have access to support but, funny (or sadly) enough, when I inquired about this issue with them, they first said it could possibly be a TLS and SSL issue (well, duh). Then when I asked them to be more specific, they said "We cannot create a ticket on this eval license and I will need to reach out to my Fortinet Business partner..." Let's (FortiGate Support) not take into consideration that my company currently has 9 FortiGates that consist of a mixture of 101Fs and 601Es along with about 20+ 548D-FPOEs, lol. Naaa, screw my VM, lol, no support for you! (me) They couldn't even answer whether the SSL-VPN is supported or not.
