Jonathan_Body_FTNT
Article Id 193770

Description

This article describes troubleshooting steps for when the SSL alert log message 'bad record mac' appears on the FortiGate.


Scope

All FortiOS users.


Solution

The following log entry may be seen when an SSL VPN dialer (client) fails to connect:
Log Number 27
Last Activity 2011-02-01 09:00:41
VDom VD-CJG
Level error
Subtype sslvpn-session
Timestamp 2011-02-01 09:00:14
Log ID 39944
Device ID FG3K8A3408600328
Cluster ID FG3K8A3408600069_CID
Tunnel Type ssl
Tunnel Action
Remote IP 1.1.1.1
Tunnel IP 0.0.0.0
Alert fatal
Description bad record mac
Troubleshoot this issue as follows:

1. Open an SSH session to the FortiGate and collect the following debug output from the CLI:
diagnose debug console timestamp enable
diag debug app sslvpn -1
diag debug enable

The sslvpn debug output may show the following error messages:
2022-06-21 13:26:20 [30569:root:7]SSL state:fatal bad record mac (81.43.106.186)
2022-06-21 13:26:20 [30569:root:0]ap_read,109, error=1, errno=0 ssl 0x34060000 Success. error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac

2. Open a second SSH session to the FortiGate and collect a packet capture from the CLI (replace <SSL vpn port> with the configured SSL VPN listening port):
diag sniffer packet any 'port <SSL vpn port>' 6 0 a

3. To check whether the error is linked to the CP6 chip (the CP performs the SSL cryptographic computation when hardware acceleration is enabled), first display the current acceleration status, then disable hardware acceleration from the CLI and test the connection again:

diagnose vpn ssl hw-acceleration-status

config system global
    set sslvpn-cipher-hardware-acceleration disable
    set sslvpn-kxp-hardware-acceleration disable
end
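When many clients connect at once, the step 1 debug output becomes long; the following added Python example (not part of this article or of FortiOS) parses the 'SSL state' and OpenSSL error lines in the format shown above, pairs each fatal alert with the OpenSSL reason on the next line, and counts repeated 'bad record mac' alerts per remote IP. The sample output it runs on is constructed with documentation IP addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Line formats follow the 'diag debug app sslvpn -1' output quoted in the article:
#   <ts> [pid:vdom:level]SSL state:fatal bad record mac (<remote ip>)
#   <ts> [pid:vdom:level]ap_read,... error:1408F119:SSL routines:ssl3_get_record:<reason>
STATE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+):(?P<vdom>[^:\]]+):\d+\]'
    r'SSL state:(?P<state>.*?) \((?P<ip>[0-9A-Fa-f.:]+)\)\s*$')
OSSL_RE = re.compile(r'error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:(?P<func>[^:]+):(?P<reason>.+?)\s*$')

def parse_sslvpn_debug(text):
    """One dict per fatal 'SSL state' line, joined with the OpenSSL error
    (code, function, reason) from the ap_read line that follows it, if any."""
    events, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = STATE_RE.match(line)
        if not m or not m['state'].startswith('fatal'):
            continue
        ev = {'time': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'),
              'vdom': m['vdom'], 'remote_ip': m['ip'],
              'alert': m['state'][len('fatal'):].strip(), 'openssl_error': None}
        o = OSSL_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        if o:
            ev['openssl_error'] = (o['code'], o['func'], o['reason'])
        events.append(ev)
    return events

def bad_record_mac_by_peer(events, threshold=2):
    """Remote IPs with at least `threshold` 'bad record mac' alerts, so one
    client failing repeatedly stands out from one-off noise."""
    counts = Counter(e['remote_ip'] for e in events if e['alert'] == 'bad record mac')
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample debug output (documentation IPs, not from a real device).
SAMPLE = """\
2022-06-21 13:26:20 [30569:root:7]SSL state:fatal bad record mac (192.0.2.10)
2022-06-21 13:26:20 [30569:root:0]ap_read,109, error=1, errno=0 ssl 0x34060000 Success. error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
2022-06-21 13:26:25 [30569:root:7]SSL state:SSLv3/TLS read client hello (198.51.100.7)
2022-06-21 13:26:31 [30569:root:7]SSL state:fatal bad record mac (192.0.2.10)
2022-06-21 13:26:31 [30569:root:0]ap_read,109, error=1, errno=0 ssl 0x34060000 Success. error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
2022-06-21 13:27:02 [30569:root:7]SSL state:fatal handshake failure (198.51.100.7)
"""

if __name__ == '__main__':
    for e in parse_sslvpn_debug(SAMPLE):
        print(e['time'], e['vdom'], e['remote_ip'], e['alert'], e['openssl_error'])
    print('repeated bad record mac:', bad_record_mac_by_peer(parse_sslvpn_debug(SAMPLE)))
```

Feed it the saved output of the step 1 debug session; a single peer that keeps hitting 'bad record mac' points at that client (or the path to it), while alerts spread across every peer are more consistent with the CP offload check in step 3.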