js2 (Staff)
Article Id 193817
Description
This article describes a scenario where an SSL VPN MAC-based host check was configured.

Even though the MAC address was allowed in the rule, the VPN connection gets stuck at 80%.

Solution
Error obtained:
Unable to establish the VPN Connection. The VPN Server maybe Unavailable (-14)
Debug observed:
[229:root:38a]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[229:root:38a]req: /remote/logincheck
[229:root:38a]rmt_web_auth_info_parser_common:470 no session id in auth info
[229:root:38a]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]rmt_logincheck_cb_handler:1189 user 'test' has a matched local entry.
[229:root:38a]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[229:root:38a]sslvpn_authenticate_user:191 authenticate user: [test]
[229:root:38a]sslvpn_authenticate_user:198 create fam state
local auth is done with user 'test', ret=0
[229:root:38a]fam_auth_send_req_internal:461 fnbam_auth return: 0
[229:root:38a]fam_auth_send_req_internal:470 authentication OK
[229:root:38a]fam_do_cb:654 fnbamd return auth success.
[229:root:38a]SSL VPN login matched rule (1).
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]rmt_web_session_create:781 create web session, idx[3]
[229:root:38a]login_succeeded:523 redirect to hostcheck      >>> redirection to host check happens and session is getting disconnected
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]deconstruct_session_id:426 decode session id ok, user=[test],group=[Developers],authserver=[],portal=[full-access],host=[117.194.164.191],realm=[],idx=3,auth=1,sid=192c3652,login=1617175942,access=1617175942,saml_logout_url=no
[230:root:389]sslvpn_read_request_common,648, ret=-1 error=-1, sconn=0x33a6d280.
[230:root:389]Destroy sconn 0x33a6d280, connSize=2. (root)
Solution:

After downgrading to FortiClient version 6.0, the VPN connected successfully.
The root cause was a FortiClient licensing issue.

SSL VPN MAC host check configuration does not work as expected with the following FortiClients:

1) The free version of FortiClient 6.2 (Windows, macOS, Linux) does not support any type of host check.
Use a lower version as a workaround.

2) Mobile FortiClients (all versions of Android and iOS).
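As an added example (not part of the original article or of any Fortinet tooling), a short Python triage script that reads the sslvpn debug excerpt quoted above and reports whether it shows this article's signature: authentication and rule match succeed, the client is redirected to the host check, and the connection is then torn down with a read error instead of completing the check. The embedded log lines are a constructed sample taken from the excerpt; the stage names and the `matches_article_pattern` verdict are this example's own.

```python
import re

# Constructed sample: the sslvpn debug excerpt quoted in this article (abbreviated).
SAMPLE_DEBUG = """\
[229:root:38a]req: /remote/logincheck
[229:root:38a]sslvpn_authenticate_user:191 authenticate user: [test]
[229:root:38a]fam_auth_send_req_internal:470 authentication OK
[229:root:38a]SSL VPN login matched rule (1).
[229:root:38a]login_succeeded:523 redirect to hostcheck
[230:root:389]sslvpn_read_request_common,648, ret=-1 error=-1, sconn=0x33a6d280.
[230:root:389]Destroy sconn 0x33a6d280, connSize=2. (root)
"""

# Prefix carried by every daemon debug line: [pid:vdom:connection-id]message
LINE_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")

# (result key, regex over the message part, capture group or None for a boolean flag)
STAGES = [
    ("user", re.compile(r"authenticate user: \[([^\]]+)\]"), 1),
    ("auth_ok", re.compile(r"authentication OK"), None),
    ("rule", re.compile(r"login matched rule \((\d+)\)"), 1),
    ("redirect_to_hostcheck", re.compile(r"login_succeeded:\d+ redirect to hostcheck"), None),
    ("read_error", re.compile(r"sslvpn_read_request_common,\d+, ret=-1"), None),
    ("sconn_destroyed", re.compile(r"Destroy sconn 0x[0-9a-f]+"), None),
]

def triage_hostcheck(debug_text):
    """Walk one login attempt from 'diagnose debug application sslvpn -1' output
    and record which stages were reached. Returns a dict keyed by STAGES names."""
    result = {key: (None if grp else False) for key, _, grp in STAGES}
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a daemon debug line (e.g. 'local auth is done ...')
        msg = m.group(4)
        for key, pattern, grp in STAGES:
            hit = pattern.search(msg)
            if hit:
                result[key] = hit.group(grp) if grp else True
    return result

def matches_article_pattern(result):
    """True for the failure signature this article describes: auth and rule match
    succeeded, the client was sent to the host check, and the connection was then
    closed with a read error. Per the article, that points at the client build/licence."""
    return (result["auth_ok"] and result["rule"] is not None
            and result["redirect_to_hostcheck"] and result["read_error"]
            and result["sconn_destroyed"])

if __name__ == "__main__":
    print(matches_article_pattern(triage_hostcheck(SAMPLE_DEBUG)))
```

When the verdict is true, check the FortiClient edition and version on the endpoint before changing the MAC host-check rule, since the rule itself matched here.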

Related Articles

Technical Tip: SSL VPN MAC host check does not work
