FortiGate
carabhavi
Staff
Article Id 190372
Description
This article explains how to identify SSL VPN host check errors and fix them using CLI-only steps.

Solution
Several errors or messages can appear while connecting to the VPN, sometimes including the ones below:

1) 'Unable to logon to the server.'
2) 'Your username or password may not be configured properly for this connection.'
3) 'Host check failed.'

In some cases the correct user credentials are used, but the alert asking to check the user details is still shown.

Run the following debug to find the exact issue:

# diagnose debug disable
# diagnose debug reset
# diagnose debug application sslvpn -1
# diagnose debug enable

Refer to the debug output below:
[8542:root:16]Auth successful for user chetan                                         <----- Authentication was successful
[8542:root:16]fam_do_cb:548 fnbamd return auth success.
[8542:root:16]SSL VPN login matched rule (1).
[8542:root:16]rmt_web_session_create:709 create web session, idx[0]
[8542:root:16]login_succeeded:452 redirect to hostcheck                       <----- Notice the host check process was initiated.
Verify the existing configuration with the commands below:
# config vpn ssl web portal
# edit full-access                  <----- Select respective portals.
# show full | grep host-check

Output example:
# show full | grep host-check
     set host-check av
     set host-check-interval 0
The above output shows that host check is enabled for AV.
Install AV on the client to fix this issue; otherwise, host check can be disabled with the commands below (CLI only), in which case the portal no longer checks connecting clients for AV.
# config vpn ssl web portal
# edit full-access                  <----- Select respective portals.
# set host-check none
# end
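
The triage described above (authentication succeeds, then the session is redirected to host check) can be run over a saved debug capture. This is an added Python example, not part of the original article or any Fortinet tooling; reading the bracketed prefix as process:VDOM:connection is an assumption, and the connection-17 line in the sample is constructed.

```python
import re

# Prefix as seen in the article's debug output, e.g. [8542:root:16].
# Assumption: the fields are process id, VDOM and a per-connection index.
PREFIX = re.compile(r"^\[\d+:([^:\]]+):([^\]]+)\](.*)$")

def triage(debug_text):
    """Group sslvpn debug lines per connection and classify each login attempt."""
    sessions = {}
    for raw in debug_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # skip CLI echoes and blank lines
        vdom, idx, msg = m.groups()
        # Drop article-style "<-----" annotations if they were pasted along.
        msg = msg.split("<-----")[0].strip()
        s = sessions.setdefault(
            (vdom, idx), {"user": None, "auth_ok": False, "hostcheck": False})
        user = re.match(r"Auth successful for user (\S+)", msg)
        if user:
            s["user"], s["auth_ok"] = user.group(1), True
        elif "fnbamd return auth success" in msg:
            s["auth_ok"] = True
        elif "redirect to hostcheck" in msg:
            s["hostcheck"] = True
    results = {}
    for key, s in sessions.items():
        if s["auth_ok"] and s["hostcheck"]:
            verdict = "credentials accepted; review portal host-check"
        elif s["auth_ok"]:
            verdict = "credentials accepted; no host check redirect seen"
        else:
            verdict = "no auth success logged; check credentials first"
        results[key] = (s["user"], verdict)
    return results

# Connection 16 lines are the article's sample; the connection 17 line is constructed.
SAMPLE = """\
[8542:root:16]Auth successful for user chetan      <----- Authentication was successful
[8542:root:16]fam_do_cb:548 fnbamd return auth success.
[8542:root:16]SSL VPN login matched rule (1).
[8542:root:16]rmt_web_session_create:709 create web session, idx[0]
[8542:root:16]login_succeeded:452 redirect to hostcheck
[8542:root:17]SSL VPN login matched rule (1).
"""

if __name__ == "__main__":
    for (vdom, idx), (user, verdict) in triage(SAMPLE).items():
        print(f"vdom={vdom} conn={idx} user={user}: {verdict}")
```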

