- First, test the credentials of the user from the FortiGate itself.
- If the user is authenticated via LDAP/RADIUS, there is an option to test the user credentials from the FortiGate itself.
- If the test is successful, check the SSL VPN configuration and policy to make sure the user/user group is present in the portal and authentication rule.
- Run the following commands to collect relevant debug logs:
diagnose vpn ssl debug-filter src-addr4 x.x.x.x   <- Where x.x.x.x is the public IP address of the user connecting to the VPN.
diagnose debug app sslvpn -1
diagnose debug app fnbamd -1
diagnose debug enable
The following debug output shows that the source IP has been blocked because it exceeded the maximum number of failed login attempts:
2024-03-25 10:27:42 [240:root:144]allocSSLConn:307 sconn 0x7f77957300 (0:root)
2024-03-25 10:27:42 [240:root:144]SSL state:before SSL initialization (xx.xx.xx.xx)
2024-03-25 10:27:42 [240:root:144]SSL state:before SSL initialization:DH lib(xx.xx.xx.xx)
2024-03-25 10:27:42 [240:root:144]SSL_accept failed, 5:(null)
2024-03-25 10:27:42 [240:root:144]Destroy sconn 0x7f77957300, connSize=0. (root)
2024-03-25 10:27:42 [241:root:14a]allocSSLConn:307 sconn 0x7f77956c00 (0:root)
2024-03-25 10:27:42 [241:root:14a]SSL state:before SSL initialization (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:before SSL initialization (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]got SNI server name: HCLremote.hcllogistics.ca realm (null)
2024-03-25 10:27:42 [241:root:14a]client cert requirement: no
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS read client hello (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write server hello (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write certificate (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write key exchange (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write server done (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write server done:system lib(xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write server done (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS read client key exchange (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS read change cipher spec (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS read finished (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write session ticket (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write change cipher spec (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSLv3/TLS write finished (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL state:SSL negotiation finished successfully (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-03-25 10:27:42 [241:root:14a]req: /remote/info
2024-03-25 10:27:42 [241:root:14a]capability flags: 0x4df
2024-03-25 10:27:42 [241:root:14a]req: /remote/login
2024-03-25 10:27:42 [241:root:14a]rmt_web_auth_info_parser_common:492 no session id in auth info
2024-03-25 10:27:42 [241:root:14a]rmt_web_get_access_cache:841 invalid cache, ret=4103
2024-03-25 10:27:42 [241:root:14a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-03-25 10:27:42 [241:root:14a]rmt_web_blocklist_check:169 locked: i=0,host=xx.xx.xx.xx
2024-03-25 10:27:42 [241:root:14a]req: /remote/logincheck
2024-03-25 10:27:42 [241:root:14a]rmt_web_blocklist_check:169 locked: i=0,host=xx.xx.xx.xx
Because the output shows that the IP is blocked, the login-attempt-limit and login-block-time values can be unset (and later set again) under the SSL VPN settings in the CLI using the following commands:
config vpn ssl settings
unset login-attempt-limit
unset login-block-time
end
- Run the commands above and try again. If the user now connects successfully, restore the previous values with the same config commands.
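In a longer capture the two `rmt_web_blocklist_check ... locked` lines are easy to miss among the TLS state messages, so it helps to have a small reader that groups the output by connection and reports why each connection went nowhere. The following Python is an added example, not part of the article or of any Fortinet tool; it assumes only the line shape visible in the debug output above (`<date> <time> [<pid>:<vdom>:<conn-id>]<message>`), and the sample input is a constructed excerpt modelled on that output, with the same placeholder addresses.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Line shape seen in "diagnose debug app sslvpn -1" output (assumption drawn from the
# article's excerpt): "<date> <time> [<pid>:<vdom>:<conn-id>]<message>".
DEBUG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>[0-9a-f]+)\](?P<msg>.*)$"
)

# Message emitted when the connecting source address is on the login block list.
BLOCKLIST_LOCKED = re.compile(
    r"rmt_web_blocklist_check:\d+ locked: i=(?P<idx>\d+),host=(?P<host>\S+)"
)

# Peer address appended to "SSL state:" lines, e.g. "... (xx.xx.xx.xx)".
PEER_ADDR = re.compile(r"\((\S+)\)$")

# Constructed sample, modelled on the article's output (not a real capture).
SAMPLE_DEBUG = """\
2024-03-25 10:27:42 [240:root:144]allocSSLConn:307 sconn 0x7f77957300 (0:root)
2024-03-25 10:27:42 [240:root:144]SSL state:before SSL initialization (xx.xx.xx.xx)
2024-03-25 10:27:42 [240:root:144]SSL_accept failed, 5:(null)
2024-03-25 10:27:42 [240:root:144]Destroy sconn 0x7f77957300, connSize=0. (root)
2024-03-25 10:27:42 [241:root:14a]allocSSLConn:307 sconn 0x7f77956c00 (0:root)
2024-03-25 10:27:42 [241:root:14a]SSL state:before SSL initialization (xx.xx.xx.xx)
2024-03-25 10:27:42 [241:root:14a]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-03-25 10:27:42 [241:root:14a]req: /remote/info
2024-03-25 10:27:42 [241:root:14a]req: /remote/login
2024-03-25 10:27:42 [241:root:14a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2024-03-25 10:27:42 [241:root:14a]rmt_web_blocklist_check:169 locked: i=0,host=xx.xx.xx.xx
2024-03-25 10:27:42 [241:root:14a]req: /remote/logincheck
2024-03-25 10:27:42 [241:root:14a]rmt_web_blocklist_check:169 locked: i=0,host=xx.xx.xx.xx
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one debug line into its fields, or return None for unrelated text."""
    m = DEBUG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_locked_hosts(lines: Iterable[str]) -> Dict[str, int]:
    """Return {source_host: number of 'locked' hits} across the whole capture."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BLOCKLIST_LOCKED.search(rec["msg"])
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def summarise_connections(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Group messages by pid:vdom:conn-id and record TLS outcome, peer, URLs and lock state."""
    conns: Dict[str, Dict[str, object]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec['pid']}:{rec['vdom']}:{rec['conn']}"
        c = conns.setdefault(
            key, {"tls": "unknown", "peer": None, "locked_host": None, "requests": []}
        )
        msg = rec["msg"]
        if msg.startswith("SSL state:"):
            peer = PEER_ADDR.search(msg)
            if peer and c["peer"] is None:
                c["peer"] = peer.group(1)
        if msg.startswith("SSL_accept failed"):
            c["tls"] = "failed"
        elif msg.startswith("SSL established"):
            c["tls"] = "established"
        elif msg.startswith("req: "):
            c["requests"].append(msg[len("req: "):])  # type: ignore[union-attr]
        m = BLOCKLIST_LOCKED.search(msg)
        if m:
            c["locked_host"] = m.group("host")
    return conns


def verdict(conn: Dict[str, object]) -> str:
    """One-line reading of a connection summary, in the order a troubleshooter checks."""
    if conn["locked_host"]:
        return f"source {conn['locked_host']} is on the login block list (login-block-time in effect)"
    if conn["tls"] == "failed":
        return "TLS handshake failed before any login attempt"
    if conn["tls"] == "established" and "/remote/logincheck" in conn["requests"]:  # type: ignore[operator]
        return "login attempt reached authentication; check the fnbamd output"
    return "incomplete connection"


if __name__ == "__main__":
    for key, conn in summarise_connections(SAMPLE_DEBUG.splitlines()).items():
        print(f"{key}: {verdict(conn)}")
```

Run against the constructed sample, the reader flags connection `240:root:144` as a handshake failure and `241:root:14a` as locked for source `xx.xx.xx.xx`. Note that the lock is keyed on the connecting source address (`host=` in the message), so every user behind the same public address shares the counter and stays locked for the remainder of login-block-time whichever account they try, which is why a clean authentication test from the FortiGate itself can succeed while the VPN login still fails.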