Quick Fix: Fortinet SSLVPN 98% Error Unable to Establish the Connection
November 3, 2017 1 Comment
This one puzzled me for several hours this week. After making some changes to the structured cabling we were alerted to an issue preventing SSLVPNs from connecting.
Anyone attempting to connect saw the progress stop at 98% and received an error similar to:
Unable to establish the VPN Connection (E=98,T-981066010,M99,R10)
On an iOS Device we saw:
Connection error. Got bad packet from remote
Needless to say we were left wondering what we had managed to patch into the wrong place, and even after completely removing the VPN Configuration and recreating it we were still at a loss.
Looking at the debugging information via the Fortinet CLI showed that the connection seemed to establish, then drop out: the TLS handshake completes and the user authenticates successfully, but the client then requests /remote/logout and the firewall destroys the session. To enable debug logging for SSLVPN:
diagnose debug application sslvpn -1
diagnose debug enable
Then attempt to connect your VPN. When you are done, turn debugging off again with diagnose debug disable (and diagnose debug reset to clear the debug settings), as leaving it on floods the console.
Prepare for a large amount of output to go through; it is truncated and edited for publishing below. Note that the "SSLv3 ..." labels are the OpenSSL handshake-state names and appear for TLS connections as well; they do not mean SSLv3 is enabled on the unit.
Using username "fakeadmin".
fakeadmin@fortinet-200e's password:
Fortinet-200E # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
Fortinet-200E # diagnose debug enable
Fortinet-200E # [1601:root:0]total sslvpn policy count: 4
[1601:root:d7]allocSSLConn:280 sconn 0x7f1474c0f000 (0:root)
[1601:root:d7]SSL state:before/accept initialization (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 read client hello A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write server hello A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write certificate A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write key exchange A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write server done A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 flush data (source-ipaddress)
[1601:root:d7]req: /remote/logincheck?&ajax=1&redir=/remote/index&just_logged_in=1
[1601:root:d7]rmt_web_auth_info_parser_common:433 no session id in auth info
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logincheck],ret=4103,
[1601:root:d7]rmt_logincheck_cb_handler:870 user 'robert' has a matched local entry.
[1601:root:d7]sslvpn_auth_check_usrgroup:1786 forming user/group list from policy.
[1601:root:d7]sslvpn_auth_check_usrgroup:1828 got user (0) group (2:0).
[1601:root:d7]sslvpn_validate_user_group_list:1456 validating with SSL VPN authentication rules (1), realm ().
[1601:root:d7]sslvpn_validate_user_group_list:1504 checking rule 1 cipher.
[1601:root:d7]sslvpn_validate_user_group_list:1512 checking rule 1 realm.
[1601:root:d7]sslvpn_validate_user_group_list:1523 checking rule 1 source intf.
[1601:root:d7]sslvpn_validate_user_group_list:1562 checking rule 1 vd source intf.
[1601:root:d7]sslvpn_validate_user_group_list:1634 rule 1 done, got user (0) group (2:0).
[1601:root:d7]sslvpn_validate_user_group_list:1722 got user (0), group (2:0).
[1601:root:d7]two factor check for robert: off
[1601:root:d7]sslvpn_authenticate_user:167 authenticate user: [robert]
[1601:root:d8]SSL state:before/accept initialization (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client hello A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write server hello A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write certificate A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write key exchange A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write server done A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 flush data (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client certificate A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client key exchange A:system lib(source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client key exchange A:system lib(source-ipaddress)
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logout],ret=4103,
[1601:root:d7]Destroy sconn 0x7f1474c0f000, connSize=0. (root)
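Reading that output by hand is tedious, and the useful signal is buried in the TLS state lines. The script below is an added example written for this page, not code from the original post or a Fortinet tool: it groups the debug lines by the connection id in the [pid:vdom:conn] prefix and gives each connection a verdict, so the "authenticated, then /remote/logout, then Destroy sconn" pattern seen above stands out. The verdict names and the trimmed sample log are mine; the sample is taken from the excerpt above, and the prefix format is the only assumption the parser makes.

```python
import re
from collections import OrderedDict

# Constructed sample: the post's "diagnose debug application sslvpn -1" output,
# trimmed to the lines the classifier keys on (source addresses were already redacted).
SAMPLE_LOG = """\
Fortinet-200E # diagnose debug enable
Fortinet-200E # [1601:root:0]total sslvpn policy count: 4
[1601:root:d7]allocSSLConn:280 sconn 0x7f1474c0f000 (0:root)
[1601:root:d7]SSL state:before/accept initialization (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 read client hello A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write server done A (source-ipaddress)
[1601:root:d7]req: /remote/logincheck?&ajax=1&redir=/remote/index&just_logged_in=1
[1601:root:d7]rmt_web_auth_info_parser_common:433 no session id in auth info
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logincheck],ret=4103,
[1601:root:d7]rmt_logincheck_cb_handler:870 user 'robert' has a matched local entry.
[1601:root:d7]two factor check for robert: off
[1601:root:d7]sslvpn_authenticate_user:167 authenticate user: [robert]
[1601:root:d8]SSL state:before/accept initialization (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client hello A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write server done A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client key exchange A:system lib(source-ipaddress)
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logout],ret=4103,
[1601:root:d7]Destroy sconn 0x7f1474c0f000, connSize=0. (root)
"""

# Assumed prefix format: [pid:vdom:conn]message. The conn field is what lets us follow one client.
LINE_RE = re.compile(r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>[0-9a-f]+)\](?P<msg>.*)$")
AUTH_RE = re.compile(r"authenticate user: \[(?P<user>[^\]]+)\]")
URI_RE = re.compile(r"uri=\[(?P<uri>[^\]]+)\]")
REQ_RE = re.compile(r"^req: (?P<path>\S+)")

# Verdict labels are this example's own, not FortiOS terminology.
VERDICTS = {
    "auth_then_logout": "authenticated, then the client requested /remote/logout and the "
                        "firewall destroyed the session: auth is fine, suspect the client",
    "authenticated": "authenticated and session still open",
    "auth_failed": "HTTP requests seen but no successful authentication",
    "handshake_only": "TLS handshake seen but no HTTP request followed",
    "no_tls": "no TLS handshake on this connection id",
}

def parse_events(text):
    """Group debug messages by connection id, skipping CLI prompts and banners."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)  # search, not match: prompts may precede the prefix
        if m:
            conns.setdefault(m.group("conn"), []).append(m.group("msg"))
    return conns

def summarise(msgs):
    """Reduce one connection's messages to the facts that matter for the 98% symptom."""
    s = {"handshake": False, "user": None, "requests": [], "logout": False, "destroyed": False}
    for msg in msgs:
        if msg.startswith("SSL state:"):
            s["handshake"] = True
        m = AUTH_RE.search(msg)
        if m:
            s["user"] = m.group("user")
        for rx, key in ((REQ_RE, "path"), (URI_RE, "uri")):
            m = rx.search(msg)
            if m:
                s["requests"].append(m.group(key))
        if msg.startswith("Destroy sconn"):
            s["destroyed"] = True
    s["logout"] = any(r.split("?")[0] == "/remote/logout" for r in s["requests"])
    return s

def classify(s):
    if s["user"] and s["logout"] and s["destroyed"]:
        return "auth_then_logout"
    if s["user"]:
        return "authenticated"
    if s["requests"]:
        return "auth_failed"
    if s["handshake"]:
        return "handshake_only"
    return "no_tls"

def diagnose(text):
    """Return {conn_id: summary-with-verdict} for every connection in the debug output."""
    results = OrderedDict()
    for conn, msgs in parse_events(text).items():
        s = summarise(msgs)
        s["verdict"] = classify(s)
        results[conn] = s
    return results

if __name__ == "__main__":
    for conn, s in diagnose(SAMPLE_LOG).items():
        print(f"conn {conn}: user={s['user']!r} requests={len(s['requests'])} "
              f"-> {VERDICTS[s['verdict']]}")
```

Run it against a pasted console capture instead of SAMPLE_LOG and look for connections that end up as auth_then_logout: that is the signature of the firewall doing its job and the client tearing the session down, which is exactly the case where fiddling with the server-side SSLVPN configuration will not help.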
The fix was very simple.
At the time of writing, FortiClient 5.6 has a bug preventing SSLVPN connections from establishing; nothing on the FortiGate side was at fault. Downgrading FortiClient to a previous version resolved it; we found that 5.2.4.0650 worked without any issue.
You will need an active support contract to download a previous version.
Of course this is a workaround at best, and we will hopefully see Fortinet release an update to their 5.6 client soon. Treat the older client as a stop-gap and re-test each new 5.6 build rather than pinning 5.2.4 indefinitely.
Poor quality product. Sadness.