Quick Fix: Fortinet SSLVPN 98% Error Unable to Establish the Connection

This one puzzled me for several hours this week. After making some changes to the structured cabling, we were alerted to an issue preventing SSLVPNs from connecting.

Anyone attempting to connect saw the progress stop at 98% and received an error similar to:

Unable to establish the VPN Connection (E=98,T-981066010,M99,R10)

On an iOS Device we saw:

Connection error. Got bad packet from remote

Needless to say we were left wondering what we had managed to patch into the wrong place, and even after completely removing the VPN Configuration and recreating it we were still at a loss.

Looking at the debugging information via the Fortinet CLI showed that the connection seemed to establish, then drop out. To enable debug logging for SSLVPN:

diagnose debug application sslvpn -1

diagnose debug enable

Then attempt to connect your VPN.

Prepare for a large amount of output to go through. The output below has been truncated and edited for publishing.

Using username "fakeadmin".
fakeadmin@fortinet-200e's password:
Fortinet-200E # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.

Fortinet-200E # diagnose debug enable

Fortinet-200E # [1601:root:0]total sslvpn policy count: 4
[1601:root:d7]allocSSLConn:280 sconn 0x7f1474c0f000 (0:root)
[1601:root:d7]SSL state:before/accept initialization (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 read client hello A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write server hello A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write certificate A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write key exchange A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 write server done A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 flush data (source-ipaddress)
[1601:root:d7]req: /remote/logincheck?&ajax=1&redir=/remote/index&just_logged_in=1
[1601:root:d7]rmt_web_auth_info_parser_common:433 no session id in auth info
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logincheck],ret=4103,
[1601:root:d7]rmt_logincheck_cb_handler:870 user 'robert' has a matched local entry.
[1601:root:d7]sslvpn_auth_check_usrgroup:1786 forming user/group list from policy.
[1601:root:d7]sslvpn_auth_check_usrgroup:1828 got user (0) group (2:0).
[1601:root:d7]sslvpn_validate_user_group_list:1456 validating with SSL VPN authentication rules (1), realm ().
[1601:root:d7]sslvpn_validate_user_group_list:1504 checking rule 1 cipher.
[1601:root:d7]sslvpn_validate_user_group_list:1512 checking rule 1 realm.
[1601:root:d7]sslvpn_validate_user_group_list:1523 checking rule 1 source intf.
[1601:root:d7]sslvpn_validate_user_group_list:1562 checking rule 1 vd source intf.
[1601:root:d7]sslvpn_validate_user_group_list:1634 rule 1 done, got user (0) group (2:0).
[1601:root:d7]sslvpn_validate_user_group_list:1722 got user (0), group (2:0).
[1601:root:d7]two factor check for robert: off
[1601:root:d7]sslvpn_authenticate_user:167 authenticate user: [robert]
[1601:root:d8]SSL state:before/accept initialization (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client hello A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write server hello A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write certificate A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write key exchange A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 write server done A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 flush data (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client certificate A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client key exchange A:system lib(source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client key exchange A:system lib(source-ipaddress)
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logout],ret=4103,
[1601:root:d7]Destroy sconn 0x7f1474c0f000, connSize=0. (root)
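
An added example, not part of the original post and not Fortinet code: a small Python triage script that groups this debug output by connection and reports each connection's last SSL state, failed URIs and whether it was destroyed. It reads the bracketed prefix as three colon-separated fields and takes the third as the connection id, which is an inference from the output above; treating a final state logged twice in a row as worth a closer look is likewise this example's assumption.

```python
import re

# Line shape seen in the output above: [field1:field2:conn-id]message (field meaning is inferred)
LINE = re.compile(r"\[(\d+):([^:\]]+):([0-9a-f]+)\](.*)")
ACCESS_FAIL = re.compile(r"access failed, uri=\[([^\]]+)\],ret=(\d+)")

# Excerpt of the debug output shown above, embedded so the script runs offline.
SAMPLE = """\
Fortinet-200E # [1601:root:0]total sslvpn policy count: 4
[1601:root:d7]allocSSLConn:280 sconn 0x7f1474c0f000 (0:root)
[1601:root:d7]SSL state:SSLv3 read client hello A (source-ipaddress)
[1601:root:d7]SSL state:SSLv3 flush data (source-ipaddress)
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logincheck],ret=4103,
[1601:root:d7]sslvpn_authenticate_user:167 authenticate user: [robert]
[1601:root:d8]SSL state:SSLv3 read client certificate A (source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client key exchange A:system lib(source-ipaddress)
[1601:root:d8]SSL state:SSLv3 read client key exchange A:system lib(source-ipaddress)
[1601:root:d7]rmt_web_access_check:681 access failed, uri=[/remote/logout],ret=4103,
[1601:root:d7]Destroy sconn 0x7f1474c0f000, connSize=0. (root)
"""

def summarize(text):
    """Group sslvpn debug lines by connection id and keep the triage-relevant facts."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.search(raw)  # search, not match: the CLI prompt can prefix a line
        if not m:
            continue
        cid, msg = m.group(3), m.group(4)
        c = conns.setdefault(cid, {"ssl_states": [], "access_failed": [], "destroyed": False})
        if msg.startswith("SSL state:"):
            # Drop the trailing "(source address)" so identical states compare equal
            c["ssl_states"].append(msg[len("SSL state:"):].rsplit("(", 1)[0].strip())
        elif (f := ACCESS_FAIL.search(msg)):
            c["access_failed"].append((f.group(1), int(f.group(2))))
        elif msg.startswith("Destroy sconn"):
            c["destroyed"] = True
    return conns

def repeated_last_state(conn):
    """Return the final SSL state if it was logged twice in a row, else None."""
    s = conn["ssl_states"]
    return s[-1] if len(s) >= 2 and s[-1] == s[-2] else None

if __name__ == "__main__":
    for cid, c in summarize(SAMPLE).items():
        last = c["ssl_states"][-1] if c["ssl_states"] else "-"
        print(cid, "| last SSL state:", last, "| repeated:", bool(repeated_last_state(c)),
              "| access failed:", c["access_failed"], "| destroyed:", c["destroyed"])
```

To use it on a real capture, save the CLI session to a file and pass its contents to `summarize()` in place of `SAMPLE`.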

The fix was very simple.

At the time of writing, FortiClient 5.6 has a bug preventing SSLVPN connections from establishing. Downgrade FortiClient to a previous version; we found that 5.2.4.0650 worked without any issue.

You will need an active support contract to download a previous version.

Of course this is a workaround at best, and we will hopefully see Fortinet release an update to their 5.6 client soon.

About Robert Pearman
Robert Pearman is a UK based IT worker bee. He has been working within the IT Industry for what feels like forever. Robert likes Piña colada and getting caught in the rain, he also enjoys writing about Technology like PowerShell or System Automation but not as much as he used to. If you're in trouble, and you can find him, maybe you can ask him a question.

One Response to Quick Fix: Fortinet SSLVPN 98% Error Unable to Establish the Connection

  1. Voffka Kh says:

    poor quality product. Sadness