Update: In the end I wasn’t able to get the SSL-VPN client to connect to the FortiGate. I decided to switch to IPsec VPN and away from using SSL-VPN. From what I’ve read, Fortinet is moving away from SSL VPN and recommending users stop using it anyway. Configuring IPsec worked and connected without issues the first time I configured it.
I appreciated the assistance I received.
FortiGate 60F v7.2.8
FortiClient VPN v7.2.4
I’m able to log in via the web browser using the same domain URL and port as configured for the VPN client configuration. But when I attempt to connect with FortiClient I get the generic error message, “SSL Connection may be down”. With the client logs set to debug mode, the following is all that’s in those logs. Some details were altered to protect identification.
5/17/2024 10:36:23 AM error sslvpn date=2024-05-17 time=10:36:22 logver=1 id=96603 type=securityevent subtype=sslvpn eventtype=error level=error uid=ZY6LD3CV6OHP5LGIDVRNJXSKGT6LNM59 devid=FCT8007243283960 hostname=NOTEBOOK01 pcdomain=mydomain.com deviceip=10.100.1.50 devicemac=60-f2-XX-XX-XX-fb site=N/A fctver=7.2.4.0972 fgtserial=FCT8007243283960 emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=[email protected] msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel="VPN1 Client Name" vpnuser=RemoteNB1 remotegw=vpn1.clientdomain.com
5/17/2024 10:36:23 AM info sslvpn date=2024-05-17 time=10:36:22 logver=1 id=96600 type=securityevent subtype=sslvpn eventtype=status level=info uid=ZY6LD3CV6OHP5LGIDVRNJXSKGT6LNM59 devid=FCT8007243283960 hostname=NOTEBOOK01 pcdomain=mydomain.com deviceip=10.100.1.50 devicemac=60-f2-XX-XX-XX-fb site=N/A fctver=7.2.4.0972 fgtserial=FCT8007243283960 emsserial=N/A os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=user@domain msg="SSLVPN tunnel status" vpnstate=disconnected vpnuser=RemoteNB1
There is nothing that shows up in the FortiGate device logs.
For now I’m using the preconfigured VPN Portal “full-access” with users “All Other Users/Groups”, split-tunneling is disabled.
The Server Certificate is set to “Fortinet_Factory”. I’m never prompted to pick a certificate to use, nor are there “pop-behind” windows during VPN connection.
“Allow access from any host” is enabled.
Any guidance would be appreciated. I can post additional details.
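Added example, not from the original post or from Fortinet: a small Python parser for the FortiClient key=value log format quoted above, which pulls out the tunnel-failure entries and the fields worth matching against the FortiGate side. The sample lines are constructed from the post with shortened, placeholder identifiers.

```python
import re

# Constructed sample of the two FortiClient debug entries quoted in the post
# (device identifiers shortened and replaced with placeholder values).
SAMPLE_LOG = """\
5/17/2024 10:36:23 AM error sslvpn date=2024-05-17 time=10:36:22 logver=1 id=96603 type=securityevent subtype=sslvpn eventtype=error level=error hostname=NOTEBOOK01 os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=user@example.com msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel="VPN1 Client Name" vpnuser=RemoteNB1 remotegw=vpn1.example.com
5/17/2024 10:36:23 AM info sslvpn date=2024-05-17 time=10:36:22 logver=1 id=96600 type=securityevent subtype=sslvpn eventtype=status level=info hostname=NOTEBOOK01 msg="SSLVPN tunnel status" vpnstate=disconnected vpnuser=RemoteNB1
"""

# One field is key=value; the value is either double-quoted (may contain spaces)
# or a bare run of non-space characters, possibly empty (e.g. "vpnstate=").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_entry(line):
    """Return (prefix, fields): the client-side timestamp/level/component text
    before the first key=value pair, and a dict of unquoted field values."""
    fields, first = {}, None
    for m in FIELD_RE.finditer(line):
        first = m.start() if first is None else first
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the surrounding quotes
        fields[m.group(1)] = value
    prefix = line[:first].strip() if first is not None else line.strip()
    return prefix, fields


def tunnel_failures(log_text):
    """Pick out entries where FortiClient reports the SSL-VPN tunnel failed,
    keeping the fields an admin would correlate against the FortiGate side."""
    out = []
    for line in filter(str.strip, log_text.splitlines()):
        _, f = parse_entry(line)
        if f.get("subtype") == "sslvpn" and f.get("eventtype") == "error":
            out.append({
                "when": f"{f.get('date')} {f.get('time')}",
                "id": f.get("id"),
                "msg": f.get("msg"),
                "tunnel": f.get("vpntunnel"),
                "user": f.get("vpnuser"),
                "gateway": f.get("remotegw"),
                # an empty vpnstate means the tunnel never got past setup
                "state": f.get("vpnstate") or "(none)",
            })
    return out
```

Run it over a real FortiClient debug log and compare the reported time, user and gateway with the FortiGate event log entry for the same attempt.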
Are you using SAML for auth? If so there’s a known bug with 7.2.4 - switch to 7.2.3 and it’ll work.
We’d need the debugs on the FortiGate side while connecting (diagnose debug application sslvpn -1). That should tell you more.
SSL-VPN Portal screen capture
SSL-VPN Settings screen capture
Firewall Policy screen capture
You are missing your “SSL-VPN Users” group in the SSL VPN Settings under “Authentication/Portal Mapping”. You should have something like “SSL-VPN Users” with the “Full-access” portal and “All other users/groups” with a portal that does not allow anything or the web-access. Also you’re missing the “SSLVPN_TUNNEL_ADDR1” under “IP Ranges”.
Not sure what SAML is, but not using SSO at this time.
Does this help? It’s interesting that User and Group are “N/A”. In the VPN logs I can see many other rogue login attempts failing on user/password.
Absolute Date/Time: 2024-05-17
Last Access Time: 15:59:04
VDOM: root
Log Description: SSL VPN exit error
Source
  User: N/A
  Group: N/A
Destination
  Destination Host: N/A
Action
  Action: ssl-exit-error
  Reason: N/A
Security
  Level: Error
Event
  Remote IP: 174.XX.XXX.124
  Tunnel ID: 0
  Tunnel Type: ssl
  Message: SSL exit error
Other
  Log event original timestamp: 1715979543762029600
  Timezone: -0500
  Log ID: 0101039946
  Type: event
  Sub Type: vpn
Added the SSL-VPN Users group with the full-access portal to Authentication/Portal Mapping, and changed All Other Users/Groups to the web-access portal.
Where is the “IP Ranges” setting located that you referenced?
With the Auth/Portal Mapping changes, after attempting to connect, the User & Group in the VPN logs are still “N/A”.
On the SSL VPN Settings, change this section to “Specify Custom Ranges” and add the same IP range object you specified in your “full-access” portal.
Can you tell me where to navigate to find the debugs? What I posted above was in the reports/ssl-vpn.
The IP Range I used in the “Full-Access” portal is the “SSLVPN_TUNNEL_ADDR1”, which is the range “10.212.134.200-10.212.134.210”. This is the same as the default range. Should I have created the range differently so it didn’t match the default? We don’t need more than a few connections. When I select this custom IP range in the SSL VPN Settings Address Range and save, it reverts back to “Automatically assign addresses”. Thanks for your help.
I already gave you the command. You only need to turn debug logging on after that. You can find out how.
I’ve decided to move away from SSL-VPN and use IPsec. That’s allowing the clients to connect without issues.