
How to fix SSL VPN authentication failure logs are still showing ‘tunnel type: SSL-WEB’ after disabling the Web Mode

This article explains why SSL VPN authentication failure logs still show tunnel type 'ssl-web' after the SSL VPN web login portal has been removed as described in the article below:
Technical Tip: How to prevent the SSL VPN web login portal from displaying when SSL VPN web mode is …

Scope

FortiGate.

Solution

Every SSL VPN authentication failure on the FortiGate is logged with tunnel type 'ssl-web', even when the attempt came from FortiClient (tunnel mode).

Log for failed FortiClient authentication: [screenshot not reproduced]

Log for failed Web Mode authentication: [screenshot not reproduced]

Log for successful FortiClient authentication: [screenshot not reproduced]

Log for successful Web Mode authentication: [screenshot not reproduced]

This is because FortiClient only identifies itself as a tunnel-mode client after the authentication attempt has succeeded. When authentication fails, that step never happens, so the FortiGate cannot tell tunnel mode from web mode and logs the failure as web:

Successful FortiClient authentication debugs:

[15510:root:a]sslvpn_authenticate_user:183 authenticate user: [test-fct]
[15510:root:a]sslvpn_authenticate_user:197 create fam state
[15510:root:a][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[15510:root:a]group_desc[0].grpname = test
[15510:root:a][fam_auth_send_req_internal:438] FNBAM opt = 0X200420
[15510:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 0
[15510:root:a][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[15510:root:a]Received: auth_rsp_data.grp_list[0] = 2
[15510:root:a]fam_auth_send_req_internal:563 found node test:0:, valid:1, auth:0
[15510:root:a]Validated: auth_rsp_data.grp_list[0] = test
[15510:root:a][fam_auth_send_req_internal:652] The user test-fct is authenticated.
[15510:root:a]fam_do_cb:666 fnbamd return auth success.
…. (omitted for brevity)
[15511:root:a]normal tunnel2 request received.<----- Tunnel mode initiated.
[15511:root:a]sslvpn_tunnel2_handler,166, fct_uuid = 86D85EDFFC3E422F8619956B74CE508E<----- Identifying the FortiClient.
[15511:root:a]sslvpn_tunnel2_handler,174, Calling tunnel2 DESKTOP-8PB5B98.

Failed FortiClient authentication debugs:

[15514:root:a]sslvpn_authenticate_user:183 authenticate user: [fct-failed]
[15514:root:a]sslvpn_authenticate_user:197 create fam state
[15514:root:a][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[15514:root:a]group_desc[0].grpname = test
[15514:root:a][fam_auth_send_req_internal:438] FNBAM opt = 0X200421
[15514:root:a]fam_auth_send_req_internal:514 fnbam_auth return: 1
[15514:root:a][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[15514:root:a]Received: auth_rsp_data.grp_list[0] = 0
[15514:root:a]fam_auth_send_req:1007 task finished with 1
[15514:root:a]login_failed:392 user[fct-failed],auth_type=1 failed [sslvpn_login_permission_denied]
[15514:root:0]dump_one_blocklist:94 status=1;host=172.17.98.14;fails=1;logintime=1721862179
…… (end here, no further debugs)

Therefore, after hiding the SSL VPN login page (v7.4.1 and below) or disabling it globally (v7.4.2 and above), it is expected that every failed SSL VPN authentication is still flagged with tunnel type 'ssl-web'. The log entry does not mean the authentication attempt was made through the SSL VPN web login page.
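The practical consequence for anyone reviewing or alerting on these logs is that the tunneltype field must not be used to classify a failed login as a web-portal attempt. The following script is an added example (not code from Fortinet or from this article) that parses FortiGate-style key=value event-log lines, treats tunneltype as meaningless on action="ssl-login-fail", and counts failures per source IP, the same per-host view the dump_one_blocklist debug line reports (host=...;fails=...). The sample log lines are constructed: the field names (action, tunneltype, remip, user, reason, msg) follow the usual FortiOS event-log layout, but every value is made up, and using action="tunnel-up" with tunneltype="ssl-tunnel" as the tunnel-mode indicator is an assumption of the example.

```python
"""Classify FortiGate SSL VPN event-log lines without trusting tunneltype on failures.

Added example, not Fortinet's or the article's code. Sample lines are constructed
in the usual FortiOS key=value layout; all values are made up.
"""
import re
from collections import Counter

# Constructed sample: three failed logins (two from one source), one tunnel-up, one web login.
SAMPLE_LOGS = [
    'date=2024-07-24 time=23:02:59 type="event" subtype="vpn" level="alert" vd="root" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" '
    'remip=172.17.98.14 user="fct-failed" reason="sslvpn_login_permission_denied" '
    'msg="SSL user failed to logged in"',
    'date=2024-07-24 time=23:03:10 type="event" subtype="vpn" level="alert" vd="root" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" '
    'remip=172.17.98.14 user="fct-failed" reason="sslvpn_login_permission_denied" '
    'msg="SSL user failed to logged in"',
    'date=2024-07-24 time=23:04:41 type="event" subtype="vpn" level="alert" vd="root" '
    'logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" '
    'remip=203.0.113.7 user="web-failed" reason="sslvpn_login_permission_denied" '
    'msg="SSL user failed to logged in"',
    'date=2024-07-24 time=23:05:02 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'remip=172.17.98.14 user="test-fct" msg="SSL tunnel established"',
    'date=2024-07-24 time=23:06:15 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN login success" action="ssl-login" tunneltype="ssl-web" '
    'remip=198.51.100.5 user="test-web" msg="SSL user login success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("([^"]*)"|[^\s"]+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one key=value line into a dict, stripping quotes from quoted values."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in _KV.finditer(line)
    }


def client_mode(rec: dict) -> str:
    """Return 'web', 'tunnel' or 'unknown' for one parsed record.

    On a failed login the client has not yet identified itself as a tunnel client,
    so tunneltype is always ssl-web and carries no information: report 'unknown'.
    """
    if rec.get("action") == "ssl-login-fail":
        return "unknown"
    tunneltype = rec.get("tunneltype", "")
    if tunneltype == "ssl-tunnel":
        return "tunnel"
    if tunneltype == "ssl-web":
        return "web"
    return "unknown"


def failed_logins_by_source(lines) -> Counter:
    """Count failed SSL VPN logins per remote IP, ignoring tunneltype entirely."""
    counts = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("action") == "ssl-login-fail":
            counts[rec.get("remip", "?")] += 1
    return counts


def summarize(lines) -> list:
    """One (user, remip, action, client_mode) tuple per line for a quick review."""
    rows = []
    for line in lines:
        rec = parse_fortigate_log(line)
        rows.append((rec.get("user", "?"), rec.get("remip", "?"),
                     rec.get("action", "?"), client_mode(rec)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOGS):
        print("user=%-12s remip=%-14s action=%-15s mode=%s" % row)
    print("failed logins per source:", dict(failed_logins_by_source(SAMPLE_LOGS)))
```

Run against a real log export, failed-login counts per source IP are what matter for lockout and alerting decisions; the "unknown" mode on failures is a reminder that a burst of ssl-web failures says nothing about whether the web portal is reachable.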