FortiClient SSL VPN Error

VPN Error KB ID 0001795

Problem

I have a FortiGate/FortiClient test bench set up for testing, and it hasn't been used for a while. When I attempted to use it, this happened;

Unable to logon to the server. Your username or password may not be configured properly for this connection. (-12)

While messing around trying to fix it I also got this error;

Unable to establish the VPN connection. The VPN server may be unreachable. (-14)

Disclaimer: That second error can also be caused if the FortiClient is unlicensed (which, as you can clearly see, it is), so this might be a red herring.

VPN Error: Solution

This took ages for me to fix. The common consensus is that this is usually caused by a setting in the machine's Internet Properties. Open an administrative command window and run inetcpl.cpl. The first thing I was asked to do was > Advanced > Reset > Tick Delete Personal Settings > Reset.

Security > Trusted Sites (set slider to Medium) > Sites > Add the URL my FortiClient was trying to reach (yours will be a public IP or DNS name) > Close.

Advanced Tab > Security > Tick Use SSL 3.0 > Apply > OK. (Be wary of this one: SSL 3.0 is obsolete and insecure (POODLE), and a supported FortiOS release won't negotiate it on the SSL VPN anyway, so if you do try it, untick it again afterwards.)

In my case all of these did NOT solve my problem. I've seen strange errors with LDAP usernames and passwords, so I made sure the firewall could ping the FQDN of the LDAP server, and it successfully authenticated me (I've seen the GUI auth test work and the command-line one fail in the past).
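Before fiddling with Internet Options it is worth separating the two errors above with a client-side check: is the FortiGate's SSL VPN port actually reachable from this machine, which TLS version does it negotiate, and what certificate does it present? The PowerShell below is an added example, not code from the original article or from Fortinet. The host name vpn.example.com and port 10443 are placeholders (10443 is a common FortiGate SSL VPN port); use your own FQDN/IP and the port shown by 'show vpn ssl settings' on the FortiGate.

```powershell
# Added example, not from the original article. Client-side check for the
# "-14 server may be unreachable" symptom: is the FortiGate SSL VPN port open,
# which TLS version does it negotiate, and what certificate does it present?
# 'vpn.example.com' and 10443 are placeholders (assumptions); use your own
# FQDN/IP and the port from 'show vpn ssl settings' on the FortiGate.
function Test-SslVpnListener {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 10443,
        [int]$TimeoutMs = 5000
    )

    $r = [ordered]@{
        Server = $Server; Port = $Port
        TcpReachable = $false; TlsProtocol = $null; TlsAtLeast12 = $false
        CertSubject = $null; CertIssuer = $null; CertExpires = $null
        CertChainTrusted = $null; Error = $null
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: plain TCP with a timeout. If this fails, the problem is
        # routing, NAT, or a missing/blocked policy on the FortiGate, not
        # authentication, whatever the FortiClient error text says.
        $async = $tcp.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${Server}:${Port} timed out after ${TimeoutMs} ms"
        }
        $tcp.EndConnect($async)
        $r.TcpReachable = $true

        # Step 2: TLS handshake using the OS defaults. The validation callback
        # accepts any certificate so that a self-signed or expired one is
        # *reported* rather than hidden behind a generic failure; chain trust
        # is checked separately below.
        $stream = $tcp.GetStream()
        $accept = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $accept
        $ssl.AuthenticateAsClient($Server)
        $r.TlsProtocol  = $ssl.SslProtocol.ToString()
        $r.TlsAtLeast12 = [int]$ssl.SslProtocol -ge [int][System.Security.Authentication.SslProtocols]::Tls12

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.CertSubject = $cert.Subject
        $r.CertIssuer  = $cert.Issuer
        $r.CertExpires = $cert.NotAfter
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # $false for the FortiGate's default self-signed certificate.
        $r.CertChainTrusted = $chain.Build($cert)
        $ssl.Dispose()
    }
    catch {
        $r.Error = $_.Exception.Message
    }
    finally {
        $tcp.Close()
    }
    [pscustomobject]$r
}

Test-SslVpnListener -Server 'vpn.example.com' -Port 10443 | Format-List
```

Reading the result: TcpReachable = False means the -14 error is genuine and the fix is on the network/policy side (wrong interface or port in the SSL VPN settings, no policy, or you are connecting from behind the FortiGate). A completed handshake with TlsAtLeast12 = True but a persistent -12 means the transport is fine and you should look at the authentication side, which is where the LDAP group mapping below comes in.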

Then I debugged the SSL VPN and got the following error;

Removed for tunnel connection setup timeout.

In the end I changed TWO things and it started to work. Firstly, I uninstalled the FortiClient and installed the latest version.

Secondly, I looked at my SSL VPN settings and noticed the group was set to a firewall group and NOT my LDAP (Active Directory) group, which I changed.

Other possible fixes I found on my trawl, that were not applicable to me;

  • Active Directory user account problem (account or password expired).
  • There's no firewall policy for the SSL VPN traffic (see this article).
  • Your AD password is using some 'odd characters' (test with an alphanumeric password).
  • Your AD user has "user must change the password at next logon" enabled.
  • You're trying to connect to the SSL VPN from BEHIND the FortiGate (not outside).

So this seems like a very generic error. If you come up with a different fix, or one that didn't work for me but worked for you, please take the time to post below to help the next technical traveller.

Related Articles, References, Credits, or External Links

NA

FortiGate FSSO AD Groups not Appearing?

FSSO KB ID 0001794

Problem

While recently needing to add a new AD group to my firewall's FSSO setup (to be used in a policy), the new group could not be seen (it's called GS-Web-Block-Override).

FSSO Force Sync

The common fix for this is to create a filter on your FSSO agent server that will ONLY look for the groups you specify, like so.

However, in my case that didn't work either! I spent ages trawling Forti pages and Reddit until I came across the following command (I've lost the original link, so I can't credit the poster).

[box]

execute fsso refresh

[/box]

Then, as if by magic, my group appeared!

Related Articles, References, Credits, or External Links

NA

What is a Container?

Container KB ID 0001793

Problem

Google 'containers' and the net is full of people with whiteboards talking at a very low level about containers. They also appear to be largely developer and DevOps related (which is understandable), but if you simply want to understand the concept of what a container is, that's a lot of YouTube watching to pick out some basic concepts, particularly if you're an IT pro, engineer, or solutions architect.

Simple Container

Before we look at containers, let's look at a concept we have had for about fifteen years now: the virtual machine.

Here we use a hypervisor (Type 1, e.g. vSphere/ESXi or Hyper-V; Type 2, e.g. Parallels, Fusion, VMware Workstation, or VirtualBox) to create a virtual machine. The virtual machine runs its own operating system, and you install your applications on that operating system. The whole thing runs on the hypervisor and, for the most part, the machine does not even know it's virtualised.

A hypervisor allows a 'bunch of files' to behave like a physical machine.

A container is slightly different. Where a hypervisor's job is to separate the machine from the hardware, by supplying it with a set of virtualised hardware so that the virtual machine thinks it's running on hardware, the container engine (in this case Docker) separates the applications from the operating system: each application gets its own isolated view of the OS (its own filesystem, process tree, and network stack, carved out with kernel namespaces and cgroups), so the application thinks it has an operating system to itself, while every container on the host actually shares the one host kernel.

A container engine allows a portable image to behave like an application.

The above diagram is simply to illustrate the point. What is actually happening is that, within the operating system, the Docker engine puts each application into its own CONTAINER and supplies that container with all the processes and OS elements the application needs to run. Each container runs separately from all the others and can be started and stopped independently (separately, but not as separately as a VM: because the kernel is shared, a kernel vulnerability, a container run with --privileged, or a careless host mount can reach the host and every other container on it), so a better representation of what's happening is this;

That's pretty much it! What you will find, though, is that a lot of people have their containers running in a virtual machine that's running on a hypervisor. Some people will recoil in horror and say that's NOT what you should be doing (unless they work for VMware, of course), but there is a sound reason for it: the VM boundary gives you hardware-enforced isolation that a shared kernel does not. That scenario looks a little more like this;

Related Articles, References, Credits, or External Links

NA

DC Promotion fails 'FRS is Deprecated'

FRS is Deprecated KB ID 0001579

Problem

Error seen when attempting to add a new domain controller to an existing domain;

Verification of replica failed. The specified domain {Domain-Name} is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated.

The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain.

You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing.

Solution: FRS is Deprecated

Before proceeding you MUST ensure all your existing domain controllers are AT LEAST Windows Server 2008, and your domain functional level must be Windows Server 2008 or higher. It would also be a good move to make sure all your DCs are replicating cleanly, and to take a system state backup of a DC before you start: once the migration reaches the final (Eliminated) state it cannot be reversed.

You need to go to one of your existing (legacy) domain controllers, open an elevated PowerShell or command prompt as a Domain Admin, and carry out the following procedure.

First, make sure that no one's messed about with this before: issue the following command and make sure the migration process has not been previously started (the global state should be 'Start');

[box]

dfsrmig /getglobalstate

[/box]

Start the process.

[box]

dfsrmig /setglobalstate 1

[/box]

It can take a while (even if you only have one domain controller!). Keep checking the status with the command 'dfsrmig /getmigrationstate' until it says all the domain controllers have migrated to global state 'Prepared'.

Change the process to state 2 (Redirected).

[box]

dfsrmig /setglobalstate 2

[/box]

This typically completes a bit faster than the first state. Keep checking the status with the command you used before, until it says all the domain controllers have migrated to global state 'Redirected'.

Change the process to state 3 (Eliminated).

[box]

dfsrmig /setglobalstate 3

[/box]

As before, keep checking the status with the same command until it says all the domain controllers have migrated to global state 'Eliminated' (the output ends with 'Succeeded'). Up to 'Redirected' you can roll back by setting a lower state; once 'Eliminated' completes there is no going back.

On the 'old' domain controllers, you need to disable the NTFRS service and stop it.

[box]

Set-Service ntfrs -StartupType Disabled
Stop-Service ntfrs

[/box]

Now attempt to promote your new domain controller again.
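The whole procedure above, driven from one script so that the prerequisite checks, the three state changes, the polling, and the FRS shutdown happen in order and the script stops rather than guessing if anything looks wrong. This is an added example, not code from the original article or from Microsoft. It assumes the ActiveDirectory RSAT module is installed on the DC you run it from, that WinRM is enabled on the DCs (for the final service shutdown), and that the phrase 'migrated successfully' matches the line dfsrmig /getmigrationstate prints once every DC has reached the requested state.

```powershell
# Added example, not from the original article: runs the FRS -> DFSR SYSVOL
# migration end to end and refuses to start if the prerequisites are not met.
# Run it in an elevated Windows PowerShell session, as a Domain Admin, on an
# existing writable DC. Assumptions: the ActiveDirectory RSAT module is present,
# WinRM is enabled on the DCs, and 'migrated successfully' matches what
# dfsrmig /getmigrationstate prints once every DC has reached the state.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

function Test-DfsrMigrationPrereqs {
    # $true only if the domain functional level is 2008+, no DC is older than
    # Windows Server 2008, and AD reports no replication failures.
    $domain = Get-ADDomain
    $ok = $true
    if ([string]$domain.DomainMode -in @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')) {
        Write-Warning "Domain functional level is $($domain.DomainMode); raise it to 2008 or higher first"
        $ok = $false
    }
    foreach ($dc in Get-ADDomainController -Filter *) {
        if ($dc.OperatingSystem -match 'Windows (2000|Server 2003)') {
            Write-Warning "$($dc.HostName) runs $($dc.OperatingSystem); upgrade or demote it first"
            $ok = $false
        }
    }
    $failures = @(Get-ADReplicationFailure -Scope Domain -ErrorAction SilentlyContinue)
    if ($failures.Count -gt 0) {
        $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize | Out-String | Write-Warning
        $ok = $false
    }
    return $ok
}

function Get-DfsrGlobalState {
    # dfsrmig /getglobalstate prints e.g. "Current DFSR global state: 'Start'".
    $out = (& dfsrmig.exe /getglobalstate) -join ' '
    if ($out -match "global state: '([^']+)'") { return $Matches[1] }
    throw "Unexpected dfsrmig output: $out"
}

function Wait-DfsrGlobalState {
    # Requests the next global state and polls until every DC reports it.
    param([ValidateRange(1, 3)][int]$State, [int]$PollSeconds = 60, [int]$MaxMinutes = 120)
    $names = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
    Write-Host "Setting global state $State ($($names[$State]))"
    & dfsrmig.exe /setglobalstate $State | Write-Host
    $deadline = (Get-Date).AddMinutes($MaxMinutes)
    do {
        # The state travels by AD replication; a push sync speeds it along.
        & repadmin.exe /syncall /AdeP | Out-Null
        Start-Sleep -Seconds $PollSeconds
        $status = (& dfsrmig.exe /getmigrationstate) -join "`n"
        Write-Host $status
        if ($status -match 'migrated successfully') { return }
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for all DCs to reach '$($names[$State])'; check replication and rerun"
}

if (-not (Test-DfsrMigrationPrereqs)) { throw 'Prerequisites not met; fix the warnings above' }

$state = Get-DfsrGlobalState
if ($state -ne 'Start') {
    throw "Migration already in progress (global state '$state'); continue from there rather than restarting"
}

1..3 | ForEach-Object { Wait-DfsrGlobalState -State $_ }

# FRS no longer replicates SYSVOL; stop and disable it on every DC. Only skip
# this if FRS is still used for a non-SYSVOL replica set, which is rare.
foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Set-Service -Name ntfrs -StartupType Disabled
        Stop-Service -Name ntfrs -ErrorAction SilentlyContinue
    }
}
Write-Host 'SYSVOL is now on DFSR; retry the promotion of the new DC.'
```

The script deliberately throws if the global state is anything other than 'Start', for the same reason the article says to check it first: if someone has already moved the domain part-way, you want to pick up from the current state, not re-issue state 1. The timeout per state is generous because the transitions wait on AD replication; a domain with one DC will still take a few minutes.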

Related Articles, References, Credits, or External Links

NA