If you have a FortiClient deployment and a few clients with problems, use the feedback windows (or the lack of them) as your first clue.
1st up: a bad Pre-Shared Key
That should need no explanation outside of re-keying your PSK.
Next, bad logins:
Here it's tricky
1: a bad group-id
2: a bad username
3: or a bad password
Always validate that the user is correct.
A group defined in the client and the FortiGate where the user is NOT part of that group is also a cause of bad login.
Let's say you have a VPN peer-id set and an authserver group, and the actual VPN user is not part of the group: the FortiGate will return the generic bad-login.
If you still have issues you might need to run FortiGate CLI diag debug cmds
e.g.
diag debug enable
diag debug application ike -1
Use the diag vpn ike filter on the client_address that's trying to connect in a heavily used FortiClient deployment, otherwise the debug output from every other client buries the one you care about.
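Triaging that debug output by hand on a busy gateway is tedious, so here is an added helper (not code from the post or from Fortinet) that does what the filter step above does and then maps each client's last IKE event onto the post's buckets: bad PSK, bad login, proposal mismatch, or never reached the gateway. The sample debug text is constructed, and the line format and failure phrases are assumptions modelled on FortiOS IKE debug wording; adjust CAUSE_PATTERNS to whatever your firmware actually prints.

```python
import re
from collections import defaultdict

# Constructed sample of FortiGate IKE debug output. The line format and the
# wording of the failure messages are assumptions modelled on FortiOS
# "diag debug application ike -1" text, not output captured from the
# author's gateway. Each exchange starts with a "comes <client>:<port>->" line.
SAMPLE_IKE_DEBUG = """\
ike 0: comes 203.0.113.10:500->198.51.100.1:500,ifindex=5....
ike 0:FCT_VPN:12: responder: main mode get 1st message...
ike 0:FCT_VPN:12: no SA proposal chosen
ike 0: comes 203.0.113.22:4500->198.51.100.1:4500,ifindex=5....
ike 0:FCT_VPN:13: responder: main mode get 3rd message...
ike 0:FCT_VPN:13: probable pre-shared secret mismatch
ike 0: comes 203.0.113.33:500->198.51.100.1:500,ifindex=5....
ike 0:FCT_VPN:14: XAUTH user 'jdoe' authentication failed
ike 0: comes 203.0.113.40:500->198.51.100.1:500,ifindex=5....
ike 0:FCT_VPN:15: ISAKMP SA established
"""

# Hypothetical phrase-to-cause table following the post's buckets
# (bad PSK, bad login, proposal mismatch) plus a success marker.
CAUSE_PATTERNS = [
    (re.compile(r"no SA proposal chosen"), "proposal-mismatch"),
    (re.compile(r"pre-shared secret mismatch"), "bad-psk"),
    (re.compile(r"authentication failed"), "bad-login"),
    (re.compile(r"SA established"), "established"),
]

PEER_RE = re.compile(r"^ike \d+: comes (?P<addr>\d+(?:\.\d+){3}):(?P<port>\d+)->")


def parse_ike_debug(text):
    """Yield (client_addr, client_port, line) for each line attributed to a peer.

    A 'comes addr:port->' line names the client that the following lines
    belong to, so that peer is carried forward until the next 'comes' line.
    """
    peer = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = (m.group("addr"), int(m.group("port")))
            continue
        if peer is not None:
            yield peer[0], peer[1], line


def triage(text, client_addr=None):
    """Group classified events per client; client_addr narrows the view to one
    peer, the same idea as filtering the IKE debug on a busy gateway."""
    results = defaultdict(lambda: {"nat_t": False, "events": []})
    for addr, port, line in parse_ike_debug(text):
        if client_addr is not None and addr != client_addr:
            continue
        entry = results[addr]
        if port == 4500:
            entry["nat_t"] = True  # UDP/4500 means the client is using NAT-T encapsulation
        for pattern, cause in CAUSE_PATTERNS:
            if pattern.search(line):
                entry["events"].append(cause)
                break
    return dict(results)


def diagnose_client(text, client_addr):
    """Return the verdict for one client, mapping onto the post's checklist."""
    found = triage(text, client_addr).get(client_addr)
    if found is None:
        # No IKE traffic from this address at all: the client never reached
        # the gateway (wrong address, UDP/500 or 4500 blocked, upstream NAT).
        return {"reached": False, "nat_t": False, "events": [], "verdict": "unreached"}
    verdict = found["events"][-1] if found["events"] else "no-classified-event"
    return {"reached": True, "nat_t": found["nat_t"], "events": found["events"], "verdict": verdict}


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.22", "203.0.113.33", "203.0.113.40", "203.0.113.99"):
        print(addr, diagnose_client(SAMPLE_IKE_DEBUG, addr))
```

Pipe the captured debug text in and call diagnose_client with the client's public address; an "unreached" verdict with no lines at all is the strongest signal that the problem is upstream of the FortiGate rather than in the tunnel settings.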
Lastly, if a client tries to connect to a FortiGate and gets no pop-up windows, this is a good indication of one or more of the following:
1: the client didn't reach the FortiGate
2: the client IKE proposal was not matched and accepted
3: NAT or NAT-T issues
4: the client had the wrong address configured (see #1 above)
5: or a combination of the above
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \