After upgrading to the latest 7.2 to address the SSL-VPN RCE CVE, SSL-VPN access and the portal stopped working… has anyone else encountered this issue?
So after a 4-hour TAC session we narrowed it down: after the upgrade from 7.2.4 to 7.2.5 the local-in policies for sslvpnd went missing (in our case 1194 TCP/UDP).
Even after manually setting up a local-in policy, no traffic is forwarded to sslvpnd.
But in the traffic flow you can see that the packets are received by the FortiGate and get dropped by policy-249xxx5, which is the highest possible policy ID + 1.
So the highest assignable ID is xxxxx4 and the one causing the drop is xxxxx5.
So we assumed an error in the sslvpnd initialization process.
I will post the exact error message and trace excerpt tomorrow under this comment.
Even upgrading to 7.4 didn’t fix the issue…
After downgrading to 7.2.4 everything started working again.
Yep, noticed this also. Upgraded from 7.2.3 to 7.2.5 on 101E on-prem devices.
After the upgrade the internal IP for the FG GUI stopped working (luckily I had enabled GUI on the WAN interface). I couldn’t ping/RDP from my on-prem network to Azure servers and vice versa.
Did a few reboots but nothing. I ended up going back to 7.2.3 and all connectivity was restored.
Might just downgrade from 7.2.3 to 7.0.12 over the next few days.
What model is your FortiGate device?
I’m having the same problem; after the update the SSL VPN is not working anymore.
Packets are received and shown in the capture, but the portal is not answering even though it is allowed from all sources… the SSL VPN client aborts the connection at 10% with an unreachable message.
How are you authenticating your VPN clients? I’ve heard some people say that it breaks RADIUS authentication and requires a fix.
If it’s any help I just upgraded from 7.2.4 to 7.2.5 on a 400e and a 100f on Sunday. Due to the announcement I had disabled SSL VPN and the portal all day Sunday until the upgrade. Once I did the upgrade I re-enabled everything and it’s all working. These were using LDAP auth with fortitokens. Everything is working fine. Try disabling and re-enabling both ssl-vpn and the portal.
I had an issue back in the 7.0.x branch that the SSL VPN stopped responding after I created a DHCP reservation. (Yeah, weird right?) Disabling and re-enabling the SSL VPN brought it back.
Are you using the pppoe interface?
Resolved by using the solution stated by u/kangming716.
Shame on you, Fortinet.
7.4.0 for the win. Much more stable than 7.2.4 and 0 known vulnerabilities.
Running on 40Fs, 60Fs, 80Fs, 101Fs (HA A-P), and 200F (HA A-P).
Anyone tried this upgrade with SSL VPN that is using SAML login with Azure MFA as the RADIUS target?
We actually had the same issue today. We have multiple WAN interfaces with many IP addresses, and the interface we used on 7.2.4 didn’t work anymore after the 7.2.5 upgrade… couldn’t find anything in the logs. I switched to one of the other interfaces with another IP and it worked again… sounds like a bug to me.
TAC came back to us with the below for 6.4.13:
The problem was caused by a bug in 6.4.13 where hardware acceleration for the SSLVPN cipher and KXP causes issues; the workaround is to disable both:

```
config system global
    set sslvpn-cipher-hardware-acceleration disable
    set sslvpn-kxp-hardware-acceleration disable
end
```

This is not an issue in 7.2 and 7.4.
Hi all, just an update on this. The original issue with SSL VPN reported here was confirmed to be an issue with a PPPoE interface being used as the source-interface for SSL VPN.
Thanks to u/kangming716 (our Fortinet team), we’ve identified the problem and have a fix for it in the 7.2.6 and 7.4.1 versions. We’ll add this to the known issues for 7.2.5 and 7.4.0 soon.
A workaround is also identified. Please try the steps below to see if it works for you.
- Delete the existing PPPoE interface in "config system pppoe-interface" (it needs to be de-referenced first). The existing entry looks like this:

```
config system pppoe-interface
    edit "PPPOE"
        set device "wan1"
        set username
        set password
    next
end
```

Then delete it:

```
config system pppoe-interface
    delete "PPPOE"
end
```

- Configure the PPPoE interface again like below:

```
config system interface
    edit "wan1"
        set mode pppoe
        set username
        set password
    next
end
```

- Use it again in the SSL VPN settings:

```
config vpn ssl settings
    set source-interface "wan1"
end
```
Thank you u/cbka1 for working with us on this issue.
```
2023/06/13 14:45:11,"vd-root:0 received a packet(proto=6, 37.xx.xx.xx:51178->217.xxx.xxx.xxx:1194) tun_id=0.0.0.0 from pppoe-vlan7. flag [S], seq 1425555411, ack 0, win 64240"
2023/06/13 14:45:11,"allocate a new session-00046107, tun_id=0.0.0.0"
2023/06/13 14:45:11,"in-[pppoe-vlan7], out-"
2023/06/13 14:45:11,len=0
2023/06/13 14:45:11,"result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023/06/13 14:45:11,find a route: flag=80000000 gw-217.xxx.xxx.xxx via root
2023/06/13 14:45:11,"in-[pppoe-vlan7], out-, skb_flags-02000000, vid-0"
2023/06/13 14:45:11,"gnum-100017, check-ffffffbffc02be64"
2023/06/13 14:45:11,"after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023/06/13 14:45:11,"in-[pppoe-vlan7], out-, skb_flags-02000000, vid-0"
2023/06/13 14:45:11,"gnum-100011, check-ffffffbffc02cec0"
2023/06/13 14:45:11,"after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2023/06/13 14:45:11,"gnum-100001, check-ffffffbffc02be64"
2023/06/13 14:45:11,"checked gnum-100001 policy-1, ret-matched, act-accept"
2023/06/13 14:45:11,ret-matched
2023/06/13 14:45:11,"policy-1 is matched, act-accept"
2023/06/13 14:45:11,"gnum-100001 check result: ret-matched, act-accept, flag-08010000, flag2-00000000"
2023/06/13 14:45:11,"after check: ret-matched, act-accept, flag-08010000, flag2-00000000"
2023/06/13 14:45:11,"gnum-10000e, check-ffffffbffc02be64"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-matched, act-accept"
2023/06/13 14:45:11,"policy-4294967295 is matched, act-drop"
2023/06/13 14:45:11,"gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023/06/13 14:45:11,"after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023/06/13 14:45:11,"gnum-10000f, check-ffffffbffc02be64"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023/06/13 14:45:11,"policy-4294967295 is matched, act-drop"
2023/06/13 14:45:11,"gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023/06/13 14:45:11,"after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023/06/13 14:45:11,"iprope_in_check() check failed on policy 0, drop"
```
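Reading a trace like the one above by hand is slow when every local-in group repeats its "checked" line dozens of times. The following is an added example, not code from the thread or from Fortinet: it reduces a debug-flow trace to the packet, the verdict of each policy group (gnum) and the policy IDs that were tested, and flags when the drop came solely from policy 4294967295 (0xFFFFFFFF, one past the highest assignable ID, which the thread identifies as the implicit deny). The sample trace is a trimmed, constructed copy of the posted one; the regexes assume the line shapes visible there.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the "diagnose debug flow" trace posted above.
SAMPLE_TRACE = """\
2023/06/13 14:45:11,"vd-root:0 received a packet(proto=6, 37.xx.xx.xx:51178->217.xxx.xxx.xxx:1194) tun_id=0.0.0.0 from pppoe-vlan7. flag [S], seq 1425555411, ack 0, win 64240"
2023/06/13 14:45:11,"allocate a new session-00046107, tun_id=0.0.0.0"
2023/06/13 14:45:11,"gnum-100001, check-ffffffbffc02be64"
2023/06/13 14:45:11,"checked gnum-100001 policy-1, ret-matched, act-accept"
2023/06/13 14:45:11,"gnum-100001 check result: ret-matched, act-accept, flag-08010000, flag2-00000000"
2023/06/13 14:45:11,"gnum-10000e, check-ffffffbffc02be64"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023/06/13 14:45:11,"checked gnum-10000e policy-4294967295, ret-matched, act-accept"
2023/06/13 14:45:11,"policy-4294967295 is matched, act-drop"
2023/06/13 14:45:11,"gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023/06/13 14:45:11,"iprope_in_check() check failed on policy 0, drop"
"""

# 4294967295 == 0xFFFFFFFF: one past the highest assignable policy ID, i.e. the implicit deny.
IMPLICIT_DENY_ID = 0xFFFFFFFF
PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\) tun_id=\S+ from (\S+?)\.")
CHECKED_RE = re.compile(r"checked gnum-([0-9a-f]+) policy-(\d+), ret-([a-z-]+), act-([a-z]+)")
RESULT_RE = re.compile(r"gnum-([0-9a-f]+) check result: ret-([a-z-]+), act-([a-z]+)")
DROP_RE = re.compile(r"iprope_in_check\(\) check failed on policy \d+, drop")

def parse_flow(trace):
    """Reduce a debug-flow trace to the packet, per-group (gnum) verdicts and the final drop."""
    summary = {"packet": None, "groups": {}, "checks": defaultdict(int), "dropped": False}
    for line in trace.splitlines():
        # Drop the timestamp and the straight or curly quotes that pasted output carries.
        msg = line.split(",", 1)[1].strip().strip('"\u201c\u201d') if "," in line else line
        if m := PKT_RE.search(msg):
            summary["packet"] = {"proto": int(m[1]), "src": m[2], "sport": int(m[3]),
                                 "dst": m[4], "dport": int(m[5]), "ingress": m[6]}
        elif m := CHECKED_RE.search(msg):
            summary["checks"][(m[1], int(m[2]))] += 1   # how often each policy was tested
        elif m := RESULT_RE.search(msg):
            summary["groups"][m[1]] = {"ret": m[2], "act": m[3]}
        elif DROP_RE.search(msg):
            summary["dropped"] = True
    return summary

def drop_reason(summary):
    """Return (gnum, policy IDs tested, hit_implicit_deny) for the first group that dropped."""
    for gnum, verdict in summary["groups"].items():
        if verdict["ret"] == "matched" and verdict["act"] == "drop":
            ids = sorted({pid for g, pid in summary["checks"] if g == gnum})
            return gnum, ids, all(pid == IMPLICIT_DENY_ID for pid in ids)
    return None
```

On the posted trace this points at group 10000e, where the only policy ever tested is the implicit deny, which matches the symptom described in the thread: the local-in policy that should have accepted 1194/tcp for sslvpnd is simply absent.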
Can you check if HTTPS is enabled on the internal interface that you lost GUI access to? And check if that internal IP is reachable from your network. Do SSH and ping work but not the GUI?
If the issue persists, please open a support ticket and we can take a closer look at your setup.
Ahaha, but the vulnerability is gone.
What model is your device? Did you update to version 7.2.5?