Administration Guide

Verifying and troubleshooting

The remote endpoint, WIN10-01, is ready to connect to VPN before logon. The example assumes that the endpoint already has the latest FortiClient version installed. Ensure that the endpoint can register to EMS:

To verify FortiClient is registered and received the VPN tunnel settings:
  1. In FortiClient, go to the Zero Trust Telemetry tab.
  2. In the Server address field, enter ems.ztnademo.com. This resolves to the FortiGate external virtual IP address, 10.0.3.254.

  3. Click Connect. Once connected, FortiClient receives a sync notification.

  4. On the Remote Access tab, the machine-cert-vpn tunnel appears. Click the icon beside the VPN name to view the tunnel details. Verify it matches the EMS VPN tunnel settings configured.

To verify FortiClient can connect to the VPN:

This step enables debug logs on the FortiGate to demonstrate the authentication that occurs during the connection.

  1. In FortiOS, run the following commands:

    diagnose debug enable

    diagnose debug application fnbamd -1

  2. In FortiClient on the Remote Access tab, select the machine-cert-vpn tunnel from the VPN Name dropdown list.
  3. From the Client Certificate dropdown list, select the machine client certificate that was issued to this machine.

  4. Click the eye icon beside the selected certificate. This certificate should match the computer/machine certificate in SSL VPN prelogon using AD machine certificate.
  5. Click Connect to initiate the VPN connection. If the connection succeeds, a popup indicates the VPN is up.
  6. From the FortiGate, go to the Dashboard > Network > SSL-VPN widget to see the new tunnel created. The tunnel username is identified by the common name found on the machine certificate assigned to the client. The user group that was matched, PKI-LDAP-Machine, is also indicated.

To interpret the debug logs:

From the CLI console, you can interpret the debugs as follows:

diagnose debug enable

diagnose debug application fnbamd -1

Debug messages will be on for 30 minutes.

Verify the certificate chain by looking for the following output:

[500] fnbamd_cert_verify-Following cert chain depth 0

[573] fnbamd_cert_verify-Issuer found: FortiAD.Info (SSL_DPI opt 1)

[500] fnbamd_cert_verify-Following cert chain depth 1

Verify the certificate subject, if enabled:

[675] fnbamd_cert_check_group_list-checking group with name 'PKI-Machine-Group'

[490] __check_add_peer-check 'LDAP-fortiad-Machine'

[492] __check_add_peer-'LDAP-fortiad-Machine' is not a peer user.

[490] __check_add_peer-check 'PKI-LDAP-Machine'

[366] peer_subject_cn_check-Cert subject 'CN = WIN10-01.fortiad.info'

Obtain the UPN from the certificate subject alternative name (SAN) field. In this case, it is the DNS name:

[426] __cert_ldap_query-LDAP query, idx 0

[448] __cert_ldap_query-UPN = 'WIN10-01.fortiad.info'

Filter the LDAP query to perform a lookup on the UPN attribute in the fortiad.info directory:

[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=WIN10-01.fortiad.info)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

[1728] fnbamd_ldap_init-search base is: dc=fortiad,dc=info

Verify LDAP connection and user binding:

[1108] __ldap_connect-tcps_connect(10.88.0.1) is established.

[986] __ldap_rxtx-state 3(Admin Binding)

[363] __ldap_build_bind_req-Binding to 'fortiad\Administrator'

[1083] fnbamd_ldap_send-sending 43 bytes to 10.88.0.1

Beginning of DN search:

[1053] __ldap_rxtx-Change state to 'DN search'

[986] __ldap_rxtx-state 11(DN search)

[750] fnbamd_ldap_build_dn_search_req-base:'dc=fortiad,dc=info' filter:(&(userPrincipalName=WIN10-01.fortiad.info)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

DN entry found for the desired filter:

[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info'

Begin searching for the memberOf attribute of the DN entry:

[649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'

[661] fnbamd_ldap_build_attr_search_req-base:'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info' filter:cn=*

[1083] fnbamd_ldap_send-sending 119 bytes to 10.88.0.1

Found all groups including the primary group:

[522] __retrieve_group_values-Get the memberOf groups.

[532] __retrieve_group_values- attr='memberOf', found 1 values

[542] __retrieve_group_values-val[0]='CN=VPNComputers,CN=Users,DC=fortiad,DC=info'

[1127] __fnbamd_ldap_read-Read 8

[1053] __ldap_rxtx-Change state to 'Primary group query'

[986] __ldap_rxtx-state 13(Primary group query)

[472] __get_one_group-group: CN=Domain Computers,CN=Users,DC=fortiad,DC=info

[1127] __fnbamd_ldap_read-Read 8

Authentication is accepted, matching the FortiGate PKI-LDAP-Machine PKI peer:

[1431] __fnbamd_ldap_primary_grp_next-Auth accepted

[377] __cert_ldap_query_cb-LDAP ret=0, server='LDAP-fortiad-Machine', req_id=1534052817

[388] __cert_ldap_query_cb-Matched peer 'PKI-LDAP-Machine'

[755] __ldap_destroy-

[271] __cert_resume-req_id=1534052817

[99] __cert_chg_st- 'Status-Query' -> 'Done'

User group PKI-Machine-Group is matched:

[833] fnbamd_cert_check_matched_groups-checking group with name 'PKI-Machine-Group'

[121] fnbamd_ldap_dn_match-DN 'CN=VPNComputers,CN=Users,DC=fortiad,DC=info' is matched with 'CN=VPNComputers,CN=Users,DC=fortiad,DC=info', idx=0.

[895] fnbamd_cert_check_matched_groups-matched
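To turn the walkthrough above into a repeatable check, here is an added Python helper (not Fortinet's code) that scans fnbamd debug output for each stage this section describes, reports the first stage the flow never reached, and confirms the LDAP filter excludes disabled computer accounts. The sample log lines are constructed from the values shown above.

```python
import re

# Constructed sample: fnbamd debug lines in the shape this page walks through (one per stage).
SAMPLE_LOG = """\
[366] peer_subject_cn_check-Cert subject 'CN = WIN10-01.fortiad.info'
[448] __cert_ldap_query-UPN = 'WIN10-01.fortiad.info'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=WIN10-01.fortiad.info)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info'
[542] __retrieve_group_values-val[0]='CN=VPNComputers,CN=Users,DC=fortiad,DC=info'
[388] __cert_ldap_query_cb-Matched peer 'PKI-LDAP-Machine'
[121] fnbamd_ldap_dn_match-DN 'CN=VPNComputers,CN=Users,DC=fortiad,DC=info' is matched with 'CN=VPNComputers,CN=Users,DC=fortiad,DC=info', idx=0.
[895] fnbamd_cert_check_matched_groups-matched
"""

# Stages in the order fnbamd performs them; each regex captures that stage's key value.
STAGES = [
    ("subject", re.compile(r"peer_subject_cn_check-Cert subject '(.+?)'")),
    ("upn", re.compile(r"__cert_ldap_query-UPN = '(.+?)'")),
    ("filter", re.compile(r"fnbamd_ldap_init-search filter is: (.+)$")),
    ("dn", re.compile(r"__fnbamd_ldap_dn_entry-Get DN '(.+?)'")),
    ("memberof", re.compile(r"__retrieve_group_values-val\[\d+\]='(.+?)'")),
    ("peer", re.compile(r"__cert_ldap_query_cb-Matched peer '(.+?)'")),
    ("group", re.compile(r"fnbamd_ldap_dn_match-DN '(.+?)' is matched with")),
    ("matched", re.compile(r"(fnbamd_cert_check_matched_groups-matched)$")),
]

def parse_fnbamd(log):
    """Collect the key value of every stage seen; memberOf may repeat, so it is a list."""
    found = {"memberof": []}
    for line in log.splitlines():
        for name, rx in STAGES:
            m = rx.search(line)
            if m and name == "memberof":
                found["memberof"].append(m.group(1))
            elif m:
                found[name] = m.group(1)
    return found

def first_missing_stage(found):
    """Name of the first stage the flow never reached, or None if the group match completed."""
    for name, _ in STAGES:
        if name == "memberof" and not found["memberof"]:
            return name
        if name != "memberof" and name not in found:
            return name
    return None

def excludes_disabled_accounts(ldap_filter):
    """True when the filter carries the bitwise-AND rule that drops ACCOUNTDISABLE (UserAccountControl bit 2)."""
    return "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" in ldap_filter
```

Run it over the output of diagnose debug application fnbamd -1; a stage reported as missing is where the certificate-to-group lookup stopped, for example "dn" when the UPN lookup finds no computer object.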

To verify FortiClient can connect to the tunnel during Windows logon:

The earlier test verified a user can connect to the VPN using the machine certificate. The following verifies that FortiClient can connect to the VPN during Windows logon.

  1. Disconnect the current VPN connection by clicking Disconnect on the FortiClient Remote Access tab. A VPN down notification appears on the endpoint.
  2. In FortiOS, verify the VPN is down in Dashboard > Network > SSL-VPN widget.
  3. Sign out of the current Windows session to arrive at the Windows logon screen.
  4. In the user sign-in page, the VPN tunnel prompt appears.

    If the prompt for VPN tunnel does not appear, click Sign-in options and select the FortiClient icon.

  5. Enter the user password and sign in to Windows. Windows shows the progress and briefly shows a Connecting to VPN (machine-cert-vpn)… message. A message appears to indicate the VPN connection succeeded.
  6. On the FortiGate, verify the connection is up.
