Comments (25)

adrienverge commented on July 18, 2024

Hi,
Authentication failure probably means openfortivpn is not (yet) compatible with your gateway VPN version. Do you know what version it is?

from openfortivpn.

tuxmaster commented on July 18, 2024

No, I don't have any information about it.

snipi123 commented on July 18, 2024

Hi,
I am experiencing exactly the same behaviour, using openfortivpn version 1.1.4 on Fedora, Fortigate firmware is 5.2.4.

4ndrej commented on July 18, 2024

Hello,
same problem persists on openfortivpn-1.1.4-1.fc23.x86_64.
If you need some debugging support feel free to contact me.

4ndrej commented on July 18, 2024

I had never logged on to https://host:port/ from the browser.

I have to log on to https://host:port/ from the browser to persuade the Fortinet to issue the cookie, which is later consumed by the openfortivpn command line application, and then it starts to work nicely.

This seems to be a bug in openfortivpn, in that it relies on a previous login on the webpage. This should be done automagically, since the webpage, login and password are known to openfortivpn.

adrienverge commented on July 18, 2024

Hi @4ndrej, thanks for this information.

Have you tried the latest version? (I just made a fc23 build for you at https://kojipkgs.fedoraproject.org//work/tasks/3662/15863662/openfortivpn-debuginfo-1.2.0-1.fc23.x86_64.rpm)

If it doesn't work, do you feel like changing the code to automate the logon you describe? Contributions are welcome! (Unfortunately I don't have much time to do it myself, and I can't test my changes since I don't have access to a Fortinet VPN anymore.)

4ndrej commented on July 18, 2024

Hello @adrienverge,
I installed your build and it's the same behaviour. Non-root VPN is not working, root VPN is working fine.
I am not sure what I am supposed to do with your openfortivpn-debuginfo, but it complains:

openfortivpn.debug
bash: ./openfortivpn.debug: bad ELF interpreter: No such file or directory

When I start the VPN through Network Manager it does not work, as it was not working before.
Here is the log:
Sep 30 00:22:02 iks NetworkManager[1207]: VPN connection 'FortiSSL' (ConnectInteractive) reply received.
Sep 30 00:22:02 iks NetworkManager: ** Message: openfortivpn started with pid 28262
Sep 30 00:22:02 iks NetworkManager[1207]: VPN plugin state changed: starting (3)
Sep 30 00:22:02 iks NetworkManager[1207]: VPN connection 'FortiSSL' (Connect) reply received.
Sep 30 00:22:02 iks NetworkManager: INFO: Connected to gateway.
Sep 30 00:22:02 iks NetworkManager: INFO: Authenticated.
Sep 30 00:22:02 iks NetworkManager: INFO: Remote gateway has allocated a VPN.
Sep 30 00:22:02 iks audit: AVC avc: denied { read write } for pid=28262 comm="openfortivpn" name="ptmx" dev="devtmpfs" ino=1121 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
Sep 30 00:22:02 iks NetworkManager: ERROR: forkpty: No such file or directory
Sep 30 00:22:02 iks NetworkManager: INFO: Closed connection to gateway.
Sep 30 00:22:02 iks NetworkManager: INFO: Logged out.
Sep 30 00:22:02 iks NetworkManager[1207]: VPN plugin state changed: stopped (6)
Sep 30 00:22:02 iks NetworkManager[1207]: VPN plugin state change reason: unknown (0)
Sep 30 00:22:02 iks NetworkManager[1207]: error disconnecting VPN: Could not process the request because no VPN connection was active.

I am not sure what the output of my hacking the sources could be; it's been ages since I compiled my last C++ project, so my effectiveness will be near zero. I can test the builds if you provide some howto.

sibela commented on July 18, 2024

Hi,
I have installed and compiled openfortivpn as you described on macOS Sierra (10.12 (16A323)).
sudo openfortivpn --version
1.1.3
But while I try to connect, I get: Could not authenticate to gateway (No cookie given).
Could you please assist me with this issue?
Thanks & Regards
Sibel.

sudo openfortivpn -vvv
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Config host = "XX.XX.XXX.XX"
DEBUG: Config realm = ""
DEBUG: Config port = "10443"
DEBUG: Config username = "username"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (No cookie given).
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

4ndrej commented on July 18, 2024

@sibela Log in to the XX.XX.XXX.XX website. Then connect openfortivpn again. It's a known bug.

sibela commented on July 18, 2024

Hi Andrej,
As per your comment, I connected via the website first and then connected openfortivpn; I only get the "ERROR: write: Input/output error" error. The output is like below.
But even if it seems connected at the website, the servers cannot be reached.

sudo ./openfortivpn -vvv
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Config host = "XX.XX.XXX.XX"
DEBUG: Config realm = ""
DEBUG: Config port = "10443"
DEBUG: Config username = "Username "
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=0PZgvGi2thtclT4uh/4sI8EBnE5FpznpJt9e4Zyy/qD5LrNn/d1jpVP0W4lgmcZC%0aGkoDV5pbNQjStaFbGL2ErklC0QtA9anX+0h8lWSwMTee+ZS9fFI/KXDTB7GgwPL6%0aOf1U6lSEE8r0jEeIj0T1DfqrU4/gen1VU2SxQUqmC/sE5ZsrBJfFH5a1TmTGaNjd%0a7IIQT//xsAYoJCXuMs3R2Q==%0a
INFO: Remote gateway has allocated a VPN.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: pppd_read_thread
DEBUG: ssl_read_thread
DEBUG: ssl_write_thread
DEBUG: if_config thread
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
pppd: c0 21 01 01 00 0e 01 04 05 4a 05 06 7a cc b9 73

DEBUG: gateway ---> pppd (12 bytes)
gtw: c0 21 01 01 00 0a 05 06 8b 0c 86 60

DEBUG: pppd ---> gateway (12 bytes)
pppd: c0 21 02 01 00 0a 05 06 8b 0c 86 60

DEBUG: gateway ---> pppd (16 bytes)
gtw: c0 21 02 01 00 0e 01 04 05 4a 05 06 7a cc b9 73

DEBUG: pppd ---> gateway (37 bytes)
pppd: c0 21 05 02 00 23 4d 50 50 45 20 72 65 71 75 69 72 65 64 20 62 75 74 20 6e 6f 74 20 61 76 61 69 6c 61 62 6c 65

WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
ERROR: write: Input/output error
WARN: read returned 0
INFO: Cancelling threads...
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
WARN: read returned 0
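The hex dumps in the log above are PPP LCP frames, and decoding them shows what happened right before the write error: the last frame is an LCP Terminate-Request from pppd carrying the text "MPPE required but not available". The decoder below is an added example, not openfortivpn code; it follows the LCP header and option layout from RFC 1661 and takes the five frames copied from the log as its input.

```python
# Added example: decode the LCP frames quoted in the openfortivpn debug log.
# RFC 1661 layout: 2-byte protocol (0xc021 = LCP), then code, id, 2-byte
# length, then either a list of options (type, len, data) or free-form text.
LCP_PROTOCOL = 0xC021
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack"}
LCP_OPTIONS = {1: "MRU", 5: "Magic-Number"}


def decode_lcp(hex_line):
    """Decode one 'pppd:' / 'gtw:' hex dump line from the log into a dict.

    Raises ValueError if the frame is not LCP, truncated, or malformed.
    """
    raw = bytes.fromhex(hex_line.split(":", 1)[1])
    proto = int.from_bytes(raw[:2], "big")
    if proto != LCP_PROTOCOL:
        raise ValueError(f"not an LCP frame: protocol 0x{proto:04x}")
    code, ident = raw[2], raw[3]
    length = int.from_bytes(raw[4:6], "big")  # covers code, id, length, body
    if length < 4 or length > len(raw) - 2:
        raise ValueError("truncated LCP frame")
    body = raw[6:2 + length]
    frame = {"code": LCP_CODES.get(code, f"code-{code}"), "id": ident}
    if code in (1, 2, 3, 4):      # configuration codes carry options
        frame["options"] = _decode_options(body)
    elif code in (5, 6):          # terminate codes carry optional text
        frame["message"] = body.decode("ascii", errors="replace")
    return frame


def _decode_options(body):
    opts = {}
    i = 0
    while i + 2 <= len(body):
        otype, olen = body[i], body[i + 1]
        if olen < 2 or i + olen > len(body):
            raise ValueError("malformed LCP option")
        opts[LCP_OPTIONS.get(otype, f"type-{otype}")] = int.from_bytes(body[i + 2:i + olen], "big")
        i += olen
    return opts


LOG_FRAMES = [  # copied verbatim from the debug output in this thread
    "pppd: c0 21 01 01 00 0e 01 04 05 4a 05 06 7a cc b9 73",
    "gtw: c0 21 01 01 00 0a 05 06 8b 0c 86 60",
    "pppd: c0 21 02 01 00 0a 05 06 8b 0c 86 60",
    "gtw: c0 21 02 01 00 0e 01 04 05 4a 05 06 7a cc b9 73",
    "pppd: c0 21 05 02 00 23 4d 50 50 45 20 72 65 71 75 69 72 65 64 20 62 75 74 20 6e 6f 74 20 61 76 61 69 6c 61 62 6c 65",
]

if __name__ == "__main__":
    for line in LOG_FRAMES:
        print(line.split(":")[0], decode_lcp(line))
```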

carlosporta commented on July 18, 2024

I did not fix the "ERROR: write: Input/output error", but if you get this error, try to connect through the Network Manager FortiSSL plugin. It should connect properly.

DimitriPapadopoulos commented on July 18, 2024

Just to make sure, which exact version of openfortivpn is this? You wrote:

sudo openfortivpn --version
1.1.3

I guess you meant 1.3.1, but then it might be worth checking 1.4.0.

DimitriPapadopoulos commented on July 18, 2024

@sibela Sorry, this is an old post, so it might have been 1.1.3 after all. In any case it might be worth trying out a recent version.

@caaarlos Do you actually see this error with recent versions of openfortivpn? Which version?

carlosporta commented on July 18, 2024

@DimitriPapadopoulos, I'm using 1.3.0. In Gentoo's official repository there is only the 1.3.0 version.

DimitriPapadopoulos commented on July 18, 2024

@caaarlos Alternatively you could compile a more recent version. I believe this has been fixed in openfortivpn 1.3.1 or newer.

DimitriPapadopoulos commented on July 18, 2024

Since this seems to have been fixed in openfortivpn 1.3.1 and newer, I'm closing this ticket.

gitgabrio commented on July 18, 2024

@DimitriPapadopoulos
Hello - I've built and installed the 1.4.0 version
openfortivpn --version
1.4.0
but I am still receiving the same error

DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (No cookie given).
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.

Is there anything I can try to resolve this issue?
Thanks

mrbaseman commented on July 18, 2024

Hello @gitgabrio ,

Now we have a different error. I have seen this error message ERROR: Could not authenticate to gateway (No cookie given) on my system when I had a typo in the password. Unfortunately, FortiOS on the server side always logs SSL VPN login fail [...] type=event subtype=vpn level=alert vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" [...] reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in", even if the user exists and is a member of a group that is allowed to use SSL VPN. Can you double-check the credentials and permissions?
In the earlier posts at least authentication had worked (INFO: Authenticated. [...] INFO: Remote gateway has allocated a VPN.), but now it didn't reach that point.

regards, Martin

Edit: Sorry, I just see that the first messages of this issue actually were about authentication failure like you are seeing, but then, once those problems were solved, the discussion went a bit off-topic. Anyhow, double-checking the credentials and the permission to use ssl vpn could be a new hint in this discussion.

gitgabrio commented on July 18, 2024

Hi @mrbaseman,
yes, you are correct, it was an issue with the password: it was changed and I did not update the config file.
Now it works perfectly.
I don't know if it would be possible to change the error message in this situation, anyway I agree with your suggestion.
Thanks!

mrbaseman commented on July 18, 2024

From the client side we don't see why the server closes the connection. It could be incompatibilities between client and server, it could be that the user does not exist or is not allowed to use SSL VPN, and wrong credentials are one of the possible reasons for this situation.
There is also a security aspect to why the server stays so quiet before a user is correctly authenticated: if it were more verbose, the information leaked by the server would help an attacker to enumerate login names and to draw conclusions about how to continue a series of attacks with minimal effort. And that's what one wants to avoid under any circumstances.
The other part of the story is the log on the server side (unrelated to openfortivpn): I have also opened a ticket with Fortinet to make the log entry on the server side more accurate about the real cause of the hangup, but received just a vague answer that it is difficult to change the log messages for an already released OS version, and maybe there will be an improvement in a future major release (I haven't looked at 5.6 yet; maybe it is more transparent there).
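The point made above, that a gateway should answer every failed login identically to the client while recording the real reason only in its own log, as an added example that is neither openfortivpn nor FortiOS code. The user records, password hashes and log format are constructed sample data, and the client-facing text reuses the openfortivpn error from this thread.

```python
# Added example: a login check that leaks which accounts exist, next to one
# that gives a single client-facing answer and keeps the reason server-side.
import hashlib
import hmac
import os

SALT = os.urandom(16)  # constructed; a real gateway stores a per-user salt


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed users: name -> (password hash, allowed to use SSL VPN)
USERS = {"alice": (_hash("correct horse"), True),
         "bob": (_hash("battery staple"), False)}
DUMMY_HASH = _hash("")  # compared for unknown users so timing stays uniform
AUDIT_LOG = []          # stands in for the gateway's own event log


def leaky_login(user, password):
    """Distinct answers tell the caller which accounts exist and are permitted."""
    if user not in USERS:
        return False, "unknown user"
    stored, allowed = USERS[user]
    if not allowed:
        return False, "user not permitted to use SSL VPN"
    if not hmac.compare_digest(stored, _hash(password)):
        return False, "wrong password"
    return True, "authenticated"


def quiet_login(user, password):
    """Same checks; one client-facing answer, the real reason goes to AUDIT_LOG."""
    stored, allowed = USERS.get(user, (DUMMY_HASH, False))
    pw_ok = hmac.compare_digest(stored, _hash(password))  # always computed
    if user not in USERS:
        reason = "unknown user"
    elif not pw_ok:
        reason = "wrong password"
    elif not allowed:
        reason = "not permitted to use SSL VPN"
    else:
        reason = None
    if reason:
        AUDIT_LOG.append(f'action="ssl-login-fail" user="{user}" reason="{reason}"')
        return False, "Could not authenticate to gateway"  # same text for every failure
    AUDIT_LOG.append(f'action="ssl-login-ok" user="{user}"')
    return True, "authenticated"
```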

nicocesar commented on July 18, 2024

In my case, I had to write a config file; it seems that the command line options (they were the same) and the password were correct, but I had a weird warning:

WARN: Bad port in config file: "0".
DEBUG: Loaded config file "/usr/local/etc/openfortivpn/config".

DimitriPapadopoulos commented on July 18, 2024

@nicocesar Not sure why you had to write a config file. Anyway the warning means /usr/local/etc/openfortivpn/config contains an incorrect port line.

The warning message should probably be fixed though, as it reports a value "0" for port even when the line looks like this:
port =

I suggest you open a new ticket for each issue you encounter.

jlchatha commented on July 18, 2024

I also experienced the ERROR: Could not authenticate to gateway (No cookie given) when connecting to a recently upgraded Fortinet gateway.

After logging in to the gateway via browser, the CLI fortinet worked.

When in the situation of no browser, lynx worked.

  1. 'yum install lynx'
  2. Enable cookies
  3. 'lynx https://you-vpn-url.com:443/'
  • Where 443 is your VPN gateway port.

DimitriPapadopoulos commented on July 18, 2024

@jlchatha Are you positive the "no cookie given" issue was solved by connecting to the gateway with a web browser? Can't it be anything else?
I'm asking because I cannot imagine a local relation between the web browser and openfortivpn on the client side. Therefore the web browser would have to change something on the FortiGate device in a way openfortivpn doesn't, which in turn would enable later openfortivpn connections. That's possible of course, but sounds far-fetched. In any case I don't know enough about the internals of FortiGate devices to be of any help here.

mrbaseman commented on July 18, 2024

In my case I think it was as follows.
I upgraded my FortiGate directly from 5.2 to 5.6, which is not recommended. Nevertheless, most things worked, but I lost local users and groups, so I had to recreate the accounts, groups, and portal mappings and then reimport policies that contain users or groups. Also, when users are recreated the FortiTokens need to be redeployed.
It took me some time to understand the whole picture and fix everything. Until then, authentication simply didn't work. Double-checking with FortiClient always helps to rule out problems with the client or its configuration.
Maybe your admin was struggling with similar problems and eventually solved them when you decided to try logging in via web browser.
The background for all this is that Fortinet has changed the password hashing algorithm. When upgrading from FortiOS 5.2 to 5.6 one should follow the instructions in the release notes and go via 5.4. In this procedure I think the hashes are converted somehow, but when upgrading directly, 5.6 doesn't understand the old hashes during import of the configuration, and just skips everything that depends on objects that contain something which cannot be imported into a mandatory setting (a user must have a password hash).