Troubleshooting FortiGate SSLVPN problems

Configuring SSLVPN with FortiGate and FortiClient is pretty easy. Nevertheless, problems may occur while establishing or using the SSLVPN connection. The percentage at which FortiClient stops, and the messages in the FortiGate debug output, usually point to the failing stage.

If the SSLVPN negotiation stops at a specific percentage, that percentage tells you which stage failed:

  • 10% – there is a problem with the network connection to the FortiGate. Verify that the client has internet access and can reach the FortiGate, and double-check that the FortiClient profile points to the correct IP address (or hostname) and port of the FortiGate.
  • 31% – this stage is also reported as Error -5029 and indicates a TLS version mismatch. Check whether a TLS version accepted by the FortiGate is enabled on the client.
  • 40% – there is a problem with the certificate or the TLS negotiation. If you are using the default FortiGate certificate, the client most likely does not trust it. In that case the user is shown a popup window to confirm the validity of the certificate; make sure this popup is not hidden behind other windows. If the client checks the certificate against a CRL or via OCSP, make sure the FortiGate certificate can actually be checked that way (the CRL distribution point or OCSP responder must be reachable from the client).
    Additionally, the TLS versions of the client and the FortiGate may not match. This KB article describes how to check the TLS versions for SSLVPN on the FortiGate, and this KB article explains how to check the TLS versions on a Windows client.
  • 48% – the two-factor authentication (2FA) step failed. Check the token or one-time code and the 2FA settings of the user on the FortiGate or on the remote authentication server.
  • 80% – at this stage the username and password are verified. Check the user, user group, portal and firewall policy configuration on the FortiGate. If you are using a remote authentication server, you can troubleshoot that communication with the following KB articles: RADIUS and LDAP. Another reason for a failure at 80% is that the wrong realm is addressed; double-check that you are using the correct realm.
  • 98% – hopefully you do not get stuck at this point… this is most likely caused by a corrupted FortiClient installation and/or an OS problem and can usually be solved by reinstalling the FortiClient software. See also the update on IPv6 problems further down, which produces the same symptom.

Other error messages

“Unable to establish the VPN connection. The VPN server may be unreachable.”

This message appears if:
– The DNS lookup failed
– The host could not be contacted (no answer to the TCP SYN packet)
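Added example (not part of the original article): a small Python pre-flight check that walks through the same first stages FortiClient does and stops at the one that fails, so the generic “VPN server may be unreachable” message can be split into a failed DNS lookup and an unanswered TCP connect. It goes one step beyond the two causes listed above by also performing the TLS handshake, which separates an untrusted certificate (the 40% case) from a protocol-level failure such as a TLS version mismatch (31%/40%). The placeholder host name, the SSLVPN port 10443 and the stage labels are assumptions for illustration; only the Python standard library is used.

```python
"""Pre-flight check for "Unable to establish the VPN connection. The VPN server
may be unreachable.": resolve, connect and handshake, reporting the first
stage that fails. Example code, not FortiClient/FortiGate code."""
import socket
import ssl
from dataclasses import dataclass

# Hypothetical defaults: replace with your gateway and the SSLVPN port configured on it.
DEFAULT_HOST = "sslvpn.example.invalid"
DEFAULT_PORT = 10443


@dataclass
class Result:
    stage: str    # "dns", "tcp", "cert", "tls", "ok" or "unknown"
    detail: str


def classify_failure(exc: BaseException) -> str:
    """Map an exception raised during the check to the failing stage.
    Order matters: gaierror and SSLError are both OSError subclasses."""
    if isinstance(exc, socket.gaierror):
        return "dns"     # name resolution failed
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert"    # TCP and handshake worked up to verification: client does not trust the cert
    if isinstance(exc, ssl.SSLError):
        return "tls"     # handshake failed before verification, e.g. no common TLS version
    if isinstance(exc, OSError):
        return "tcp"     # refused, timed out or unroutable: no useful answer to the SYN
    return "unknown"


def preflight(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
              timeout: float = 5.0, family: int = socket.AF_UNSPEC) -> Result:
    """Run DNS -> TCP -> TLS and stop at the first failing stage.
    family=socket.AF_INET forces IPv4, mirroring the 'disable IPv6 on the client' advice."""
    try:
        infos = socket.getaddrinfo(host, port, family=family, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return Result("dns", f"DNS lookup for {host!r} failed: {exc}")
    sockaddr = infos[0][4]
    try:
        sock = socket.create_connection(sockaddr[:2], timeout=timeout)
    except OSError as exc:
        return Result(classify_failure(exc), f"TCP connect to {sockaddr[:2]} failed: {exc}")
    ctx = ssl.create_default_context()   # verifies the chain against the system trust store
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return Result("ok", f"{tls.version()} established, cipher {tls.cipher()[0]}")
    except ssl.SSLError as exc:
        stage = classify_failure(exc)
        hint = ("install/trust the FortiGate certificate (or look for the hidden popup)"
                if stage == "cert" else "compare the TLS versions enabled on FortiGate and client")
        reason = getattr(exc, "reason", None) or exc
        return Result(stage, f"TLS handshake failed ({reason}): {hint}")
    finally:
        sock.close()   # harmless if the with-block already closed it


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    r = preflight(target)
    print(f"{r.stage}: {r.detail}")
```

Run it as `python3 preflight.py vpn.example.com`; calling `preflight(host, port, family=socket.AF_INET)` forces IPv4 and is the quickest way to test whether the IPv6/dual-stack problem described further down is the culprit.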

General debugging of the SSLVPN negotiation

The CLI real-time debugger allows monitoring of the SSLVPN negotiation:
# diagnose debug enable
# diagnose debug application sslvpn -1
(now try to establish the SSLVPN connection)
(once the negotiation is done or stopped you can disable the debugger)
# diagnose debug application sslvpn 0
# diagnose debug disable

SSLVPN Timeouts

If the SSLVPN connection is established but drops after some time, double-check the following two timeout values in the FortiGate configuration:
# config vpn ssl settings
#     set idle-timeout 300
#     set auth-timeout 28800
# end

The idle-timeout closes the SSLVPN tunnel if no traffic has passed through it for longer than the configured value, 300 seconds (5 minutes) by default; a value of 0 disables the idle check. This setting can also be changed in the WebUI (SSL VPN settings).
The auth-timeout closes the SSLVPN connection when the authentication lifetime expires, regardless of activity. By default this is 8 hours (28800 seconds); 0 disables it. So if an SSLVPN connection drops after exactly 8 hours even though the tunnel is in continuous use, you are very likely hitting the authentication timeout.

Error messages “SSL_accept failed, 1:unsupported protocol” or “SSL_accept failed, 5:(null)” at the end of the debug output

These messages are shown in the “diag deb app sslvpn -1” output when you try to connect with a FortiClient whose license has expired.

Error message “sslvpn_login_no_matching_policy” combined with “fam_auth_proc_resp:1229 fnbam_auth_update_result return: 3”

This combination is shown in the “diag deb app sslvpn -1” output when an LDAP authentication error causes problems. It can also mean that a user can be authenticated against a RADIUS and an LDAP server at the same time (or as a local user and a RADIUS/LDAP user at the same time). Ensure that every SSL-VPN enabled user is present in only one group. SSL-VPN has an option called “All Other Users/Groups”, and it really does contain ALL other users and groups: as soon as a user exists on the LDAP or RADIUS server (even if the user is in no group and is configured nowhere on the FGT), that user can authenticate as an SSL-VPN user!

Therefore we recommend configuring any remote authentication service (SAML, RADIUS, LDAP and so on) as restrictively as possible, so that only users who really need to authenticate on the FGT can authenticate through that service. Restricting access by group membership on the FortiGate alone is not enough in the case of SSL VPN.
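Added example (not from the original article): a Python triage helper that encodes the percentage table from the top of the article and scans saved `diagnose debug application sslvpn -1` output for the signature strings discussed in the last two sections, correlating “sslvpn_login_no_matching_policy” with “fnbam_auth_update_result return: 3” instead of reporting them one by one. It generalizes slightly: any other `SSL_accept failed, <code>:<reason>` line is reported with its code rather than silently dropped. The sample debug lines are constructed (only the signature text is from the article) and the finding labels are my own.

```python
"""Triage helper for FortiClient progress stalls and for signature strings in
'diagnose debug application sslvpn -1' output. Example code, not Fortinet code."""
import re
from typing import Optional

# Percentage at which FortiClient stalls -> where to look (from the article).
STALL_CAUSES = {
    10: "network path: client internet access, reachability of the FortiGate, IP/port in the FortiClient profile",
    31: "TLS version mismatch (reported as error -5029)",
    40: "certificate not trusted (hidden popup?), CRL/OCSP check failing, or TLS version mismatch",
    48: "two-factor authentication step",
    80: "user/group/portal/firewall policy, RADIUS/LDAP communication, or wrong realm",
    98: "client side: corrupted FortiClient installation, OS problem, or IPv6/dual-stack network",
}

# Debug-output signatures the article discusses.
SSL_ACCEPT_RE = re.compile(r"SSL_accept failed, (\d+):(.*)")
LICENSE_SIGNATURES = {("1", "unsupported protocol"), ("5", "(null)")}   # expired FortiClient license
SIG_NO_MATCHING_POLICY = "sslvpn_login_no_matching_policy"
SIG_FNBAM_RESULT_3 = "fnbam_auth_update_result return: 3"


def stall_cause(percent: int) -> Optional[str]:
    """Exact lookup of a stall percentage; None for a stage the article does not describe."""
    return STALL_CAUSES.get(percent)


def triage(debug_output: str) -> list[str]:
    """Turn the signatures found in the debug output into findings (labels are my own)."""
    lines = debug_output.splitlines()
    findings: list[str] = []

    # SSL_accept failures: the two codes from the article mean an expired client license,
    # anything else is surfaced with its code so it is not lost.
    accept_failures = []
    for line in lines:
        m = SSL_ACCEPT_RE.search(line)
        if m:
            accept_failures.append((m.group(1), m.group(2).strip()))
    if any(f in LICENSE_SIGNATURES for f in accept_failures):
        findings.append("forticlient_license_expired")
    for code, reason in accept_failures:
        if (code, reason) not in LICENSE_SIGNATURES:
            findings.append(f"ssl_accept_failed_{code}:{reason}")

    # The two login strings are only meaningful together, so they are correlated.
    has_no_policy = any(SIG_NO_MATCHING_POLICY in line for line in lines)
    has_fnbam_3 = any(SIG_FNBAM_RESULT_3 in line for line in lines)
    if has_no_policy and has_fnbam_3:
        # LDAP error, or the user is resolvable via more than one source (RADIUS and LDAP,
        # or local and remote) and "All Other Users/Groups" lets it through.
        findings.append("ldap_error_or_user_in_multiple_auth_sources")
    elif has_no_policy:
        findings.append("no_matching_policy")
    return findings


# Constructed sample: the bracketed prefix is invented, only the signature text is from the article.
SAMPLE_DEBUG = "\n".join([
    "[0:root:1a] fam_auth_proc_resp:1229 fnbam_auth_update_result return: 3",
    "[0:root:1a] sslvpn_login_no_matching_policy",
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG
    for finding in triage(text):
        print(finding)
```

Save the debugger output to a file (most terminal clients can log the session) and run `python3 triage.py sslvpn-debug.log`; without an argument it runs on the constructed sample.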

Additional comments on the FortiClient v6.2

If you are using the free “FortiClient v6.2 VPN(-only)” you have a limited feature set (please refer to FortiClient VPN 6.2); for example, you are not able to perform host checks. Make sure that you do not have any (possibly legacy) host checks configured in the SSLVPN portals on your FortiGate. The -f flag of grep prints the surrounding configuration context, so you can see which portal a setting belongs to:
# config vpn ssl web portal
#     show full-configuration | grep -f host-check
# end

Update on IPv6 problems with FOS 6.2 and 6.4

As you can read in the comments of this article, you can run into problems when the client uses an IPv6 connection or dual stack IPv4/IPv6. In that case you have to disable IPv6 on the client itself or in the SSLVPN settings of your FortiClient (Fortinet KB article).


9 thoughts on “Troubleshooting FortiGate SSLVPN problems”

  1. zerodeplus

    Hello ! I found something that worked for me !

    Since yesterday I was stuck at 98% and I had tried everything (even reinstalling Win10). And the “problem” found was my Internet connection!! I felt really dumb after that!!! I need to log in to the VPN with FortiClient and for that I was using my mobile phone hotspot… It worked after I disabled IPv6 to use IPv4 only!!!

    To disable IPv6 on an Android device and use IPv4 only:
    Step 1 : Go to your Android device System Settings and tap on “Network & Internet”
    Step 2 : Tap on “Mobile network”
    Step 3 : Tap on “Advanced”
    Step 4 : Tap on “Access Point Names”
    Step 5 : Tap on the APN you are currently using
    Step 6 : “APN Protocol”
    Step 7 : Tap on “IPv4”
    Save the changes

    I hope that helps !

    • mm

      Thanks for sharing your findings zerodeplus.
      Good to know that this can also lead to a VPN being stuck at 98%

      Regards,
      Markus

  2. thierry

    My company uses Zscaler.
    With Zscaler activated, you are stuck at 98% as well.
    Disabling it makes it work fine.

  3. Adryano

    Thanks a lot! I am trying to use FortiClient VPN 7.0.5.0238 with my Xiaomi Android phone and was stuck at 98%, and the FortiClient log contained this error: RasGetEntryPropertiesWin7(fortissl) failed. (r=623)

    After disabling IPv6 in the APN protocol of my phone’s provider, it was solved! Now I can connect remotely, routing through my cell phone.

  4. Damien RICHARD

    Disabling IPv6 in the APN protocol is a good solution.
    I tried to resolve this error with the registry key BlockIPv6 but the result was not correct.
    Would someone have a solution with parameters on the registry side?

  5. bobbyB

    “Unable to establish the VPN connection. The VPN server may be unreachable.” is also the message you see when you type in an incorrect password, strangely.

    • vla

      Dear Bobby
      Thank you for your comment on our blog.
      I have tested this and I was not able to comprehend your statement, and I was also not able to reproduce it.
      The message shown with an incorrect username or password on my setup was “Credential or SSLVPN configuration is wrong. (-7200)”. Therefore I suspect that you have another problem on connection level in your setup.
      I hope that helps you to solve your issue.
      Kind regards from the Tech Team

  6. UH

    Two additional hints:
    45% – in our installation with RADIUS and 2FA via the RADIUS infrastructure, the username/password combination is wrong.
    For example a wrong username or a wrong password for the username.
    98% – my gut feeling for a stall here is an error in adding the (IPv4) routes. I run into this issue every time I try to connect to my IPv4-only SSLVPN firewall (FortiOS 6.4) from a client (Win10) in an IPv6-only network with NAT64/DNS64.
    For me it looks like FortiClient runs through all authorisation and authentication processes but fails to set an IPv4 host route to the SSLVPN server because there is no IPv4 gateway…
