volkanavsar
Staff
April 14, 2025

Troubleshooting Tip: If an error occurs during 'SSL VPN + Certificate Authentication', enabling 'Enable Invalid Server Certificate Warning' can be beneficial

Description

This article describes where enabling the 'Invalid Server Certificate Warning' is beneficial.

Scope

FortiClient, FortiClient EMS, SSL VPN, and FortiGate.
Solution

If SSL VPN authentication attempts fail with a -7200 error in FortiClient while SSL VPN Web Mode works correctly, logs similar to the following may be observed on the FortiGate. This is usually due to a recently renewed SSL VPN certificate.


FG100 # [317:root:1...]allocSSLConn:310 sconn 0x7f7... (0:root)
[317:root:1...]SSL state:before SSL initialization
[317:root:1...]SSL state:fatal decode error
[317:root:1...]SSL state:error:(null)
[317:root:1...]SSL_accept failed, 1:unexpected eof while reading
[317:root:1...]Destroy sconn 0x7f7..., connSize=0. (root)
[462:root:1...]allocSSLConn:310 sconn 0x7f7... (0:root)
[462:root:1...]SSL state:before SSL initialization 
[462:root:1...]SSL state:before SSL initialization 
[462:root:1...]got SNI server name: vpn.domain.com realm (null)
[462:root:1...]client cert requirement: no

 

To resolve the issue, enable the 'Enable Invalid Server Certificate Warning' option under 'EMS -> Endpoint Profiles -> Remote Access -> Enable Invalid Server Certificate Warning'. After enabling this option, re-attempt the connection. FortiClient will prompt to trust the certificate again, after which the connection may proceed.
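
To confirm that a captured debug output shows the pattern above before changing the endpoint profile, the lines can be grouped per connection and checked for a handshake the peer dropped. This Python sketch is an added example, not part of the original article or any Fortinet tooling; treating the bracketed prefix as a per-connection key and the function names `triage` and `aborted_handshakes` are assumptions made for illustration.

```python
import re

# Prefix format as shown in the article's output: [<id>:<vdom>:<session>]
LINE_RE = re.compile(r"\[(\d+):([^:\]]+):([^\]]*)\](.*)")
SNI_RE = re.compile(r"got SNI server name: (\S+)")

# Lines copied from the article; elided fields ("1...", "0x7f7...") kept as-is.
SAMPLE = """\
FG100 # [317:root:1...]allocSSLConn:310 sconn 0x7f7... (0:root)
[317:root:1...]SSL state:before SSL initialization
[317:root:1...]SSL state:fatal decode error
[317:root:1...]SSL state:error:(null)
[317:root:1...]SSL_accept failed, 1:unexpected eof while reading
[317:root:1...]Destroy sconn 0x7f7..., connSize=0. (root)
[462:root:1...]allocSSLConn:310 sconn 0x7f7... (0:root)
[462:root:1...]SSL state:before SSL initialization
[462:root:1...]got SNI server name: vpn.domain.com realm (null)
[462:root:1...]client cert requirement: no
"""

def triage(debug_text):
    """Group lines per connection (assumed key: the bracketed prefix)."""
    conns = {}
    for raw in debug_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # blank lines or unrelated console output
        key, msg = m.group(1, 2, 3), m.group(4).strip()
        c = conns.setdefault(key, {"sni": None, "fatal": False,
                                   "peer_closed": False, "destroyed": False})
        sni = SNI_RE.search(msg)
        if sni:
            c["sni"] = sni.group(1)
        c["fatal"] |= msg.startswith("SSL state:fatal")
        # OpenSSL reports "unexpected eof" when the peer closes mid-handshake
        c["peer_closed"] |= (msg.startswith("SSL_accept failed")
                             and "unexpected eof" in msg)
        c["destroyed"] |= msg.startswith("Destroy sconn")
    return conns

def aborted_handshakes(conns):
    """Connections the peer dropped during the TLS handshake."""
    return [k for k, c in conns.items() if c["peer_closed"] and c["destroyed"]]

if __name__ == "__main__":
    for key in aborted_handshakes(triage(SAMPLE)):
        print("handshake dropped by peer on connection", ":".join(key))
```

A connection flagged here only shows that the client closed the handshake; whether the renewed certificate is the cause still has to be confirmed on the FortiClient side.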

 
