Roland_ITIG
New Member
December 4, 2024
Question

No "Server Certificate Warning" prompt with FortiClient VPN 7.4.1.1736 SSL-VPN
Hi,

We work with FortiClient VPN 7.4.0.1658 with one predefined SSL-VPN Gateway to an external Partner (User and Password, no Client Certificate, Port 18443) on Windows Server 2016 VMWare ESXi.

The connection is established after confirming the "Server Certificate Warning" for FGVM2VTM23001833 fortinet-subca2001.

After updating FortiClient VPN to 7.4.1.1736 the "Server Certificate Warning" is no longer prompting and no connection is possible.

On a reference client outside my company network it works.

Exporting the certificate there and importing it on the Server doesn't change anything.

After downgrading FortiClient VPN to the previous version on the Server the connection works fine again.

Any idea? Thanks,

Roland

Attachments (screenshots): 2024-11-27 10_10_51 Config.png, 2024-11-27 10_10_52 - Certificate Security Alert.png, 2024-11-27 10_10_53 - Certificate Security Alert.png
sjoshi
Staff
December 4, 2024

Hi,

Please share the below logs while connecting the SSL VPN.

PuTTY SSH1:
------------

get vpn ssl monitor
diagnose vpn ssl list
diagnose firewall auth list
dia vpn ssl statistics
exec vpn sslvpn list
get system status
diag vpn ssl stat


PuTTY SSH2:
------------

diag sys flash list
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fn -1
diag debug enable

Wait till the VPN disconnects, then disable the logs by executing:

diag debug disable
diag debug reset

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
Roland_ITIG
New Member
December 6, 2024

Hi,

Thanks for your reply. The gateway is operated by our external partner, so I cannot debug the SSL VPN from my side.

Regarding the known issues (SSL VPN) of 7.4.1 versus 7.4.0, I am thinking about testing another version.

https://docs.fortinet.com/document/forticlient/7.4.1/windows-release-notes/743101/existing-known-issues

https://docs.fortinet.com/document/forticlient/7.4.0/windows-release-notes/743101/existing-known-issues

Do you have a link from where to download, for example, "FortiClientVPNSetup_7.2.6.1076_x64.exe"?

Roland

funkylicious
SuperUser
December 6, 2024

try here

"jack of all trades, master of none"
pminarik
Staff
December 6, 2024

Have a look into the details of the certificate. It can only be trusted for the domains, or IPs, listed in its Subject Alternative Name extension (may or may not be present if you scroll down in the list of attributes). If the extension is not present, FortiClient will not be able to trust it at all.

The certificate requirements are the same as for browsers trusting websites.

The proper course of action is for the administrator of that FortiGate to use a valid public certificate for the domain that is used as the SSL-VPN's address. Anything else is bad practice and a potential security issue waiting to blow up.
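To illustrate the rule described in this reply (a certificate is only valid for the names or IPs in its Subject Alternative Name extension, and a certificate without that extension cannot be trusted for any gateway address), here is an added example that is not part of the original thread and not FortiClient code. It implements the name-matching a TLS client performs, using the same dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the output of that call could be fed straight into `san_matches()`. The three certificates are constructed sample data; `vpn.partner.example` and `203.0.113.10` are placeholder values.

```python
"""Check whether a server certificate's SAN entries cover the address a
VPN client connects to.  Mirrors browser-style hostname verification
(RFC 6125 / RFC 2818 rules): exact DNS match, a wildcard only as the
whole leftmost label, and IP targets matched only against 'IP Address'
SAN entries.  The subject commonName is deliberately ignored."""

import ipaddress
from typing import Any, Dict, Tuple

# Constructed sample certificates in getpeercert() layout (not real certs).
CERT_OK: Dict[str, Any] = {
    "subject": ((("commonName", "vpn.partner.example"),),),
    "subjectAltName": (("DNS", "vpn.partner.example"),
                       ("IP Address", "203.0.113.10")),
}
# Only a commonName, no SAN extension: the case the reply says cannot be trusted.
CERT_CN_ONLY: Dict[str, Any] = {
    "subject": ((("commonName", "vpn.partner.example"),),),
}
CERT_WILDCARD: Dict[str, Any] = {
    "subject": ((("commonName", "*.partner.example"),),),
    "subjectAltName": (("DNS", "*.partner.example"),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must cover exactly one label and leave at least two fixed labels,
    # so "*.partner.example" matches "vpn.partner.example" but not
    # "partner.example" or "deep.vpn.partner.example".
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(cert: Dict[str, Any], target: str) -> Tuple[bool, str]:
    """Return (trusted_for_target, reason) for a decoded certificate."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "no subjectAltName extension: not trusted for any name or IP"

    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # An IP gateway address is only covered by an 'IP Address' SAN entry.
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True, f"IP {target} listed in SAN"
            except ValueError:
                continue
        return False, f"IP {target} not among SAN IP entries"

    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, target):
            return True, f"hostname {target} matches SAN DNS entry {value}"
    return False, f"hostname {target} matches no SAN DNS entry"


if __name__ == "__main__":
    for name, cert in (("CERT_OK", CERT_OK), ("CERT_CN_ONLY", CERT_CN_ONLY),
                       ("CERT_WILDCARD", CERT_WILDCARD)):
        for target in ("vpn.partner.example", "203.0.113.10", "partner.example"):
            ok, why = san_matches(cert, target)
            print(f"{name:14} {target:22} {'OK ' if ok else 'REJECT'} {why}")
```

Run as-is it prints a verdict for each certificate/target pair; the CN-only certificate is rejected for every target, which is exactly the situation the reply describes. Against a live gateway you would obtain the dictionary with `ssl.create_default_context()`, `wrap_socket(..., server_hostname=...)` and `getpeercert()`, and the library performs this same check for you when `check_hostname` is left enabled.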

Roland_ITIG
New Member
December 6, 2024

Hi, thanks for the hint:

Using the gateway as in the screenshot, the certificate has wrong data;

using an alternate gateway from my external partner returns correct certificate data.

I will report it to them.