johna-eximiusdesign
New Member
November 20, 2021
Question

VPN Client stuck at 40% with certificate error

  • November 20, 2021
  • 10 replies
  • 117304 views

We had a PC with a working FortiClient setup that recently stopped working. It gets stuck at 40% with the error "The server you want to connect to requests identification, please choose a certificate and try again (-5)." I've read all over the forum and I've already tried:

- Ensured Internet Options have TLS 1.0, 1.1 and 1.2 enabled.

- Uninstalled and reinstalled Forticlient using latest versions (7.01.0083)

- Tried to restore a previously known good configuration

- Ensured there is no "hidden window" for certificate authorization*

 

The same credentials work on other PCs, so the issue seems to be on one PC (we have a second PC with similar symptoms but haven't triaged that one yet). From the "bad" PC, we've tried accessing multiple gateways; all get the same error. So there seems to be something awry with this PC. As far as I know we don't use any certificates, at least nothing that didn't come preinstalled. It is possible that when the problem first showed up there was a popup window and we accidentally hit "no" on the certificate authorization, but I would have figured a clean uninstall / reinstall would have cleared that flag. It is almost like this PC corrupted itself in a way a fresh install didn't fix.

 

Any suggestions would be appreciated. We're at a loss here.

 

 

10 replies

kiri
Staff & Editor
November 21, 2021

Hi johna-eximiusdesign,

 

Check if enabling the following in FCT settings helps:
Do not Warn Invalid Server Certificate
https://docs.fortinet.com/document/forticlient/7.0.2/administration-guide/682005/vpn-options

 

This is not a solution to the actual issue (untrusted cert), but it should allow you to connect.
Bear in mind that FOS 7.0.2 now has ACME certificate support. You can request a certificate signed by Let's Encrypt and use it for VPN access and avoid these errors.

https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/822087/acme-certificate-support

 

Let me know if this helps.

johna-eximiusdesign
New Member
November 22, 2021

Hi cchiriches,

 

Sincere thanks for responding. I've tried the Do Not Warn Invalid Server Certificate flag a few times and it had no appreciable effect. It looks like from version 6 to 7, the FortiClient VPN "Do Not Warn on Invalid Certificate" flag went from a per connection option to a global one, but I still see <warn_invalid_server_certificate> in the configuration xml on both the global <sslvpn> options and inside the individual <connection>. So, I've set both to 0 (i.e. do not warn) as well as tried the GUI options. It didn't seem to have any effect and still fails in the same way with the same error.

 

I've read that invalid TLS settings can sometimes be reported as an invalid certificate, so I did play with those and made sure TLS 1.0, 1.1 and 1.2 were enabled. As proof, I disabled them one by one, and when I disabled TLS 1.2 I saw a different error about TLS negotiation, so I feel confident I have those set correctly. Is there anything else that can show up as a "certificate" error that would not be masked by the "Do Not Warn on Invalid Certificate" flag?

 

Also, I wasn't able to glean anything from this, but here is the error log event from FortiClient. Note I scrubbed the IP addresses / MAC IDs / names / uid / devid / hostname / serial number and replaced them with garbage, but I tried to leave everything else alone.

 

11/21/2021 3:20:15 PM error sslvpn date=2021-11-21 time=15:20:14 logver=1 id=96603
type=securityevent subtype=sslvpn eventtype=error level=error
uid=12345678 devid=abcdef
hostname=machine1 pcdomain=N/A deviceip=1.1.1.1
devicemac=11-22-33-44-55-66 site=N/A fctver=7.0.1.0083
fgtserial=FCT800199999999 emsserial=N/A
os="Microsoft Windows 8.1 , 64-bit (build 9600)" user=john
msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel=SJC
vpnuser=johna remotegw=1.2.3.4

 

Does anything there mean anything to you?

 

 

Possibly related (or entirely useless), I did look through the Microsoft Event Logs and I did find that I get 3 of these errors every time I try to connect.

 

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 808.

Decoding 0x51 results in SEC_E_DECRYPT_FAILURE, which means exactly that: TLS was unable to decrypt something. I don't usually find Windows Event Logs particularly meaningful, but if you see something, let me know.

 

Again, thanks very much for the help. I really do appreciate it.

 

John

 

kiri
Staff & Editor
November 24, 2021

Hi John,

No worries.

 

1. Is there anything else that can show up as a "certificate" error that would not be masked by the "Do Not Warn on Invalid Certificate" flag?
- I'm unaware of that.

 

2. Also, I wasn't able to glean anything from this, but here is the error log event from FortiClient. Note I scrubbed the IP addresses / MAC IDs / names / uid / devid / hostname / serial number and replaced them with garbage, but I tried to leave everything else alone.
- Was the log level set to Debug?

 

I'm afraid there's not much in these logs, probably Info level, not Debug.

I've checked internally for "The TLS protocol defined fatal error code is 51." and "The Windows SChannel error state is 808.", no relevant results.

 

Please answer the following:
Which FCT version, free or paid?
Did you try other versions? Which?
Which FOS?
Does the web SSL portal work from this PC?

 

If you run a debug for a working and a non-working example, I can take a look at it:

diag debug reset
diagnose debug cons time en
diag debug application fnbamd -1
diagnose debug app sslvpn -1
diagnose debug enable

To disable the debug type "di de di".

johna-eximiusdesign
New Member
November 24, 2021

Hi cchiriches,

 

The log was set to Debug, but so far, I have not seen any difference in the log output from Debug, Info, or any of the other options.

 

So far, I've observed the issue on:

FortiClient VPN Only 6.4 (free)

FortiClient VPN Only 7.0.1.0083 (free)

FortiClient ZTFA 7.0.1.0083 (trial)

 

The behavior for all 3 is identical. It gets to 40%, sits for a longish while (~60 sec, which is much longer than typical failures) and then gives up with the "The server you want to connect to request identification" message. I'm still working on getting the credentials for our FortiGate server from IT (it's a convoluted process, but they promised they would and I've got the CTO's backing), so I'm not 100% on what our license there covers.

 

I'm not sure I know what FOS is (too many TLAs to keep track of :). If you are asking about OS, the client is on Windows 8.1.

 

I did confirm my TLS / SSL works for multiple browsers on my PC (at least TLS 1.2) at the SSLLabs site: clienttest.ssllabs.com:8443/ssltest/viewMyClient.html (let me know if you have a different one I should use). I have tried to VPN to two sites within our company with the same results, but I have not found an open 3rd party VPN to try to access. But since the same credentials work on ~6 other machines, including 2 personal PCs, one with a fresh install of FortiClient, I think it is safe to say the issue is on my local PC.

 

What's bizarre is I've been using this PC and FortiClient for ~5 years, no major issues. Sometime between Wednesday night when I logged off and Thursday (11/18) morning, this issue arose. Nothing new installed. Logs say Teams and Zoom did an update overnight, but nothing else interesting seems to have happened.

 

Last night, I did generate a report using the "Diagnostics Tool" while it observed me trying to connect. If you want, I can share that with you. It's smallish (1MB) but it has some sensitive info (IP address, credentials, etc), so I'd rather not post it openly. Can you suggest a way I can send this to you, like email?

 

I'm also happy to run the diag commands you listed, but I don't see how to enable them. Are they on the FortiGate side? Or is there a hidden switch someplace?

 

Also, I'm not sure if it is helpful, but I broke out Wireshark to look at the packets. I can see the Client saying Hello, the Server saying Hello, the Server sending a Certificate and the Server saying "Hello Done" and sending a SHA256 key to the client. The Client then FINishes the TCP connection. The client then seems to repeat the sequence, starting over from Hello, two more times (which is consistent with the 3x Microsoft Logs errors). Because it is the local side that initiates the TCP termination, I gather FortiClient is not happy about something. Maybe it is rejecting the certificate / key offered by the Server? Any insight there?

 

Thanks,

John

 

 

MFahmi
Visitor III
November 22, 2021

Are you using LDAP or Local?

If LDAP, you can try resetting the password and try again.

Usually this is because of incorrect credentials.

johna-eximiusdesign
New Member
November 22, 2021

Hey MFahmi,

 

FYI, the same credentials work on at least three other machines (but we did reset the password anyway to no effect). There is something on this one PC that is somehow broken. The FortiClient VPN was used on a nearly daily basis for 2-3 years without issue, broke a few days ago, and hasn't worked since even with successive uninstall / install of FortiClient (with reboots in between for good measure), restoring configs from old working and from external machines, debug settings, etc.

 

The original error reported certificate issues, which from reading are sometimes masked as TLS version support issues. So I think I'm looking for something that could result in the same "certificate error" message from FortiClient, or some way the certificate is corrupted on this one machine.

 

Or I'm utterly confused, which is a nonzero possibility too.

 

John

karnold
New Member
May 25, 2022

So, having the same issue with multiple Windows 11 machines. Background:

We use FGTs, 6.4.8 firmware. FortiClients ranging from 6.4.7 to 7.0.2.

Affected machines are running Windows 11. They all run well for a month or so, then after a random update cycle, FortiClient stalls at 40% with no successful connections from that point on. Again, this isn't a random subset of Windows 11; this is ALL 3 machines that have been running Windows 11 (two were 10 to 11 upgrades, and my test machine is a clean install from ISO).

 

This was noted in the security logs:

- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {<redacted>}

EventID 5061

Version 0

Level 0

Task 12290

Opcode 0

Keywords 0x8010000000000000

- TimeCreated

[ SystemTime] 2022-05-25T00:14:05.5675258Z

EventRecordID 885204

Correlation

- Execution

[ ProcessID] 1124
[ ThreadID] 8564

Channel Security

Computer <redacted>

Security

- EventData

SubjectUserSid S-1-5-21-<redacted>
SubjectUserName karnold
SubjectDomainName <redacted>
SubjectLogonId 0x102e73
ProviderName Microsoft Software Key Storage Provider
AlgorithmName RSA
KeyName te-VPNUser-<redacted>
KeyType %%2500
Operation %%2480
ReturnCode 0x80090016

karnold
New Member
May 25, 2022

As for the Fortigate logs:

 

[280:root:1af]allocSSLConn:297 sconn 0x7f9fe63f00 (0:root)
[280:root:1af]SSL state:before SSL initialization (<redacted>)
[280:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[280:root:1af]SSL_accept failed, 5:(null)
[280:root:1af]Destroy sconn 0x7f9fe63f00, connSize=6. (root)
[281:root:1af]allocSSLConn:297 sconn 0x7f9fe79b00 (0:root)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[281:root:1af]SSL_accept failed, 5:(null)
[281:root:1af]Destroy sconn 0x7f9fe79b00, connSize=5. (root)
[282:root:1af]allocSSLConn:297 sconn 0x7fa0a1f600 (0:root)
[282:root:1af]SSL state:before SSL initialization (<redacted>)
[282:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[282:root:1af]SSL_accept failed, 5:(null)
[282:root:1af]Destroy sconn 0x7fa0a1f600, connSize=1. (root)
[283:root:1af]allocSSLConn:297 sconn 0x7f9fdc0a00 (0:root)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[283:root:1af]SSL_accept failed, 5:(null)
[283:root:1af]Destroy sconn 0x7f9fdc0a00, connSize=1. (root)
[284:root:1af]allocSSLConn:297 sconn 0x7f9fddcf00 (0:root)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[284:root:1af]SSL_accept failed, 5:(null)
[284:root:1af]Destroy sconn 0x7f9fddcf00, connSize=0. (root)
[285:root:1ae]allocSSLConn:297 sconn 0x7f9fd53100 (0:root)
[285:root:1ae]SSL state:before SSL initialization (<redacted>)
[285:root:1ae]SSL state:before SSL initialization:DH lib(<redacted>)
[285:root:1ae]SSL_accept failed, 5:(null)
[285:root:1ae]Destroy sconn 0x7f9fd53100, connSize=0. (root)
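An added triage helper (not from this thread or from Fortinet) that reads debug lines in the format quoted above, groups them by connection id and flags attempts where the FortiGate sent a certificate request and SSL_accept then failed without a client certificate ever being read; the sample log below is constructed with a fake hostname and fake connection ids.

```python
import re

# Constructed sample in the shape of the "diagnose debug app sslvpn -1" output
# quoted above: fake connection ids, hostname and pointers, not the poster's lines.
SAMPLE_LOG = """\
[281:root:1af]allocSSLConn:297 sconn 0x7f9fe79b00 (0:root)
[281:root:1af]got SNI server name: vpn-aus.example.test realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS write certificate request (vpn-aus.example.test)
[281:root:1af]SSL state:SSLv3/TLS write finished (vpn-aus.example.test)
[281:root:1af]SSL_accept failed, 5:(null)
[281:root:1af]Destroy sconn 0x7f9fe79b00, connSize=5. (root)
[290:root:1af]allocSSLConn:297 sconn 0x7f9fe80000 (0:root)
[290:root:1af]got SNI server name: vpn-aus.example.test realm (null)
[290:root:1af]client cert requirement: yes
[290:root:1af]SSL state:SSLv3/TLS write certificate request (vpn-aus.example.test)
[290:root:1af]SSL state:SSLv3/TLS read client certificate (vpn-aus.example.test)
[290:root:1af]SSL state:SSL negotiation finished successfully (vpn-aus.example.test)
"""

# [<connection id>:<vdom>:<hex>]<message>
LINE_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")

def parse_sslvpn_debug(text):
    """Group debug lines by connection id and record handshake milestones."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sslvpn debug line (e.g. fnbamd output)
        conn_id, msg = m.group(1), m.group(4)
        c = conns.setdefault(conn_id, {"sni": None, "cert_requested": False,
                                       "cert_received": False, "failed": False,
                                       "completed": False})
        sni = re.match(r"got SNI server name: (\S+)", msg)
        if sni:
            c["sni"] = sni.group(1)
        # the gateway asked for a client certificate (CertificateRequest sent)
        if "client cert requirement: yes" in msg or "write certificate request" in msg:
            c["cert_requested"] = True
        if "read client certificate" in msg:  # the client actually sent one
            c["cert_received"] = True
        if msg.startswith("SSL_accept failed"):
            c["failed"] = True
        if "negotiation finished successfully" in msg:
            c["completed"] = True
    return conns

def classify(conn):
    """Name the pattern; the second one is what the 40% stall looks like gateway-side."""
    if conn["completed"]:
        return "ok"
    if conn["cert_requested"] and not conn["cert_received"] and conn["failed"]:
        return "client aborted after certificate request"
    if conn["failed"] and conn["sni"] is None:
        return "failed before ClientHello was read"
    return "incomplete"

def triage(text):
    return {cid: classify(c) for cid, c in parse_sslvpn_debug(text).items()}
```

On the Windows side of the same failed attempt, Schannel's fatal alert 51 is the TLS decrypt_error alert (RFC 5246, section 7.2.2), and the 0x80090016 ReturnCode in the event 5061 above is NTE_BAD_KEYSET, meaning the key storage provider could not open the private key of the certificate FortiClient had selected.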

jimsokol
New Member
May 25, 2022

Did you look behind the FortiClient window for a "pop-under" with the cert warning?

karnold
New Member
May 25, 2022

No pop-ups. Goes to 40%, stalls, fails with the error:

The server you want to connect to requests identification, please choose a certificate and try again. (-5). 

 

The certificate was working prior to the updates, and you can see clearly in the login page that it is selected.

ThiOliveira
New Member
September 1, 2022

Were you guys able to fix this? We're having the same issue with the only person in our organization that is using Windows 11.

johna-eximiusdesign
New Member
September 6, 2022

Hi ThiOliveira,

 

No, I have not found any real solution. When I reinstalled the OEM Windows environment, FortiClient logged in without any issues, as it had done for years earlier. However, the first Windows update patch broke it again with the same error (40% progress, bad certification error). Unfortunately, the first update is a big one and it is hard to "back out" that patch without reinstalling the entire OS, so I've kept the machine alive living on the OEM image with all of its foibles.

 

I try to monitor the postings looking for a fix, but so far I've not seen anything. Please share if you find any leads.

 

celliott
Visitor III
September 2, 2022

Upgraded from 6.4.8 to 6.4.9 FOS to fix a bug and am experiencing the same issue as described here. We are using SAML for login with no certificate requirement. It randomly has the error about the cert, sometimes says VPN server unreachable, and sometimes just stalls at 98% and silently fails. Opened a case with Fortinet but not sure where it will end up.

vforti
New Member
December 14, 2022

Hi,

 

Did you ever get a reply from Fortinet?

We tried various client versions of the 6 and 7 branch, but could not find one that works reliably.

 

We found that if one repeats the connection attempts, one eventually gets connected.

 

Thank you

muhammad-amjad
New Member
September 20, 2022

I have the solution to this issue. Follow the steps to fix the stuck issue and share with everyone.

Install the offline FortiClient FortiClientVPNSetup_6.4.5.1657_x64 and try; the stuck issue does not occur after these steps.

alex22207
New Member
March 18, 2024

I realize this is an old post, but I recently had a similar problem and I'll add my solution as it may benefit others. I'm running FortiClient version 7.2.4.0972 on Windows 11. The difference between this case and mine is that I received an unwanted certificate popup.

 

What solved the issue for me was deleting my personal certificates from the Windows certificate store. Even though I had not selected the option to authenticate with certificates, it appears that the FortiClient software was enforcing the certificate popup when it found certs in the Windows cert store. The only certs I needed to delete were in my "Personal" certificate store, and they were also visible in the certificate dropdown of the FortiClient VPN setup interface. When I deleted the certs, they were no longer visible in the setup dropdown and the authentication completed successfully.

 

I believe this is a bug, and I hope it gets fixed in future releases.

Catinator
Visitor III
March 26, 2024

Amazing, thank you so much for this. I wish Fortinet would communicate this fix to customers so we don't have to rely on the good will of community forum members.