ArnaudL
New Member
February 23, 2024
Question

VPNSSL connection almost impossible, reset at 98%

  • February 23, 2024
  • 5 replies
  • 11813 views

Hi all!

Latest version of FortiClient VPN (7.0.11.0569), latest FGT firmware (v7.0.14 build0601)

I am using a Windows 11 Insider dev channel build. Since last week's upgrade (build 26058, release 240209-1555), I am almost unable to connect via SSL VPN.

Nothing has changed apart from this upgrade; all the other remote users running "standard" Windows 11 versions have absolutely no problem.

My client log is filled with errors that I found on other threads but with no solution :

error: poll_send_ssl ->SSL_get_error(): 5, try:1
error: poll_send_ssl -> WSAGetLastError():2745, try:1
error: poll_send_ssl ->data size: 66, try:1
[handle_driver_read_event]: error: poll_send
error: poll_recv_ssl -> SSL_get_error(): 5
error: poll_recv_ssl -> WSAGetLastError():2745
error: polling recv, try:1

etc.

If I insist a lot, after some time it will connect (maybe 20 retries), and the log looks absolutely normal (nothing logged apart from the connection being established).

On the FortiGate side, I have "SSL web application blocked" and "ssl exit error, reason DH Lib".
I have no idea what this is, and above all why it sometimes works!

Can someone help me on this matter? Thanks a lot!

PS: there is no client certificate, as some support pages mention this.

5 replies

johnathan
Staff
February 23, 2024

I would try turning off IPv6 on both the Ethernet and SSLVPN adaptor within your network settings.

Please try and see if a specific Windows Update is installed with the PowerShell command: 'Get-Hotfix KB2693643'. This update can cause the issue you are seeing.

Never trust a computer you can't throw out a window.
ArnaudL (Author)
New Member
March 4, 2024

This hotfix does not seem to be installed, but as I mentioned I am using a dev channel Windows 11 version, so this might be included in the base version of the OS rather than in a hotfix, right?

Rajneesh
Staff
February 24, 2024

Hello @ArnaudL 

The possible reasons for disconnection at 98% are:

  • Issues at this stage usually occur due to a corrupted installation of FortiClient or due to OS problems.
  • Reinstall the FortiClient software on the system.
  • Check for compatibility issues between FortiGate and FortiClient.
  • This may also occur when attempting to negotiate SSL VPN with the free version of FortiClient.

You can refer to this KB:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL-VPN/ta-p/211965
FortiGate and FortiClient compatibility matrix:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/afec3249-ed3f-11ea-96b9-00505692583a/forticlient_ems-compatibility-matrix.pdf

ArnaudL (Author)
New Member
March 4, 2024

Hi @Rajneesh 
I have reinstalled many times already, including older versions of FortiClient.
FortiClient and FortiGate are at the latest version, as mentioned in my original message, so incompatibility is unlikely.

Using the free version of FortiClient should not be a problem, so we cannot investigate this possibility any further, as we will not move to EMS.

esalija
Staff
February 24, 2024

Dear @ArnaudL

Please can you disable IPv6 on the NIC of the client machine and try again.

Please follow the KB - https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-fails-at-98/ta-p/248363

Best regards,

Erlin

ArnaudL (Author)
New Member
March 4, 2024

Hi @esalija, thanks for the tip.
Do you mean the physical NIC, or the virtual Fortinet SSL VPN adapter?

Edit: sorry, I had not seen the reply by @johnathan. I'll give it a try, but disabling IPv6 on my physical adapter is not a viable solution.

ArnaudL (Author)
New Member
March 5, 2024

@esalija and @johnathan 
I am working remotely today, so I gave it a try, but it does not help. Disabling IPv6 on both the Fortinet SSL VPN adapter and my Wi-Fi interface made no difference.

ArnaudL (Author)
New Member
March 5, 2024

@ArnaudL wrote:

If I insist a lot, after some time it will connect (maybe 20 retries), and the log looks absolutely normal (nothing logged apart from the connection being established).


I had to retry for about 1 hour to finally get connected this morning.

hbac
Staff
March 5, 2024

Hi @ArnaudL,

Please refer to https://community.fortinet.com/t5/FortiClient/Technical-Tip-Interpreting-WSAGetLastError-in-FortiClient-Debug/ta-p/191800

Based on your FortiClient logs "WSAGetLastError():2745": 2745 in hexadecimal = 10053 in decimal, and based on the Microsoft link below, WSAECONNABORTED 10053 = Software caused connection abort. An established connection was aborted by the software in your host computer, possibly due to a data transmission time-out or protocol error.

https://learn.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2

Is there any third-party software that might conflict with FortiClient? Have you tried a different internet connection (Wi-Fi/Ethernet)?

Regards,


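Decoding the two error codes hbac points at, as an added example that is not part of this thread or of Fortinet's tooling: a small Python parser run over a log sample constructed from the lines quoted in the original post. The WSAGetLastError value is read as hexadecimal, following the KB hbac links (0x2745 = 10053 = WSAECONNABORTED). The SSL_get_error() names come from OpenSSL's ssl.h, on the assumption that FortiClient's values follow it (the function name is OpenSSL's), and the Winsock names come from Microsoft's error-code list; both tables are deliberately partial. The hex-then-decimal fallback in decode_wsa is my own sanity check, not anything FortiClient documents.

```python
import re
from collections import Counter

# Constructed sample in the shape of the FortiClient debug lines quoted in the thread
SAMPLE_LOG = """\
error: poll_send_ssl ->SSL_get_error(): 5, try:1
error: poll_send_ssl -> WSAGetLastError():2745, try:1
error: poll_send_ssl ->data size: 66, try:1
[handle_driver_read_event]: error: poll_send
error: poll_recv_ssl -> SSL_get_error(): 5
error: poll_recv_ssl -> WSAGetLastError():2745
error: polling recv, try:1
"""

# SSL_get_error() return values as defined in OpenSSL's ssl.h
# (assumption: FortiClient's values follow OpenSSL, since the function name is OpenSSL's)
SSL_ERRORS = {
    0: "SSL_ERROR_NONE",
    1: "SSL_ERROR_SSL",
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL",
    6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT",
    8: "SSL_ERROR_WANT_ACCEPT",
}

# Subset of Winsock error codes (decimal) from Microsoft's Windows Sockets error list
WSA_ERRORS = {
    10035: "WSAEWOULDBLOCK",
    10053: "WSAECONNABORTED",
    10054: "WSAECONNRESET",
    10060: "WSAETIMEDOUT",
    10061: "WSAECONNREFUSED",
    10065: "WSAEHOSTUNREACH",
}

SSL_RE = re.compile(r"SSL_get_error\(\):\s*(\d+)")
WSA_RE = re.compile(r"WSAGetLastError\(\):\s*([0-9A-Fa-f]+)")


def decode_wsa(token):
    """Interpret a WSAGetLastError token from a FortiClient debug line.

    FortiClient prints the value in hexadecimal (per the KB linked in the
    thread), so '2745' means 0x2745 = 10053. As a sanity check of my own,
    fall back to a decimal reading only when the hex reading is not a known
    Winsock code but the decimal one is.
    """
    as_hex = int(token, 16)
    if as_hex in WSA_ERRORS:
        return as_hex, WSA_ERRORS[as_hex]
    if token.isdigit() and int(token) in WSA_ERRORS:
        as_dec = int(token)
        return as_dec, WSA_ERRORS[as_dec]
    return as_hex, "unknown"


def parse_forticlient_log(text):
    """Return (kind, code, name) tuples for every decodable error line."""
    events = []
    for line in text.splitlines():
        m = SSL_RE.search(line)
        if m:
            code = int(m.group(1))
            events.append(("ssl", code, SSL_ERRORS.get(code, "unknown")))
        m = WSA_RE.search(line)
        if m:
            code, name = decode_wsa(m.group(1))
            events.append(("wsa", code, name))
    return events


def summarize(events):
    """Collapse a noisy log into counts per decoded error name."""
    return Counter(f"{kind}:{name}" for kind, _, name in events)


if __name__ == "__main__":
    evs = parse_forticlient_log(SAMPLE_LOG)
    for kind, code, name in evs:
        print(f"{kind:3} {code:6} {name}")
    print(summarize(evs))
```

Run as-is, the block decodes the sample to SSL_ERROR_SYSCALL paired with WSAECONNABORTED on both the send and receive paths, which is the "local host aborted the established connection" reading hbac gives; the summarize counts are what to compare between a failing and a succeeding attempt when collecting a larger debug log.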
ArnaudL (Author)
New Member
March 5, 2024

Hi @hbac 

I am on a corporate computer, so my configuration is the same as all the other workstations (same hardware, same security software).

I am the only one having this problem, but as I already mentioned I am also the only one running the Windows 11 Insider Preview dev channel.
This occurred right after the latest Insider Preview upgrade. In fact maybe not the latest, but the one mentioned in my original post.

I'm quite confident the problem came with this upgrade, so this would be an OS/FortiClient compatibility issue. I have no way to be sure of this; it is just the sudden way the problem arose, and the fact that I am the only one with this problem, that makes it obvious to me.

ArnaudL (Author)
New Member
March 15, 2024

Update
It is still a nightmare to connect (I sometimes have to try for 30 minutes), but I found out that disconnecting and reconnecting my Wi-Fi sometimes helps. It does not always work, but after a disconnection/reconnection I definitely have a higher success rate.
Please note that my personal computer, on the same network, has no problem at all connecting to this SSL VPN endpoint. Not the same Windows version, obviously.