Description |
This article describes the FortiClient behavior that causes many ssl-exit-error and ssl-new-con events to appear in the VPN event log on a FortiGate firewall. |
Scope | SSL-VPN, FortiClient, Windows. |
Solution |
This is expected behavior of FortiClient for Windows.
Developer Team: It is common to do a probe connect first (attempt a socket connection with a 3-second timeout, then close the connection right away if the connection is OK), then start the actual login process.
The behavior was reproduced in the TAC-KL lab: before the actual login from user1 (Remote IP: 10.47.2.4), there were ssl-new-con and ssl-exit-error events from user N/A.
In the ssl-exit-error event, the reason was 'DH lib', the same as in the customer's logs.
In the ssl-new-con event, the reason was 'N/A', the same as in the customer's logs.
User1 was considered successfully logged in after these 2 events: the user logged in successfully and the tunnel was established with tunnel IP address 10.212.134.200.
|
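The pattern described above can be used to triage these events in exported VPN event logs. The following Python is an added example, not Fortinet code: it counts ssl-new-con and ssl-exit-error events from user N/A as probe noise only when a login from the same remote IP follows shortly after. The sample log lines are constructed, and the field names (`remip`, `tunnelip`), the `tunnel-up` login action and the 60-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in key=value style (not the article's lab logs).
SAMPLE_LOG = '''\
date=2024-01-10 time=09:00:01 subtype="vpn" action="ssl-new-con" remip=10.47.2.4 user="N/A" reason="N/A"
date=2024-01-10 time=09:00:01 subtype="vpn" action="ssl-exit-error" remip=10.47.2.4 user="N/A" reason="DH lib"
date=2024-01-10 time=09:00:04 subtype="vpn" action="tunnel-up" remip=10.47.2.4 user="user1" tunnelip=10.212.134.200
date=2024-01-10 time=09:05:00 subtype="vpn" action="ssl-new-con" remip=192.0.2.77 user="N/A" reason="N/A"
date=2024-01-10 time=09:05:00 subtype="vpn" action="ssl-exit-error" remip=192.0.2.77 user="N/A" reason="DH lib"
'''

PROBE_ACTIONS = {"ssl-new-con", "ssl-exit-error"}
LOGIN_ACTION = "tunnel-up"  # assumption: action logged when the tunnel is established
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def classify_probe_events(log_text, window_s=60):
    """Per remote IP, count N/A-user probe events that are followed by a
    login from the same IP within window_s seconds ('probe') and those
    that are not ('unexplained')."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    logins = [e for e in events
              if e.get("action") == LOGIN_ACTION
              and e.get("user") not in (None, "N/A")]
    window = timedelta(seconds=window_s)
    result = {}
    for e in events:
        if e.get("action") not in PROBE_ACTIONS or e.get("user") != "N/A":
            continue
        followed = any(
            l.get("remip") == e.get("remip")
            and timedelta(0) <= l["ts"] - e["ts"] <= window
            for l in logins)
        bucket = result.setdefault(e.get("remip"), {"probe": 0, "unexplained": 0})
        bucket["probe" if followed else "unexplained"] += 1
    return result


if __name__ == "__main__":
    for remip, counts in classify_probe_events(SAMPLE_LOG).items():
        print(remip, counts)
```

Events left in the "unexplained" bucket are the ones the probe-connect behavior does not account for and are worth reviewing separately.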