Article Id 193817

Description

This article describes a scenario where an SSL VPN MAC-based host check was configured.

Even though the client's MAC address was allowed in the rule, the VPN connection gets stuck at 80%.

Solution

Error obtained:

Unable to establish the VPN Connection. The VPN Server maybe Unavailable (-14)

Debug observed:

[229:root:38a]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[229:root:38a]req: /remote/logincheck
[229:root:38a]rmt_web_auth_info_parser_common:470 no session id in auth info
[229:root:38a]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]rmt_logincheck_cb_handler:1189 user 'test' has a matched local entry.
[229:root:38a]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[229:root:38a]sslvpn_authenticate_user:191 authenticate user: [test]
[229:root:38a]sslvpn_authenticate_user:198 create fam state
local auth is done with user 'test', ret=0
[229:root:38a]fam_auth_send_req_internal:461 fnbam_auth return: 0
[229:root:38a]fam_auth_send_req_internal:470 authentication OK
[229:root:38a]fam_do_cb:654 fnbamd return auth success.
[229:root:38a]SSL VPN login matched rule (1).
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]rmt_web_session_create:781 create web session, idx[3]
[229:root:38a]login_succeeded:523 redirect to hostcheck      <- Redirection to host check happens and the session gets disconnected.
[229:root:38a]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[229:root:38a]deconstruct_session_id:426 decode session id ok, user=[test],group=[Developers],authserver=[],portal=[full-access],host=[117.194.164.191],realm=[],idx=3,auth=1,sid=192c3652,login=1617175942,access=1617175942,saml_logout_url=no
[230:root:389]sslvpn_read_request_common,648, ret=-1 error=-1, sconn=0x33a6d280.
[230:root:389]Destroy sconn 0x33a6d280, connSize=2. (root)

Solution:

Downgrading to FortiClient version 6.0 made it possible to connect to the VPN successfully.
The root cause was a FortiClient licensing issue: the client edition in use does not support host check.

SSL VPN MAC host check does not work as expected with the following types of FortiClient:

  1. Free version of FortiClient 6.2 (Windows, macOS, Linux), which does not support any type of host check.
    Use a lower version as a workaround.

  2. Mobile FortiClients (all versions for Android and iOS).

If FortiClient drops at 70-80% without any errors, follow the steps in this article.

Other possible reasons:

  • Ensure tunnel mode is enabled on the SSL VPN portal.
  • The client may show an error such as 'Unable to log on to the server. The username or password may not be configured properly for this connection'.
  • Negotiation stops at this stage due to issues with user privileges.
  • If negotiation stops at this stage, check whether the username and password were entered correctly.
  • Check the user and user group. This issue often occurs when the user is not in the correct user group with VPN access.
  • The -14 error at around 80% can be caused by a user/group mismatch between the SSL VPN authentication rules and the firewall policy for SSL VPN (related article: Technical Tip: VPN Server may be unreachable (-14)).
  • The user and group can be configured, but they must be exactly the same in the SSL VPN authentication rules and the firewall policy.
  • Verify that the user also matches the correct portal.
  • Make sure the portal has tunnel mode enabled when logging in to the VPN with FortiClient.
  • This issue may occur if a corresponding firewall policy for the users has not been configured.
  • Additionally, check whether the correct realm is being used, if any realms are configured.
  • If the user logs in as a local/guest user, make sure 'Restrict to Specific OS Versions' is disabled.
  • Check whether host check, MAC address check or AV check is enabled.
  • A firmware downgrade or rollback of the FortiGate may change the original SSL VPN portal settings, so double-check whether tunnel mode or web mode is still enabled as in the previous configuration.
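The debug excerpt above and the checklist in this section can be tied together mechanically. The Python script below is an added example, not Fortinet code or an official tool: it keys on the marker strings that appear in the quoted SSL VPN debug output (authentication OK, matched rule, redirect to hostcheck, sslvpn_read_request_common ret=-1, Destroy sconn), extracts the user/group/portal/realm fields from the deconstruct_session_id line so they can be compared against the SSL VPN authentication rule and the firewall policy, and maps the point where the session stopped to the matching checklist item. The first sample is the article's own excerpt trimmed to the relevant lines; the second sample (authenticated but no rule matched) is constructed for this example, and the marker names and stage labels are this example's own assumptions, not FortiOS terminology.

```python
import re
from typing import Dict, List, Optional

# Sample 1: the FortiGate SSL VPN debug excerpt quoted in the article, trimmed to
# the lines the triage keys on (the session-id line is kept whole).
SAMPLE_HOSTCHECK_ABORT = """\
[229:root:38a]req: /remote/logincheck
[229:root:38a]rmt_logincheck_cb_handler:1189 user 'test' has a matched local entry.
[229:root:38a]fam_auth_send_req_internal:470 authentication OK
[229:root:38a]fam_do_cb:654 fnbamd return auth success.
[229:root:38a]SSL VPN login matched rule (1).
[229:root:38a]rmt_web_session_create:781 create web session, idx[3]
[229:root:38a]login_succeeded:523 redirect to hostcheck
[229:root:38a]deconstruct_session_id:426 decode session id ok, user=[test],group=[Developers],authserver=[],portal=[full-access],host=[117.194.164.191],realm=[],idx=3,auth=1,sid=192c3652,login=1617175942,access=1617175942,saml_logout_url=no
[230:root:389]sslvpn_read_request_common,648, ret=-1 error=-1, sconn=0x33a6d280.
[230:root:389]Destroy sconn 0x33a6d280, connSize=2. (root)
"""

# Sample 2 (constructed for this example, not from the article): authentication
# succeeds but no SSL VPN authentication rule matches, so no session is created.
SAMPLE_NO_RULE = """\
[229:root:38a]req: /remote/logincheck
[229:root:38a]fam_auth_send_req_internal:470 authentication OK
[229:root:38a]fam_do_cb:654 fnbamd return auth success.
[230:root:389]Destroy sconn 0x33a6d280, connSize=2. (root)
"""

# Marker strings come from the quoted debug output; the names are this example's own.
MARKERS = {
    "auth_ok": re.compile(r"authentication OK|fnbamd return auth success"),
    "rule_matched": re.compile(r"SSL VPN login matched rule \((\d+)\)"),
    "session_created": re.compile(r"rmt_web_session_create:\d+ create web session"),
    "hostcheck_redirect": re.compile(r"login_succeeded:\d+ redirect to hostcheck"),
    "session_info": re.compile(r"deconstruct_session_id:\d+ decode session id ok"),
    "read_error": re.compile(r"sslvpn_read_request_common,\d+, ret=-1 error=-1"),
    "sconn_destroyed": re.compile(r"Destroy sconn 0x[0-9a-f]+"),
}

# Each stage restates the corresponding item of the article's checklist.
HINTS = {
    "authentication_failed": "No 'authentication OK': verify the username/password and "
                             "that the user is in a group with SSL VPN access.",
    "no_matching_rule": "Authenticated but no SSL VPN authentication rule matched: user/group "
                        "must be identical in the authentication rule and the firewall policy, "
                        "and the portal needs tunnel mode enabled.",
    "host_check_abort": "Session created and redirected to host check, then the client dropped "
                        "the connection: the FortiClient edition/version does not support the "
                        "configured host check (free 6.2 or mobile clients), or the check failed.",
    "incomplete": "No disconnect marker after login in this excerpt; collect more debug output.",
}


def parse_session_info(line: str) -> Dict[str, str]:
    """Pull the key=[value] fields (user, group, portal, realm, ...) out of a
    deconstruct_session_id line so they can be compared with the SSL VPN
    authentication rule and the firewall policy."""
    return dict(re.findall(r"(\w+)=\[([^\]]*)\]", line))


def triage(lines: List[str]) -> Dict[str, object]:
    """Walk the debug lines in order and classify where the login stopped."""
    events: List[str] = []
    rule: Optional[str] = None
    session: Dict[str, str] = {}
    for line in lines:
        for name, pattern in MARKERS.items():
            match = pattern.search(line)
            if not match:
                continue
            events.append(name)
            if name == "rule_matched":
                rule = match.group(1)
            elif name == "session_info":
                session = parse_session_info(line)

    # A disconnect only counts as a host-check abort if it follows the redirect.
    dropped_after_redirect = False
    if "hostcheck_redirect" in events:
        after = events[events.index("hostcheck_redirect") + 1:]
        dropped_after_redirect = any(e in ("read_error", "sconn_destroyed") for e in after)

    if "auth_ok" not in events:
        stage = "authentication_failed"
    elif "rule_matched" not in events:
        stage = "no_matching_rule"
    elif dropped_after_redirect:
        stage = "host_check_abort"
    else:
        stage = "incomplete"
    return {"stage": stage, "hint": HINTS[stage], "rule": rule,
            "session": session, "events": events}


if __name__ == "__main__":
    for label, sample in (("article excerpt", SAMPLE_HOSTCHECK_ABORT),
                          ("constructed no-rule case", SAMPLE_NO_RULE)):
        result = triage(sample.splitlines())
        print(f"{label}: {result['stage']} (rule={result['rule']}, "
              f"user={result['session'].get('user')}, group={result['session'].get('group')})")
        print("  ", result["hint"])
```

Feed it the output of the SSL VPN debug captured during a failing login; the article's excerpt classifies as a host-check abort because the read error and sconn teardown follow the redirect to hostcheck, while the same disconnect without a preceding matched rule points at the user/group and policy mismatch items instead.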

Related articles:

Technical Tip: SSL VPN MAC host check does not work
Troubleshooting Tip: Possible reasons for FortiClient SSL VPN