btan
Staff
Article Id 347481
Description This article describes how to troubleshoot when end users are getting the 'Revocation information for the security certificate for this site is not available' prompt when connecting to a VPN.
Scope FortiClient 7.0 and above.
Solution

Sometimes, end users may randomly receive the 'Revocation information for the security certificate for this site is not available' prompt when connecting to the VPN.

This is due to the option below being enabled in the FortiClient EMS endpoint profile:

[Screenshot: FortiClient EMS endpoint profile option]

The prompt appears because the Certificate Revocation List (CRL) FQDN for the VPN gateway's certificate was inaccessible during the VPN connection attempt.

To check which CRL FQDN the SSL VPN gateway is using:

  1. Enter the SSL VPN gateway address in any web browser -> Select the padlock icon -> Select 'Certificate is Valid'.
  2. Check the 'Issued by' section in the Certificate Viewer. In this example, fortinet.com's SSL certificate is issued by DigiCert Inc.
  3. Select Details, scroll down, and look for CRL Distribution Points. The CRL FQDN is shown there.

If the CRL information is missing or not valid, search online or go to the Certificate Authority's official website to find the CRL FQDN.
For DigiCert, a couple of CRL FQDNs are listed at https://knowledge.digicert.com/alerts/digicert-certificate-status-ip-address.

Checklist once the CRL FQDN is known:

  1. Ensure that the CRL FQDN is not blocked in the network environment or firewall on the end user's site.
  2. If required, remove any Security Profiles applied to the Firewall Policy towards the CRL FQDN, such as Web Filter, Antivirus, and SSL inspection profile.
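
The lookup and checklist above can be run from the affected endpoint's network with a short script. This is an added example, not Fortinet's code, and it uses only the Python standard library. Assumptions: the gateway certificate validates against the local trust store, `SAMPLE_CERT` and the `example.test` names are constructed, and treating a non-DER response as altered is a heuristic for spotting a filter's block page.

```python
import socket
import ssl
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output (not a real certificate).
SAMPLE_CERT = {
    "crlDistributionPoints": ("http://crl.example.test/ca.crl", "ldap://dir.example.test/cn=ca"),
}

def gateway_cert(host, port=443, timeout=5):
    """Fetch the gateway's validated certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def crl_urls(cert):
    """CRL Distribution Point URLs listed in the certificate (may be empty)."""
    return list(cert.get("crlDistributionPoints", ()))

def _fetch(url, timeout=5):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def check_crl(url, resolve=lambda h: socket.getaddrinfo(h, None), fetch=_fetch):
    """Return (status, detail) for one CRL URL as seen from this machine."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "skipped", "not an HTTP(S) distribution point"
    try:
        resolve(parts.hostname)          # checklist item 1: FQDN resolves
    except OSError as exc:
        return "dns-failed", f"{parts.hostname}: {exc}"
    try:
        body = fetch(url)                # checklist item 1: download is not blocked
    except OSError as exc:
        return "unreachable", str(exc)
    # Assumption: an HTTP CRL is DER and starts with an ASN.1 SEQUENCE tag (0x30).
    if body[:1] != b"\x30":              # checklist item 2: a profile replaced the content
        return "altered", f"unexpected content, first bytes {body[:16]!r}"
    return "ok", f"{len(body)} bytes"

if __name__ == "__main__":
    cert = gateway_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    for url in crl_urls(cert):
        print(url, *check_crl(url))
```

Pass the gateway FQDN as the first argument; a `dns-failed` or `unreachable` result points to checklist item 1, and `altered` points to item 2.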