volkanavsar
Staff
Article Id 387447
Description

This article describes where enabling the 'Invalid Server Certificate Warning' is beneficial.

Scope

FortiClient, FortiClient EMS, SSL VPN, and FortiGate.
Solution

If SSL VPN authentication attempts from FortiClient fail with a -7200 error while SSL VPN Web Mode is functioning correctly, logs similar to the following may be observed on the FortiGate. This is usually due to a recently renewed SSL VPN certificate.


FG100 # [317:root:1...]allocSSLConn:310 sconn 0x7f7... (0:root)
[317:root:1...]SSL state:before SSL initialization
[317:root:1...]SSL state:fatal decode error
[317:root:1...]SSL state:error:(null)
[317:root:1...]SSL_accept failed, 1:unexpected eof while reading
[317:root:1...]Destroy sconn 0x7f7..., connSize=0. (root)
[462:root:1...]allocSSLConn:310 sconn 0x7f7... (0:root)
[462:root:1...]SSL state:before SSL initialization 
[462:root:1...]SSL state:before SSL initialization 
[462:root:1...]got SNI server name: vpn.domain.com realm (null)
[462:root:1...]client cert requirement: no

 

To resolve the issue, enable the 'Enable Invalid Server Certificate Warning' option by navigating to 'EMS -> Endpoint Profiles -> Remote Access -> Enable Invalid Server Certificate Warning'. After enabling this option, re-attempt the connection. FortiClient will prompt to trust the certificate again, after which the connection may proceed.
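
To confirm the symptom in a longer capture of the FortiGate debug output shown earlier, the following added example (not Fortinet code and not part of the original article) groups lines by their bracketed prefix and reports the connections whose TLS handshake ended in 'SSL_accept failed'. The sample input is constructed: the connection ids and sconn pointers are made up, and treating the whole bracketed prefix as one connection key is an assumption.

```python
import re

# Constructed sample in the format of the debug output above; the connection
# ids (1a, 1b) and sconn pointers are made up for this example.
SAMPLE = """\
FG100 # [317:root:1a]allocSSLConn:310 sconn 0x7f7000a000 (0:root)
[317:root:1a]SSL state:before SSL initialization
[317:root:1a]SSL state:fatal decode error
[317:root:1a]SSL state:error:(null)
[317:root:1a]SSL_accept failed, 1:unexpected eof while reading
[317:root:1a]Destroy sconn 0x7f7000a000, connSize=0. (root)
[462:root:1b]allocSSLConn:310 sconn 0x7f7000b000 (0:root)
[462:root:1b]SSL state:before SSL initialization
[462:root:1b]got SNI server name: vpn.domain.com realm (null)
[462:root:1b]client cert requirement: no
"""

# Assumption: the whole bracketed prefix identifies one connection.
LINE = re.compile(r"\[(\d+:[^:\]]+:[^\]]+)\](.*)")
SNI = re.compile(r"got SNI server name: (\S+)")


def summarize(text):
    """Group debug lines by their bracketed prefix, one record per connection."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.search(raw)  # search(): the first line may start with the CLI prompt
        if not m:
            continue
        key, msg = m.group(1), m.group(2).strip()
        rec = conns.setdefault(key, {"sni": None, "failed": False, "errors": []})
        sni = SNI.search(msg)
        if sni:
            rec["sni"] = sni.group(1)
        if msg.startswith("SSL_accept failed"):
            rec["failed"] = True
            rec["errors"].append(msg)
        elif msg.startswith("SSL state:") and ("fatal" in msg or "error" in msg):
            rec["errors"].append(msg)
    return conns


def failed_handshakes(text):
    """Return only the connections whose TLS handshake the log shows failing."""
    return {k: v for k, v in summarize(text).items() if v["failed"]}


if __name__ == "__main__":
    for key, rec in failed_handshakes(SAMPLE).items():
        print(key, rec["sni"], rec["errors"])
```
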

 
