FortiClient
btan
Staff & Editor
Article Id 402369
Description: This article describes how to troubleshoot an issue where, when attempting a VPN connection with smart card PKI authentication, the FortiClient VPN connection stalls at 40% and never prompts for the PIN code needed to complete the connection.
Scope FortiClient v7.2, and v7.4.
Solution

VPN setup:

  1. Follow this document: SSL VPN with certificate authentication, and configure SSL VPN or IPsec VPN with certificate authentication.
  2. Follow this document: SSL VPN, and configure the VPN to 'Require Certificate'.

 

Note: In some cases, additional settings on FortiGate may be required; see the article Technical Tip: Upgrade to the latest MS Windows 10 version breaks the SSLVPN login using PKI with so...:

 

config vpn ssl settings
    set client-sigalgs no-rsa-pss
end

 

In a successful VPN scenario:

  1. Select the correct certificate for the VPN connection; FortiClient prompts the user to enter the PIN code for the certificate.
  2. After the correct PIN code is entered, FortiClient proceeds with the VPN connection and connects successfully.

 

In a failing VPN scenario:

  1. Select the correct certificate for the VPN connection; FortiClient pauses the progress at 40%.
  2. FortiClient does not prompt the user to enter the PIN code and drops the VPN attempt abruptly.

 

When facing the above issue, follow the guidelines below to troubleshoot (applicable to both the FortiClient VPN-only version and the full FortiClient version):

  1. Check the machine's Windows version by running winver from a command prompt (CMD).
    Windows 10 version 17134 (21H1) or older: Use FortiClient v7.2.11+.
    Windows 10 version 19044 (21H2) or newer: Use FortiClient v7.4.3+.
    Windows 11 (any version): Use FortiClient v7.4.3+.

  2. If the above has been verified but the issue still persists, open Registry Editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\tunnelname.
  • Check whether a dual_stack registry value exists; normally there should be none, and if it exists it should be set to 0.


  • If the dual_stack registry value exists and has been set to 1, manually edit it to 0.
  • If FortiClient is managed by EMS, manually add or edit the parameter <dual_stack>0</dual_stack> in the endpoint profile.


  3. If the issue persists even after dual_stack is set to 0, add an async_mode registry value (DWORD 32-bit) and set it to 1.


If FortiClient is managed by EMS, manually add the parameter <async_mode>1</async_mode> in the endpoint profile.


After verifying all 3 steps above, the issue should be resolved.
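As an added example (not part of this Fortinet article), the following PowerShell script audits the three items above on the endpoint: the Windows build (the number winver shows), and for every tunnel under the registry path the article names, whether dual_stack is absent or 0 and whether async_mode is a DWORD set to 1. The -Fix switch is this example's own convention; on EMS-managed endpoints the endpoint profile should be edited instead, since EMS pushes the tunnel settings.

```powershell
# Audit FortiClient SSL VPN tunnel registry values discussed in the article.
# Run from an elevated PowerShell prompt; -Fix applies dual_stack=0 and async_mode=1.
param([switch]$Fix)

$base = 'HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels'

# Step 1: the Windows build number, as reported by winver (e.g. 19044).
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
Write-Host "Windows build: $build"
if ($build -le 17134)     { Write-Host 'Build 17134 or older: FortiClient v7.2.11 or later is recommended' }
elseif ($build -ge 19044) { Write-Host 'Build 19044 or newer (or Windows 11): FortiClient v7.4.3 or later is recommended' }

if (-not (Test-Path $base)) { Write-Warning "No SSL VPN tunnels found under $base"; return }

# Steps 2 and 3: per tunnel, dual_stack must be absent or 0; async_mode should be DWORD 1.
foreach ($tunnel in Get-ChildItem $base) {
    $name  = $tunnel.PSChildName
    $props = Get-ItemProperty -Path $tunnel.PSPath
    $dual  = $props.PSObject.Properties['dual_stack']   # $null when the value is absent
    $async = $props.PSObject.Properties['async_mode']

    if ($null -ne $dual -and $dual.Value -ne 0) {
        Write-Host "[$name] dual_stack = $($dual.Value) (expected absent or 0)"
        if ($Fix) { Set-ItemProperty -Path $tunnel.PSPath -Name 'dual_stack' -Value 0 -Type DWord }
    } else {
        Write-Host "[$name] dual_stack OK"
    }

    if ($null -eq $async -or $async.Value -ne 1) {
        Write-Host "[$name] async_mode missing or not 1"
        # -Force overwrites an existing value of the wrong type or data.
        if ($Fix) { New-ItemProperty -Path $tunnel.PSPath -Name 'async_mode' -Value 1 -PropertyType DWord -Force | Out-Null }
    } else {
        Write-Host "[$name] async_mode OK"
    }
}
```

Run it once without -Fix to see the current state, then with -Fix after confirming the endpoint is not EMS-managed.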

 

Further reading about async_mode: Asynchronous Operation.

 
