Created on 04-13-2025 10:33 PM
Edited on 09-09-2025 10:36 PM
By Jean-Philippe_P
| Description | This article describes how to resolve an issue where FortiClient does not prompt for MFA when connecting to a certificate-based authentication SSL VPN or IPsec VPN that uses a Smart Card as multifactor authentication (MFA). |
| Scope | FortiClient v7.0.9+, v7.2, v7.4. |
| Solution |
After upgrading FortiClient to versions 7.0.9, 7.2.x, or 7.4.x, FortiClient does not prompt for MFA when connecting to a certificate-based authentication SSL VPN or IPsec VPN with a Smart Card as multifactor authentication (MFA). As a result, the VPN connection stops at 40% and is never established.
The FortiClient notification shows the error 'Permission denied. (-455)'.
To resolve this, go to EMS -> Endpoint Profile -> Remote Access -> (select the profile) -> Edit -> XML view, add the configuration `<async_mode>1</async_mode>` in the VPN tunnel section, and save the profile.
Note: This solution is applicable to both SSL VPN and IPsec VPN tunnels.
Once the endpoint machine has synced with the profile, FortiClient prompts for the Smart Card MFA PIN and the VPN can be connected. |