Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
Adryan_you
Staff
Staff

Created on ‎09-18-2023 01:36 AM Edited on ‎06-22-2025 01:24 PM By Moderator

Article Id 274174

Troubleshooting Tip: Windows 10/11 unable to connect to the SSL VPN using TLS 1.3 via FortiClient

Description This article describes how to solve the issue where Windows 10/11 is unable to connect to the SSL VPN using TLS 1.3 via Forticlient, although TLS 1.3 has been enabled in the Internet browser properties.
Scope FortiClient, Windows 10/11.
Solution

FortiGate SSL VPN supports TLS 1.3. To connect to FortiGate SSL VPN using TLS 1.3, it is necessary to enable TLS 1.3 in Windows 10/11. Normally, it is possible to enable it via the Internet browser properties:

  • In a Windows computer, start the Run prompt (Win + R) and type 'inetcpl.cpl', then press the Enter key. 
  • The Internet Properties window will be opened. Go to the Advanced section.
  • Under the security section, check the box TLS 1.3.
  • Apply the changes and restart the browser.

 

window-1.png

 

If the FortiClient still fails to connect to FortiGate SSL VPN using TLS 1.3 (Webmode is working fine), then it is necessary to check and edit the computer registry.

 

window-2.png

 

First, collect the FortiGate SSL VPN debug. From the debug, it is possible to see that FortiClient is not able to initiate an SSL connection using TLS 1.3:

 

diagnose debug disable

diagnose debug reset

diagnose debug application sslvpn -1

diagnose debug enable

 

FortiGate SSL VPN Debug Output:

 

// Forticlient failed to connect //
[19293:root:2fc]allocSSLConn:307 sconn 0x7f0946f57a00 (0:root)
[19293:root:2fc]SSL state:before SSL initialization (10.47.4.151)
[19293:root:2fc]SSL state:before SSL initialization:DH lib(10.47.4.151)
[19293:root:2fc]SSL_accept failed, 5:(null)
[19293:root:2fc]Destroy sconn 0x7f0946f57a00, connSize=0. (root)

 

// Webmode can access using TLS 1.3 //
[19293:root:302]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 <<===
[19293:root:302]No client certificate
[19293:root:302]req: /remote/login
[19293:root:302]rmt_web_auth_info_parser_common:492 no session id in auth info
[19293:root:302]rmt_web_get_access_cache:841 invalid cache, ret=4103
[19293:root:302]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 <<====

 

Next, check and edit the computer registry to enable TLS 1.3:

  • Go to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
  • If 'TLS 1.3' is not displaying as a child path under 'Protocols', create it. 'Right-click' 'Protocols', create 'new key', and name it 'TLS 1.3'.

    create-new-key-registry.png

 

  • Then create another new key under 'TLS 1.3', and name it 'Client'.
  • In the 'Client' section, create 2 DWORD (32-bit) values, name them 'DisabledByDefault' and 'Enabled' with a default value of 0.

    create-dword.png

 

  • For 'Enabled', change the value to '1'.

    dword-value-1.png

 

  • Final Look at the registry:

    final-look.png

 

  • Apply the changes and close the registry editor window.
  • Restart the computer.

 

After restarting the computer, the FortiClient can connect to the FortiGate SSL VPN using TLS 1.3. SSL VPN debug on FortiGate:

 

[19293:root:31d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 <-
[19293:root:31d]req: /remote/login
[19293:root:31d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) <-

[19293:root:31d]sslvpn_authenticate_user:183 authenticate user: [local] <-
[19293:root:31d][fam_auth_send_req_internal:652] The user local is authenticated.
[19293:root:31d]fam_do_cb:665 fnbamd return auth success.

 

connect-success.png
25357
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.