FortiGate
akumarr (Staff)
Article Id 190478

Description

This article describes how to resolve the 'failed to establish the VPN connection' and '5029' errors.

Scope

FortiGate.

Solution


While connecting with FortiClient, the following error may appear.

This error is caused by a TLS version mismatch between the client and the FortiGate. On the client, go to Internet Explorer -> Settings -> Internet options -> Advanced, scroll down, and check which TLS versions are enabled.

In the image above, only TLS 1.2 is enabled on the client, while the FortiGate's SSL VPN settings do not allow TLS 1.2, as the output below shows. Verify the TLS settings configured on the FortiGate against the TLS settings enabled on the client.

sh ful    (short for 'show full-configuration', run under 'config vpn ssl settings'; only the relevant lines of the output are shown)
config vpn ssl settings
    set reqclientcert disable
    set ssl-max-proto-ver tls1-1
    set ssl-min-proto-ver tls1-0

Either enable TLS 1.0 and TLS 1.1 on the client, or change the TLS version on the FortiGate to allow TLS 1.2 (ssl-max-proto-ver tls1-2). In this case the settings were changed on the client. As soon as the settings are changed, FortiClient will be able to connect.
  

 

SSL VPN Associated Interface:

When SSL VPN is listening on multiple interfaces, ensure the user or group is mapped to each required interface in the authentication rules:

config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "port7"
            set source-address "US"
            set users "sslsplit"
            set portal "tunnel-access"
        next
        edit 2
            set source-interface "port8"
            set source-address "US"
            set groups "ZTNA_Machine_Auth"
            set portal "full-access"
        next
    end
end

In this example, the user 'sslsplit' will fail to connect to the portal 'tunnel-access' when connecting via the second interface, port8, because no authentication rule maps this user to port8.
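As an added example (not code from the article or from Fortinet), the following Python checks both conditions described above offline, against a saved copy of the 'show full-configuration' output: whether the FortiGate's ssl-min/max-proto-ver range overlaps the TLS versions enabled on the client, and whether a user or group is mapped to the interface it connects through. SAMPLE_CONFIG is a constructed text mirroring the article's two snippets, and the parsing assumes one quoted value per 'set' line inside the authentication rules.

```python
import re

# Constructed sample of `show full-configuration` output, mirroring the
# article's two snippets; not a live FortiGate dump.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set ssl-max-proto-ver tls1-1
    set ssl-min-proto-ver tls1-0
    config authentication-rule
        edit 1
            set source-interface "port7"
            set users "sslsplit"
            set portal "tunnel-access"
        next
        edit 2
            set source-interface "port8"
            set groups "ZTNA_Machine_Auth"
            set portal "full-access"
        next
    end
end
"""
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]  # FortiOS keyword order, oldest first

def tls_overlap(config, client_versions):
    """TLS versions both ends accept; an empty list is the mismatch behind the error.
    TLS 1.0/1.1 are deprecated, so prefer raising the gateway's max over lowering the client."""
    lo = re.search(r"set ssl-min-proto-ver (\S+)", config).group(1)
    hi = re.search(r"set ssl-max-proto-ver (\S+)", config).group(1)
    allowed = TLS_ORDER[TLS_ORDER.index(lo):TLS_ORDER.index(hi) + 1]
    return [v for v in client_versions if v in allowed]

def parse_auth_rules(config):
    """authentication-rule entries as dicts (assumes one quoted value per `set`)."""
    block = re.search(r"config authentication-rule(.*?)\n\s+end", config, re.S).group(1)
    rules = []
    for entry in re.finditer(r"edit (\d+)(.*?)next", block, re.S):
        rule = {"id": int(entry.group(1))}
        rule.update(re.findall(r'set (\S+) "([^"]*)"', entry.group(2)))
        rules.append(rule)
    return rules

def portals_for(config, interface, user=None, group=None):
    """Portals the user or group can reach on `interface`; [] means no mapping."""
    return [r["portal"] for r in parse_auth_rules(config)
            if r.get("source-interface") == interface
            and ((user and r.get("users") == user) or (group and r.get("groups") == group))]
```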

 

Server Certificate:

If all of the above steps have been followed and the same connection error still occurs, check that the server certificate is set and not empty. This can be verified under SSL-VPN Settings -> Server Certificate; change it accordingly.

After the certificate has been set, it will be possible to connect to the SSL VPN.

 

Another possible cause of this error, if the above steps did not help, is that the FortiGate uses a self-signed certificate as the SSL VPN server certificate and another firewall between the client and the FortiGate performs certificate inspection.

In a packet capture of this failure, the client sends a TLS alert (Level: Fatal, Description: Illegal Parameter) right after the server's 'Certificate, Server Key Exchange, Server Hello Done' messages.

The solution is to either:

  1. Disable certificate inspection on the intermediary firewall(s).
  2. Use a trusted certificate signed by a public certificate authority as the SSL VPN server certificate on the FortiGate.