FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198710


This article provides the solution when the error 'The server you want to connect to requests identification. choose a certificate and try again (-5)' is received in FortiClient trying to connect to the SSL VPN.






This error can occur for the following reasons:


  1. The most common cause for this problem is because the user does not have read access to the certificate's private key. If the user cannot read the private key then it cannot present it to the FortiGate for authentication purposes, and FortiClient therefore gives an error stating has not been chosen a certificate (even though one shows as selected). The solution in this case is to ensure that the user can read the certificate's private key as follows:
  • Open MMC to where the certificate is stored. For computer certificates, for example: MMC > File > Add/Remove Snap-in -> Certificates -> Add -> Computer account -> Ok.
  • Navigate to Certificates -> Personal -> Certificates.
  • 'Right-click' on the certificate in question and select All Tasks -> Manage Private Keys.
  • Ensure the user who is logged in has read access to the private key, and add them to the list if they are missing:




  1. Another cause is that the default settings for encryption have changed in FortiOS v5.4 and later.
  • On the FortiClient (Windows) workstation, go to Internet Explorer -> Options -> Advanced and  enable 'TLS 1.1' and 'TLS 1.2'
  •  Change the TLS settings according to the settings on the FortiGate as well.


  1.  Windows Update KB5018410 affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections and causes handshake failures.

Microsoft has released both standalone packages and cumulative updates to fix this issue:

Cumulative updates:

  • Windows 11, version 21H2: KB5020387.
  • Windows Server 2022: KB5020436.
  • Windows 10, version 20H2; Windows 10, version 21H1; Windows 10, version 22H1; Windows 10 Enterprise LTSC 2021: KB5020435.
  • Windows 10 Enterprise LTSC 2019; Windows Server 2019: KB5020438.
  • Windows 10 2016 LTSB; Windows Server 2016: KB5020439.
  • Windows 10 2015 LTSB; KB5020440.

Standalone Updates:

  • Windows 8.1; Windows Server 2012 R2: KB5020447.
  • Windows Server 2012: KB5020449.
  • Windows 7 SP1; Windows Server 2008 R2 SP1: KB5020448.

The updates cannot be deployed via Windows Update.
Download from the Microsoft Update Catalog and install it manually or import it into WSUS and Microsoft Endpoint Configuration Manager.


  1.  User will get the same error If the client certificate with .cert format has been enabled on FortiClinet instead of the Client certificate with .p12 extension 

In sniffer, a Fatal error 'TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Decode Error)' is seen.




In debugging output the error is seen:


Spoke1 # di de disable
Spoke1 # di de reset
Spoke1 # di de app sslvpn  -1
Debug messages will be on for 30 minutes.
Spoke1 # di de app fnbamd  -1
Debug messages will be on for 30 minutes.
Spoke1 # di de enable


[278:root:a]allocSSLConn:310 sconn 0x33f7cc00 (0:root)
[278:root:a]SSL state:before SSL initialization (
[278:root:a]SSL state:before SSL initialization (
[278:root:a]no SNI received
[278:root:a]client cert requirement: yes
[278:root:a]SSL state:SSLv3/TLS read client hello (
[278:root:a]SSL state:SSLv3/TLS write server hello (
[278:root:a]SSL state:SSLv3/TLS write certificate (
[278:root:a]SSL state:SSLv3/TLS write key exchange (
[278:root:a]SSL state:SSLv3/TLS write certificate request (
[278:root:a]SSL state:SSLv3/TLS write server done (
[278:root:a]SSL state:SSLv3/TLS write server done:(null)(
[278:root:a]SSL state:fatal decode error (
[278:root:a]SSL state:error:(null)(
[278:root:a]SSL_accept failed, 1:unexpected eof while reading
[278:root:a]Destroy sconn 0x33f7cc00, connSize=0. (root)


  • Import the Client Certificate with .p12 extension
  1. Import the Client Certificate with .p12 extension on user PC under certmgr.msc > Personal > Certificates > All Tasks > Import > Current User > Next > - select the Cert with .p12: Certificate password -> Next -> Finish.
  2.  Then open MMC > File > Add/Remove Snap-in: Certificates -> Add -> Computer account -> Ok.


Related article:

Technical Note: Error 'Unable to establish the VPN connection. The VPN server may be unreachable. (-...