FortiGate
hbac
Staff
Article Id 248363
Description

This article describes how to resolve an issue where users are unable to connect to the SSL VPN using FortiClient: the connection attempt gets stuck at 98%.

Scope

FortiClient.
Solution


  • SSL VPN debugs on the FortiGate do not show any errors.

  • FortiClient logs show the following errors:

user=test@fortinet msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel=fortinet vpnuser=test remotegw=vpn.fortinet.com
2/23/2023 11:22:36 AM         info      sslvpn  FortiSslvpn: 13576: fortissl_connect: device=ftvnic
2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: RasGetEntryPropertiesWin7(fortissl) failed. (r=623)
2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: error: ssl_connect:-3
2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: tunnel_to_fgt error
2/23/2023 11:22:38 AM         error    sslvpn  FortiSslvpn: 14544: error: ras_loop(), waitResult=1.

This issue usually occurs either because of IPv6 conflicts, when the VPN remote gateway FQDN resolves to both an IPv4 and an IPv6 address, or because the SSL VPN virtual adapter was not properly installed on the endpoint.

  1. IPv6 conflicts when the VPN remote gateway FQDN resolves to both IPv4 and IPv6:

There are three possible workarounds for this issue:

  1. Disable IPv6 on the network adapter:

Control Panel -> Network and Internet -> Network and Sharing Center -> Select the Network Adapter -> Properties -> Uncheck Internet Protocol Version 6 (TCP/IPv6).

  2. Create a registry key to prefer IPv4 over IPv6:

    Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

    Key: DisabledComponents

    Type: REG_DWORD

    Value: 0x20

    After creating the registry key, the PC needs to be rebooted.

  3. Enable the option 'Resolve to IPv4 only' in the XML configuration of the Remote Access profile. This option is available for FortiClient 7.2.5.

<resolve_to_ipv4_only>1</resolve_to_ipv4_only>

resolve_to_ipv4_only: If an FQDN is used for the VPN gateway that can be resolved to both IPv4 and IPv6, but only IPv4 functions, FortiClient resolves the FQDN to the IPv4 address.

This modification is applied from the EMS:

EMS -> Endpoint Profiles -> Remote Access -> Select and Edit the profile -> XML -> Edit -> Apply Configuration -> Save.

Reference Document: XML Reference Guide

  2. SSL VPN virtual adapter not properly installed on the PC:

    • The virtual adapter shows as disabled while no SSL VPN connection is established.
    • After a connection is established, it shows as enabled.
    • If the adapter does not appear at all, the authentication process completes when the user tries to connect to the VPN, but the connection stops at 98%.
    • Active Directory (AD) security policies can block the upgrade or installation of the virtual adapter drivers. This can be confirmed by checking the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions

    • If the restriction exists, it must be removed to allow the upgrade or installation of the FortiClient virtual adapter driver.

Related document: 

Prevent Device Installations - Client Management/MDM policies 
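The checks from both causes above (dual-stack resolution of the gateway FQDN together with the IPv6 binding and DisabledComponents workarounds, and the presence of the virtual adapter and the DeviceInstall restriction policy) gathered into one endpoint diagnostic. This is an added example, not code from FortiClient, EMS or the article's author; it assumes an elevated PowerShell 5.1 or later session on the affected Windows endpoint, and the gateway name vpn.example.com is a placeholder to be replaced with the real remote gateway FQDN from the Remote Access profile.

```powershell
<#
  Endpoint diagnostic for the "SSL VPN stuck at 98%" causes described in this article.
  Added example, not Fortinet's or FortiClient's own code. Assumes an elevated
  PowerShell 5.1+ session on the affected Windows endpoint.
#>
param(
    [string]$GatewayFqdn = 'vpn.example.com',   # placeholder: replace with the real remote gateway FQDN
    [switch]$Fix                                # also write DisabledComponents bit 0x20 (reboot needed afterwards)
)

$Tcpip6Params        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$DeviceInstallPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# --- Cause 1: does the gateway FQDN resolve to both IPv4 (A) and IPv6 (AAAA)? ---
$a    = @(Resolve-DnsName -Name $GatewayFqdn -Type A    -ErrorAction SilentlyContinue | Where-Object Type -eq 'A')
$aaaa = @(Resolve-DnsName -Name $GatewayFqdn -Type AAAA -ErrorAction SilentlyContinue | Where-Object Type -eq 'AAAA')
Write-Host ("Gateway {0}: {1} A record(s), {2} AAAA record(s)" -f $GatewayFqdn, $a.Count, $aaaa.Count)
if ($a.Count -gt 0 -and $aaaa.Count -gt 0) {
    Write-Warning 'FQDN is dual-stack: this endpoint is a candidate for the IPv6 conflict described above.'
}

# Workaround 1 check: which adapters still have the IPv6 binding (ms_tcpip6) enabled?
Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled } |
    ForEach-Object { Write-Host ("IPv6 binding enabled on adapter '{0}'" -f $_.Name) }

# Workaround 2 check: DisabledComponents bit 0x20 (prefer IPv4 over IPv6)
$dc = (Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc) {
    Write-Host 'DisabledComponents: not set (Windows prefers IPv6 by default)'
} else {
    Write-Host ('DisabledComponents: 0x{0:X} (bit 0x20 set = prefer IPv4)' -f $dc)
}
$preferIPv4 = ($null -ne $dc) -and (($dc -band 0x20) -ne 0)
if ($Fix -and -not $preferIPv4) {
    # OR the bit in rather than overwriting, so any other administratively set bits survive
    $newValue = if ($null -eq $dc) { 0x20 } else { $dc -bor 0x20 }
    New-ItemProperty -Path $Tcpip6Params -Name DisabledComponents -PropertyType DWord -Value $newValue -Force | Out-Null
    Write-Host ('Wrote DisabledComponents = 0x{0:X}; reboot the PC to apply.' -f $newValue)
}

# --- Cause 2: is the FortiClient virtual adapter present, and is driver installation blocked by policy? ---
$ftv = @(Get-NetAdapter -InterfaceDescription 'Fortinet*' -IncludeHidden -ErrorAction SilentlyContinue)
if ($ftv.Count -eq 0) {
    Write-Warning 'No Fortinet virtual adapter found: the driver may be missing or its installation blocked.'
} else {
    # Disabled with no tunnel up is expected; the adapter only shows enabled once a connection is established
    $ftv | ForEach-Object { Write-Host ("Virtual adapter '{0}' status: {1}" -f $_.Name, $_.Status) }
}
if (Test-Path $DeviceInstallPolicy) {
    Write-Warning "Device installation restrictions policy present at $DeviceInstallPolicy (see the AD policy note above)"
    Get-ItemProperty -Path $DeviceInstallPolicy | Format-List *
} else {
    Write-Host 'No DeviceInstall restrictions policy key present.'
}
```

Run it without -Fix first to see which of the two causes applies; -Fix only writes the DisabledComponents bit from workaround 2 and never touches the DeviceInstall policy, since that policy is pushed from AD and should be corrected there rather than on the endpoint.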

Comments
Umer221
Staff

Thank you for writing this article. It is helpful for resolving issues where IPv6 is enabled, specifically on Windows 11 hosts.