Troubleshooting Tip: SSL VPN fails at 98%

This article describes how to solve an issue when users are not able to connect to the SSL VPN using FortiClient. When trying to connect, it is stuck at 98%. 

• SSL VPN debugs on the FortiGate do not show any errors.
  
  
• FortiClient logs show the following errors:

user=test@fortinet msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel=fortinet vpnuser=test remotegw=vpn.fortinet.com

2/23/2023 11:22:36 AM         info      sslvpn  FortiSslvpn: 13576: fortissl_connect: device=ftvnic

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: RasGetEntryPropertiesWin7(fortissl) failed. (r=623)

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: error: ssl_connect:-3

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: tunnel_to_fgt error

2/23/2023 11:22:38 AM         error    sslvpn  FortiSslvpn: 14544: error: ras_loop(), waitResult=1.

This issue usually occurs due to IPv6 conflicts when the VPN remote gateway FQDN resolves to IPv4 and IPv6 or if the SSL VPN virtual adapter was not properly installed on the endpoint.

1. IPV6 conflicts when VPN remote gateway FQDN resolves to both IPv4 and IPv6:

There are 3 possible workarounds to resolve this issue: 

1. Disable IPv6 on the network adapter: 

Control Panel -> Network and Internet -> Network and Sharing Center -> Select the Network Adapter -> Properties -> Uncheck Internet Protocol Version 6 (TCP/IPv6).

2. Create a registry key to prefer IPv4 over IPv6:

    

   Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

   Key: DisabledComponents

   Type: REG_DWORD

   Value: 0x20

    

   

     

   After creating the registry, the PC needs to be rebooted.

    

    

3. Enable the option 'Resolve to IPV4 only' on XML configuration on the Remote Access profile. This option is available for FortiClient 7.2.5.

    

<resolve_to_ipv4_only>1</resolve_to_ipv4_only>

resolve_to_ipv4_only: If an FQDN is used for the VPN gateway that can be resolved to IPv4 and IPv6, but only IPv4 functions, FortiClient resolves the FQDN via the IPv4 address.

This modification is applied from the EMS:

EMS -> Endpoint Profiles -> Remote Access -> Select and Edit the profile -> XML -> Edit -> Apply Configuration -> Save.

Reference Document: XML Reference Guide 

2. SSL VPN virtual adapter not properly installed on the PC:

    

   

    

   • The virtual adapter shows disabled while there is no SSL VPN connection established.
   • After a connection is established, it will show enabled. 
   • If the adapter is not showing at all, when the user tries to connect to the VPN, the authentication process will complete but the connection will stop at 98%.
   • There are AD security policies that can block the upgrade or installation of the virtual adapter drivers. This can be confirmed by checking the registry:
     
     

   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions

    

   • If the restriction exists, it must be removed to allow the upgrade or installation of the FortiClient virtual adapter driver.

    

Related document: 

Prevent Device Installations - Client Management/MDM policies