This article describes how to solve an issue when users are not able to connect to the SSL VPN using FortiClient. When trying to connect, it is stuck at 98%. 

• SSL VPN debugs on the FortiGate do not show any errors.
• FortiClient logs show the following errors:

user=test@fortinet msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel=fortinet vpnuser=test remotegw=vpn.fortinet.com

2/23/2023 11:22:36 AM         info      sslvpn  FortiSslvpn: 13576: fortissl_connect: device=ftvnic

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: RasGetEntryPropertiesWin7(fortissl) failed. (r=623)

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: error: ssl_connect:-3

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: tunnel_to_fgt error

2/23/2023 11:22:38 AM         error    sslvpn  FortiSslvpn: 14544: error: ras_loop(), waitResult=1.

This issue usually occurs due to IPv6 conflicts when the VPN remote gateway FQDN resolves to IPv4 and IPv6, or if the SSL VPN virtual adapter was not properly installed on the endpoint.

1. IPV6 conflicts when the VPN remote gateway FQDN resolves to both IPv4 and IPv6:

There are 3 possible workarounds to resolve this issue: 

Disable IPv6 under the network adapter: Control Panel -> Network and Internet -> Network and Sharing Center -> Select the Network Adapter -> Properties -> Uncheck Internet Protocol Version 6 (TCP/IPv6).

2. Create a registry key to prefer IPv4 over IPv6:

Press Windows Key + R: This key combination opens the Run dialog box. Type 'regedit'  in the Run dialog box and press Enter.

Navigate to the path as mentioned below:

Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

'Right-click' on the Right Pane and select New -> DWORD (32-bit) Value as mentioned in the image below:

Fill in the details as shown below and select OK to save them:

Key: DisabledComponents

Type: REG_DWORD

Value: 0x20

After creating the registry, the PC needs to be rebooted.

3. Enable the option 'Resolve to IPV4 only' in the XML configuration on the Remote Access profile. This option is available for FortiClient v7.2.5.

<resolve_to_ipv4_only>1</resolve_to_ipv4_only>

resolve_to_ipv4_only: If an FQDN is used for the VPN gateway that can be resolved to IPv4 and IPv6, but only IPv4 functions, FortiClient resolves the FQDN via the IPv4 address.

This modification is applied from the EMS under EMS -> Endpoint Profiles -> Remote Access -> Select and Edit the profile -> XML -> Edit -> Apply Configuration -> Save.

See the XML Reference Guide.

SSL VPN virtual adapter not properly installed on the PC:

• The virtual adapter shows disabled while there is no SSL VPN connection established.
• After a connection is established, it will show as enabled. 
• If the adapter is not showing at all, when the user tries to connect to the VPN, the authentication process will complete, but the connection will stop at 98%.
• There are AD security policies that can block the upgrade or installation of the virtual adapter drivers. This can be confirmed by checking the registry:
  
  

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions

• If the restriction exists, it must be removed to allow the upgrade or installation of the FortiClient virtual adapter driver.

Restart the sslvpnd process using the fnsysctl command:

fnsysctl killall sslvpnd

Make sure there is no local proxy configured that might cause conflict:

• Go to Start -> search Internet Options -> Connections -> LAN Settings
• Uncheck 'Automatically detect settings' and 'Use a proxy server for LAN'.

• Select OK, Apply, and OK again to save the configuration.

Make sure that the 'Users' folder in C Drive is not hidden:

FortiClient drivers will require access to the User's folder. If the User's folder is somehow hidden, FortiClient drivers cannot locate it, which will cause VPN 98% issue.

• Go to C:\Users, check if the user's folder is showing up here.
• If not, select View -> Show -> Hidden items
• If the user's folder is showing up as a fading folder now, 'right-click' and select Properties.
• Make sure to untick 'Hidden', select Apply, and OK.

Check if there is a known problematic Windows Update KB installed on the PC (KB5013942, KB5018410, KB2693643):

• The above Windows Updates KB are known to cause issues with FortiClient.
• To check this, open the command prompt and run the command: wmic qfe list
• If there are KB5013942, KB5018410, and KB2693643 listed here, uninstall the KB following the Microsoft guide. 
• Sometimes it is also possible to uninstall KB via the Control Panel.

For other possible reasons for error, depending on its percentage, refer to this article:
Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific perce...

Related documents:

Prevent Device Installations - Client Management/MDM policies 

Configure IPv6 for advanced users - Windows Server | Microsoft Learn