This article describes how to solve an issue when users are not able to connect to the SSL VPN using FortiClient. When trying to connect, it is stuck at 98%. 

• SSL VPN debugs on the FortiGate do not show any errors.
  
  
• FortiClient logs show the following errors:

user=test@fortinet msg="SSLVPN tunnel connection failed" vpnstate= vpntunnel=fortinet vpnuser=test remotegw=vpn.fortinet.com

2/23/2023 11:22:36 AM         info      sslvpn  FortiSslvpn: 13576: fortissl_connect: device=ftvnic

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: RasGetEntryPropertiesWin7(fortissl) failed. (r=623)

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: error: ssl_connect:-3

2/23/2023 11:22:36 AM         error    sslvpn  FortiSslvpn: 15344: tunnel_to_fgt error

2/23/2023 11:22:38 AM         error    sslvpn  FortiSslvpn: 14544: error: ras_loop(), waitResult=1.

This issue usually occurs due to IPv6 conflicts when the VPN remote gateway FQDN resolves to IPv4 and IPv6 or if the SSL VPN virtual adapter was not properly installed on the endpoint.

1. IPV6 conflicts when VPN remote gateway FQDN resolves to both IPv4 and IPv6:

There are 3 possible workarounds to resolve this issue: 

Disable IPv6 under the network adapter:  Control Panel -> Network and Internet -> Network and Sharing Center -> Select the Network Adapter -> Properties -> Uncheck Internet Protocol Version 6 (TCP/IPv6).

2. Create a registry key to prefer IPv4 over IPv6:

    

Press Windows Key + R: This key combination opens the Run dialog box. Type 'regedit'  in the Run dialog box and press Enter.

Navigate to the path as mentioned below:

Location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

'Right-click' on the Right Pane and select New -> DWORD (32-bit) Value as mentioned in the image below:

Fill in the details as shown below and select OK to save it

Key: DisabledComponents

Type: REG_DWORD

Value: 0x20

After creating the registry, the PC needs to be rebooted.

3. Enable the option 'Resolve to IPV4 only' in the XML configuration on the Remote Access profile. This option is available for FortiClient v7.2.5.

<resolve_to_ipv4_only>1</resolve_to_ipv4_only>

resolve_to_ipv4_only: If an FQDN is used for the VPN gateway that can be resolved to IPv4 and IPv6, but only IPv4 functions, FortiClient resolves the FQDN via the IPv4 address.

This modification is applied from the EMS under EMS -> Endpoint Profiles -> Remote Access -> Select and Edit the profile -> XML -> Edit -> Apply Configuration -> Save.

See the XML Reference Guide.

SSL VPN virtual adapter not properly installed on the PC:

• The virtual adapter shows disabled while there is no SSL VPN connection established.
• After a connection is established, it will show as enabled. 
• If the adapter is not showing at all: when the user tries to connect to the VPN, the authentication process will complete but the connection will stop at 98%.
• There are AD security policies that can block the upgrade or installation of the virtual adapter drivers. This can be confirmed by checking the registry:
  
  

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions

• If the restriction exists, it must be removed to allow the upgrade or installation of the FortiClient virtual adapter driver.

Restart the sslvpnd process using the fnsysctl command:

fnsysctl killall sslvpnd

Related documents:

Prevent Device Installations - Client Management/MDM policies 

Configure IPv6 for advanced users - Windows Server | Microsoft Learn