FortiGate
wcruvinel
Staff
Article Id 366166
Description

This article describes an issue where FortiClient users encounter the error 'Credential or SSLVPN configuration is wrong. (-7200)'. It occurs after upgrading FortiOS to v7.6.1 and only affects remote FortiClient users who rely on the auto-connect feature to connect to the VPN automatically with Microsoft Entra ID credentials.

Scope

FortiGate v7.6.1

Solution

After upgrading to v7.6.1, the auto-connect feature enabled for Entra ID users no longer works, and FortiClient reports the error 'Credential or SSLVPN configuration is wrong. (-7200)'.

The following entries are seen in the FortiGate debug output when the auto-connect attempt is made:


[281:root:6d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[281:root:6d]req: /remote/info
[281:root:6d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[281:root:6d]capability flags: 0x3cdf
[281:root:6d]req: /remote/saml/autoauth?type=azure
[281:root:6d]Content-Length n/a
[281:root:6d]Content-Length n/a
[282:root:6d]allocSSLConn:314 sconn 0x7f97856000 (0:root)
[282:root:6d]SSL state:before SSL initialization (10.10.10.10)
[282:root:6d]SSL state:fatal decode error (10.10.10.10)
[282:root:6d]SSL state:error:(null)(10.10.10.10)
[282:root:6d]SSL_accept failed, 1:unexpected eof while reading
[282:root:6d]Destroy sconn 0x7f97856000, connSize=0. (root)
[281:root:6d]SSL state:fatal decode error (10.10.10.10)
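Real debug captures are far longer than the excerpt above. As an added example (not part of the original article and not a Fortinet tool), the following Python script parses lines in that `[pid:vdom:session]message` format and flags the signature this article associates with the -7200 failure: a `/remote/saml/autoauth?type=azure` request together with an `SSL_accept failed ... unexpected eof while reading` entry. The sample input is the excerpt quoted above; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the sslvpn debug excerpt quoted in the article.
SAMPLE_DEBUG = """\
[281:root:6d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[281:root:6d]req: /remote/info
[281:root:6d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[281:root:6d]capability flags: 0x3cdf
[281:root:6d]req: /remote/saml/autoauth?type=azure
[281:root:6d]Content-Length n/a
[281:root:6d]Content-Length n/a
[282:root:6d]allocSSLConn:314 sconn 0x7f97856000 (0:root)
[282:root:6d]SSL state:before SSL initialization (10.10.10.10)
[282:root:6d]SSL state:fatal decode error (10.10.10.10)
[282:root:6d]SSL state:error:(null)(10.10.10.10)
[282:root:6d]SSL_accept failed, 1:unexpected eof while reading
[282:root:6d]Destroy sconn 0x7f97856000, connSize=0. (root)
[281:root:6d]SSL state:fatal decode error (10.10.10.10)
"""

# Each sslvpn debug line starts with "[<pid>:<vdom>:<session>]" followed by the message.
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<sess>[^\]]+)\](?P<msg>.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class SslvpnTriage:
    """Facts pulled out of a debug capture (names are this example's own)."""
    autoauth_requests: list = field(default_factory=list)  # (line_no, pid, path)
    ssl_accept_errors: list = field(default_factory=list)  # (line_no, pid, reason)
    user_agents: set = field(default_factory=set)
    peer_ips: set = field(default_factory=set)


def parse_sslvpn_debug(text):
    """Walk the capture line by line and collect the entries relevant to this issue."""
    triage = SslvpnTriage()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # output from other daemons, timestamps, or blank lines
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("req: "):
            path = msg[len("req: "):]
            if path.startswith("/remote/saml/autoauth"):
                triage.autoauth_requests.append((line_no, pid, path))
        elif msg.startswith("User Agent: "):
            triage.user_agents.add(msg[len("User Agent: "):])
        elif msg.startswith("SSL_accept failed"):
            # "SSL_accept failed, 1:unexpected eof while reading" -> keep the reason part
            reason = msg.split(",", 1)[1].strip() if "," in msg else msg
            triage.ssl_accept_errors.append((line_no, pid, reason))
        ip = IP_RE.search(msg)
        if ip:
            triage.peer_ips.add(ip.group(1))
    return triage


def matches_autoauth_failure(triage):
    """True when an Azure autoauth request is later followed by an SSL_accept failure
    with 'unexpected eof' - the pattern this article ties to the -7200 error on v7.6.1."""
    azure_lines = [n for n, _, path in triage.autoauth_requests if "type=azure" in path]
    eof_lines = [n for n, _, reason in triage.ssl_accept_errors if "unexpected eof" in reason]
    return bool(azure_lines) and any(e > min(azure_lines) for e in eof_lines)


if __name__ == "__main__":
    t = parse_sslvpn_debug(SAMPLE_DEBUG)
    print("autoauth requests:", t.autoauth_requests)
    print("SSL_accept errors:", t.ssl_accept_errors)
    print("peer IPs:", sorted(t.peer_ips))
    print("signature matched:", matches_autoauth_failure(t))
```

Feed it a capture from `diagnose debug application sslvpn -1` after reproducing the problem; a match is only an indicator for this article's issue, so still confirm the FortiOS version and the Azure Auto Login setting before applying the workarounds.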

This issue is scheduled to be fixed in FortiOS v7.6.3 (expected to be released in March 2025). Firmware release timelines are estimates and may be subject to change.


Workarounds:

  1. Disable Azure Auto Login in FortiClient EMS:

    • Open the EMS profile.

    • Navigate to the Azure Auto Login settings.

    • Uncheck 'Enable Azure Auto Login'.

  2. Switch to External Browser Authentication:

    • Update the FortiClient configuration to use the external browser for Entra ID SSO authentication instead of Auto Login. The user then signs in interactively once per session instead of the client connecting automatically.

General debug information required by FortiGate TAC for investigation:

  1. Set the log level to 'Debug' on FortiClient.
  2. Debugs on FortiGate:

diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable
<reproduce the issue>
diagnose debug reset

  3. TAC report:

execute tac report

  4. Configuration file of the FortiGate. The configuration backup contains password hashes, pre-shared keys and local certificates, so attach it to the support ticket rather than sending it by e-mail or chat.
  5. Export the FortiClient logs as outlined in the article: Technical Tip: How to enable debug log in FortiClient and export the logs