Description
This article describes a problem that can occur when an Android device connects to the SSL VPN with two-factor authentication: the connection attempts fail before the two-factor code is requested.
Scope
FortiGate SSL VPN with Android clients.
Solution
In the FortiClient logs, the following error message appears: SSLCONNFAILED.
When checking the SSL VPN debug on the FortiGate, logs similar to the following example are displayed:
2022-11-10 15:45:05 [284:root:452c]SSL state:fatal internal error (x.x.x.x)
2022-11-10 15:45:05 [284:root:452c]SSL state:error:(null)(x.x.x.x)
2022-11-10 15:45:05 [284:root:452c]SSL_accept failed, 1:EVP lib
2022-11-10 15:45:05 [284:root:452c]Destroy sconn 0x7f77f21f00, connSize=12. (root)
As a workaround, two-factor authentication can be disabled.
Alternatively, disabling SSL VPN hardware acceleration should solve the issue:
config system global
    set sslvpn-kxp-hardware-acceleration disable
    set sslvpn-cipher-hardware-acceleration disable
end
Hardware acceleration for SSL VPN is removed from FOS 7.2 onwards, so this issue is not expected on version 7.2 and later.
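To check whether failures in a captured SSL VPN debug match the signature shown above, the lines can be grouped per connection and tested for both handshake messages. The script below is an added example, not Fortinet code; it assumes the bracketed prefix has the form process:VDOM:connection, and the second connection in its sample data is constructed.

```python
import re
from collections import defaultdict

# Line shape taken from the debug output in this article, e.g.
# 2022-11-10 15:45:05 [284:root:452c]SSL state:fatal internal error (x.x.x.x)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>[0-9a-fA-F]+)\](?P<msg>.*)$"
)
# Both messages must appear on the same connection to count as a match.
SIGNATURE = ("SSL state:fatal internal error", "SSL_accept failed, 1:EVP lib")


def find_evp_handshake_failures(lines):
    """Return one record per connection whose lines contain the full signature."""
    sessions = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:  # ignore anything that is not a debug line in the expected shape
            key = (m["pid"], m["vdom"], m["conn"])
            sessions[key].append((m["ts"], m["msg"]))

    hits = []
    for (pid, vdom, conn), events in sessions.items():
        msgs = [msg for _, msg in events]
        if all(any(msg.startswith(s) for msg in msgs) for s in SIGNATURE):
            hits.append({
                "vdom": vdom,
                "conn": conn,
                "first_seen": events[0][0],
                "destroyed": any(msg.startswith("Destroy sconn") for msg in msgs),
            })
    return hits


# Sample input: the four lines from this article plus a constructed, non-matching connection.
SAMPLE = """\
2022-11-10 15:45:05 [284:root:452c]SSL state:fatal internal error (x.x.x.x)
2022-11-10 15:45:05 [284:root:452c]SSL state:error:(null)(x.x.x.x)
2022-11-10 15:45:05 [284:root:452c]SSL_accept failed, 1:EVP lib
2022-11-10 15:45:05 [284:root:452c]Destroy sconn 0x7f77f21f00, connSize=12. (root)
2022-11-10 15:45:09 [284:root:452d]SSL state:fatal internal error (x.x.x.x)
2022-11-10 15:45:09 [284:root:452d]Destroy sconn 0x7f77f21f00, connSize=12. (root)
""".splitlines()

if __name__ == "__main__":
    for hit in find_evp_handshake_failures(SAMPLE):
        print(hit)
```

Connections that show only a generic handshake error without the "EVP lib" line are not reported, which helps separate this issue from other SSL VPN handshake failures before changing the acceleration settings.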
Related documents:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/490351/ssl-vpn-authentication