FortiGate
MigenaM (Staff)
Article Id 296945
Description
This article describes how to handle cases where client certificate SSL VPN authentication fails with the error 'Unable to establish the VPN connection. The VPN server may be unreachable, or your identity certificate is not trusted. (-5)'.
Scope
FortiGate, SSL VPN, Client Certificate Authentication, Virtual Patching.
Solution

There are several scenarios in which SSL VPN authentication via FortiClient can fail. The case below covers the scenario in which the connection stops at 48% with the error message 'Unable to establish the VPN connection. The VPN server may be unreachable, or your identity certificate is not trusted. (-5)'.

In this case, the user authenticates with a client certificate rather than with the default SSL VPN certificate.

Running the SSL VPN debug commands for this connection produces output like the following:

TLS handshake #1 stopped by FortiClient, no certificate sent:

2024-01-29 15:37:22 [298:root:d2e1]allocSSLConn:310 sconn 0x7f6d7e19d800 (0:root)

2024-01-29 15:37:22 [298:root:d2e1]SSL state:before SSL initialization (test user's IP)

2024-01-29 15:37:22 [298:root:d2e1]SSL state:fatal decode error (test user's IP)

2024-01-29 15:37:22 [298:root:d2e1]SSL state:error:(null)(test user's IP)

2024-01-29 15:37:22 [298:root:d2e1]SSL_accept failed, 1:unexpected eof while reading

2024-01-29 15:37:22 [298:root:d2e1]Destroy sconn 0x7f6d7e19d800, connSize=1. (root)

(ends with a TLS Alert message: Level: Fatal (2), Description: Decode Error (50))

TLS handshake #2 stopped by FortiGate after the client certificate is sent:

2024-01-29 15:37:23 [299:root:d2e2]allocSSLConn:310 sconn 0x7f6d7f254800 (0:root)

2024-01-29 15:37:23 [299:root:d2e2]SSL state:before SSL initialization (test user's IP)

2024-01-29 15:37:23 [299:root:d2e2]SSL state:before SSL initialization (test user's IP)

2024-01-29 15:37:23 [299:root:d2e2]got SNI server name: remoteaccess.domain.com realm (null)

2024-01-29 15:37:23 [299:root:d2e2]client cert requirement: yes

2024-01-29 15:37:23 [299:root:d2e2]SSL state:SSLv3/TLS read client hello (test user's IP)

2024-01-29 15:37:23 [299:root:d2e2]SSL state:SSLv3/TLS write server hello (test user's IP)

....

2024-01-29 15:37:23 [299:root:d2e2]SSL state:SSLv3/TLS write server done:(null)(test user's IP)

2024-01-29 15:37:23 [299:root:d2e2]SSL state:fatal decode error (test user's IP)

2024-01-29 15:37:23 [299:root:d2e2]SSL state:error:(null)(test user's IP)

2024-01-29 15:37:23 [299:root:d2e2]SSL_accept failed, 1:unexpected eof while reading

2024-01-29 15:37:23 [299:root:d2e2]Destroy sconn 0x7f6d7f254800, connSize=0. (root)

(ends with a TLS Alert message: Level: Fatal (2), Description: Decrypt Error (51))

TLS handshake #3 passes, but the client sends the Certificate message with an empty certificate:

2024-01-29 15:37:23 [300:root:d2e7]allocSSLConn:310 sconn 0x7f6d7e19d000 (0:root)

2024-01-29 15:37:23 [300:root:d2e7]SSL state:before SSL initialization (test user's IP)

2024-01-29 15:37:23 [300:root:d2e7]SSL state:before SSL initialization (test user's IP)

2024-01-29 15:37:23 [300:root:d2e7]got SNI server name: remoteaccess.domain.com realm (null)

2024-01-29 15:37:23 [300:root:d2e7]client cert requirement: yes

2024-01-29 15:37:23 [300:root:d2e7]SSL state:SSLv3/TLS read client hello (test user's IP)

2024-01-29 15:37:23 [300:root:d2e7]SSL state:SSLv3/TLS write server hello (test user's IP)

2024-01-29 15:37:23 [300:root:d2e7]SSL state:SSLv3/TLS write certificate (test user's IP)

....

2024-01-29 15:37:23 [300:root:d2e7]SSL state:SSLv3/TLS read client key exchange (test user's IP)

2024-01-29 15:37:23 [300:root:d2e7]SSL state:fatal decrypt error (test user's IP)

2024-01-29 15:37:23 [300:root:d2e7]SSL state:error:(null)(test user's IP)

2024-01-29 15:37:23 [300:root:d2e7]SSL_accept failed, 1:bad signature

2024-01-29 15:37:23 [300:root:d2e7]Destroy sconn 0x7f6d7e19d000, connSize=0. (root)

2024-01-29 15:37:23 [301:root:d2e7]allocSSLConn:310 sconn 0x7f6d7e180000 (0:root)

2024-01-29 15:37:23 [301:root:d2e7]SSL state:before SSL initialization (test user's IP)

2024-01-29 15:37:23 [301:root:d2e7]SSL state:before SSL initialization (test user's IP)

2024-01-29 15:37:23 [301:root:d2e7]got SNI server name: remoteaccess.domain.com realm (null)

2024-01-29 15:37:23 [301:root:d2e7]client cert requirement: yes

2024-01-29 15:37:23 [301:root:d2e7]SSL state:SSLv3/TLS read client hello (test user's IP)

2024-01-29 15:37:23 [301:root:d2e7]SSL state:SSLv3/TLS write server hello (test user's IP)

....

2024-01-29 15:37:23 [301:root:d2e7]SSL state:SSLv3/TLS write finished (test user's IP)

2024-01-29 15:37:23 [301:root:d2e7]SSL state:SSL negotiation finished successfully (test user's IP)

2024-01-29 15:37:23 [301:root:d2e7]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

2024-01-29 15:37:23 [301:root:d2e7]No client certificate
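The three handshakes above can be told apart mechanically from the sslvpn debug output. The following Python script is an added example, not part of the original article or of FortiOS: it groups debug lines by connection number, labels each connection's outcome (client closed during the handshake, bad signature on the client's CertificateVerify, or a completed handshake with no client certificate), and reports when all three appear together with 'client cert requirement: yes', which is the signature this article attributes to virtual patching. The sample input is constructed from the article's own lines (intermediate 'SSL state:' progress lines dropped); the healthy counterpart and its connection ID are invented for contrast.

```python
import re

# Constructed sample: the decisive lines from the article's three handshakes,
# keeping its connection IDs and messages and dropping the intermediate
# "SSL state:" progress lines the classifier does not need.
SAMPLE_DEBUG = """\
2024-01-29 15:37:22 [298:root:d2e1]allocSSLConn:310 sconn 0x7f6d7e19d800 (0:root)
2024-01-29 15:37:22 [298:root:d2e1]SSL state:fatal decode error (test user's IP)
2024-01-29 15:37:22 [298:root:d2e1]SSL_accept failed, 1:unexpected eof while reading
2024-01-29 15:37:23 [299:root:d2e2]allocSSLConn:310 sconn 0x7f6d7f254800 (0:root)
2024-01-29 15:37:23 [299:root:d2e2]client cert requirement: yes
2024-01-29 15:37:23 [299:root:d2e2]SSL state:fatal decode error (test user's IP)
2024-01-29 15:37:23 [299:root:d2e2]SSL_accept failed, 1:unexpected eof while reading
2024-01-29 15:37:23 [300:root:d2e7]allocSSLConn:310 sconn 0x7f6d7e19d000 (0:root)
2024-01-29 15:37:23 [300:root:d2e7]client cert requirement: yes
2024-01-29 15:37:23 [300:root:d2e7]SSL state:fatal decrypt error (test user's IP)
2024-01-29 15:37:23 [300:root:d2e7]SSL_accept failed, 1:bad signature
2024-01-29 15:37:23 [301:root:d2e7]allocSSLConn:310 sconn 0x7f6d7e180000 (0:root)
2024-01-29 15:37:23 [301:root:d2e7]client cert requirement: yes
2024-01-29 15:37:23 [301:root:d2e7]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-01-29 15:37:23 [301:root:d2e7]No client certificate
"""

# Constructed healthy counterpart (invented connection ID): certificate
# required, handshake completes, and no "No client certificate" line follows.
HEALTHY_DEBUG = """\
2024-01-29 16:02:10 [310:root:e101]allocSSLConn:310 sconn 0x7f6d7e1a0000 (0:root)
2024-01-29 16:02:10 [310:root:e101]client cert requirement: yes
2024-01-29 16:02:10 [310:root:e101]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
"""

# [<conn>:<vdom>:<session>] is the bracketed prefix on every sslvpn debug line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<conn>\d+):(?P<vdom>\w+):(?P<sid>[0-9a-f]+)\](?P<msg>.*)$"
)


def parse_sslvpn_debug(text):
    """Group the messages of each TLS connection by the leading connection number."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            conns.setdefault(m.group("conn"), []).append(m.group("msg").strip())
    return conns


def classify_connection(msgs):
    """Label one connection's handshake outcome from the messages it logged."""
    established = any(m.startswith("SSL established") for m in msgs)
    failure = next((m for m in msgs if m.startswith("SSL_accept failed")), "")
    if established and "No client certificate" in msgs:
        return "established_without_client_cert"   # handshake #3 in the article
    if "bad signature" in failure:
        return "bad_signature"                     # CertificateVerify rejected
    if "unexpected eof" in failure:
        return "client_closed_during_handshake"    # client aborted, sent nothing
    return "established" if established else "unknown"


def classify(text):
    return {conn: classify_connection(msgs) for conn, msgs in parse_sslvpn_debug(text).items()}


def matches_article_pattern(text):
    """True when the debug output shows the article's signature: a client
    certificate is required, at least one handshake aborts (EOF or bad
    signature), and a later handshake completes with no client certificate."""
    conns = parse_sslvpn_debug(text)
    cert_required = any(
        m.startswith("client cert requirement: yes") for msgs in conns.values() for m in msgs
    )
    verdicts = set(classify_connection(msgs) for msgs in conns.values())
    aborted = bool(verdicts & {"bad_signature", "client_closed_during_handshake"})
    return cert_required and aborted and "established_without_client_cert" in verdicts


if __name__ == "__main__":
    for conn, verdict in classify(SAMPLE_DEBUG).items():
        print(f"connection {conn}: {verdict}")
    if matches_article_pattern(SAMPLE_DEBUG):
        print("Pattern matches the article: check local-in-policy for 'set virtual-patch enable'.")
```

Feed the script the captured debug output instead of SAMPLE_DEBUG to run it against a real case; the verdict keys on the 'SSL_accept failed' reason and on the 'No client certificate' line, so the 'SSL state:' progress lines can be present or absent.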

The issue in this case is triggered when virtual patching is enabled under a local-in policy on SoC-based devices:

config firewall local-in-policy
    edit 1
        set virtual-patch enable
    next
end

To mitigate the issue, disable the virtual-patch option under the local-in policy configured on the firewall.
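Before changing the configuration it helps to identify exactly which local-in policies combine virtual patching with the SSL VPN port, since only those overlap with certificate authentication. The following Python script is an added example, not part of the article or of FortiOS: it parses a FortiOS configuration dump, reads the SSL VPN listen port from 'config vpn ssl settings', lists the local-in policies that have 'set virtual-patch enable' and a service covering that port, and renders the 'set virtual-patch disable' change the article prescribes for each. The configuration text is constructed; 'set virtual-patch enable' is taken from the article, while the 'intf', 'service' and 'port' fields and the service-to-port mapping are assumptions for the overlap check.

```python
# Constructed FortiOS configuration dump. "set virtual-patch enable" under
# "config firewall local-in-policy" is the setting the article describes; the
# "set intf" / "set service" fields and "set port" under "config vpn ssl
# settings" are assumed here to illustrate the port-overlap check.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set port 443
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
        set virtual-patch enable
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSH"
        set schedule "always"
        set action accept
        set virtual-patch enable
    next
    edit 3
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set virtual-patch disable
    next
end
"""

# Assumed mapping of service objects to TCP ports; None means "any port".
SERVICE_PORTS = {"HTTPS": {443}, "SSH": {22}, "ALL": None}


def parse_fortios_config(text):
    """Parse a flat FortiOS config dump into {table: {entry_id: {key: value}}}.
    Settings outside any 'edit' block are stored under the entry id ''."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
            entry = tables[table].setdefault("", {})
        elif line.startswith("edit ") and table is not None:
            entry = tables[table].setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.replace('"', "")
        elif line == "next" and table is not None:
            entry = tables[table][""]
        elif line == "end":
            table = entry = None
    return tables


def sslvpn_port(tables):
    """SSL VPN listen port; FortiOS defaults to 443 when 'set port' is absent."""
    return int(tables.get("vpn ssl settings", {}).get("", {}).get("port", "443"))


def policies_virtual_patching_sslvpn(tables):
    """IDs of local-in policies with virtual patching enabled whose service
    covers the SSL VPN port, i.e. the overlap the article names as root cause."""
    port = sslvpn_port(tables)
    hits = []
    for pid, fields in tables.get("firewall local-in-policy", {}).items():
        if not pid or fields.get("virtual-patch") != "enable":
            continue
        for svc in fields.get("service", "").split():
            ports = SERVICE_PORTS.get(svc)
            if svc in SERVICE_PORTS and (ports is None or port in ports):
                hits.append(pid)
                break
    return hits


def remediation_cli(policy_id):
    """The CLI change the article prescribes, rendered for one policy entry."""
    return "\n".join([
        "config firewall local-in-policy",
        f"    edit {policy_id}",
        "        set virtual-patch disable",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for pid in policies_virtual_patching_sslvpn(cfg):
        print(f"local-in-policy {pid} virtual-patches the SSL VPN port {sslvpn_port(cfg)}:")
        print(remediation_cli(pid))
```

Policy 2 is left alone even though virtual patching is enabled there, because its service does not cover the SSL VPN port; the parser is deliberately flat and does not handle nested 'config' sub-tables inside an 'edit' block.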

For more information on the virtual-patching option, see the documentation:

Note:
This article also applies to cases where the SSL VPN connection fails at 40%, drops back to 0%, and then gets stuck at 40% again. In some cases, FortiClient shows no error message at all. The root cause is 'set virtual-patch enable' on a local-in policy that overlaps with the SSL VPN port while certificate authentication is in use.