FortiGate
dbhavsar
Staff
Article Id 354597
Description: This article describes how to resolve a scenario where FortiClient displays the error 'Credentials or SSLVPN configuration is wrong. (-7200)' even though the configuration is correct.
Scope: FortiGate.
Solution

Firstly, verify the configuration and make sure the gateway is reachable and that any FQDN being used resolves to the correct IP address.

FortiClient may show an error like the one in the following screenshot:

[Screenshot: sslvpn-error.jpg]

Run the following debug commands on FortiGate:

diagnose debug reset
diagnose vpn ssl debug-filter src-addr4 <user-public-ip>
diagnose debug application fnbamd 1
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable

Error observed in the debug output:

[2564:root:3b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[2564:root:3b]rmt_web_auth_info_parser_common:533 no session id in auth info
[2564:root:3b]rmt_web_access_check:804 access failed, uri=[/remote/logincheck],ret=4103,
[2564:root:3b]fsv_logincheck_common_handler:1356 sslvpn is in conserve mode or the ssl. interface is down.
[2564:root:3b]sslConnGotoNextState:318 error (last state: 1, closeOp: 0)
[2564:root:3b]Destroy sconn 0x7fc8ed441800, connSize=0. (root)
[2564:root:3b]SSL state:warning close notify (192.168.30.2)

Next, verify that the device is not in conserve mode using the following command:

diagnose hardware sysinfo conserve

If the device is not in conserve mode, the next item to check is the ssl.root interface. Check its status and set it to up using the following commands:

config system interface
edit ssl.root
show full | grep status
set status up
next
end


Once the changes have been made, the user should be able to connect.
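
When the debug capture is long, the triage above can be scripted. The following is an added example, not part of the original article or Fortinet tooling: it groups sslvpn debug lines per connection and flags failed /remote/logincheck attempts that carry the conserve mode / interface down message. It assumes the bracketed prefix is [pid:vdom:connection] and that the SSL VPN interface is named ssl.<vdom>; the second connection (3c) in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the article's debug lines plus a second connection (3c),
# made up here, whose login fails without the conserve/interface message.
SAMPLE = """\
[2564:root:3b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[2564:root:3b]rmt_web_auth_info_parser_common:533 no session id in auth info
[2564:root:3b]rmt_web_access_check:804 access failed, uri=[/remote/logincheck],ret=4103,
[2564:root:3b]fsv_logincheck_common_handler:1356 sslvpn is in conserve mode or the ssl. interface is down.
[2564:root:3b]sslConnGotoNextState:318 error (last state: 1, closeOp: 0)
[2564:root:3b]SSL state:warning close notify (192.168.30.2)
[2564:root:3c]rmt_web_access_check:804 access failed, uri=[/remote/logincheck],ret=4103,
[2564:root:3c]SSL state:warning close notify (192.168.30.7)
"""

TAG = re.compile(r"\[(\d+):([^:\]]+):([0-9a-fA-F]+)\](.*)")  # assumed [pid:vdom:conn]
ACCESS = re.compile(r"access failed, uri=\[([^\]]*)\],ret=(\d+)")
PEER = re.compile(r"SSL state:.*\((\d{1,3}(?:\.\d{1,3}){3})\)")
MARKER = "sslvpn is in conserve mode or the ssl. interface is down"

def triage(text):
    """Group debug lines per connection; report failed /remote/logincheck attempts."""
    conns = defaultdict(lambda: {"uri": None, "ret": None, "peer": None, "marker": False})
    for line in text.splitlines():
        m = TAG.search(line)  # search, not match: a console timestamp may precede the tag
        if not m:
            continue
        _pid, vdom, conn, msg = m.groups()
        c = conns[(vdom, conn)]
        if a := ACCESS.search(msg):
            c["uri"], c["ret"] = a.group(1), int(a.group(2))
        if p := PEER.search(msg):
            c["peer"] = p.group(1)
        c["marker"] = c["marker"] or MARKER in msg
    findings = []
    for (vdom, conn), c in conns.items():
        if c["uri"] != "/remote/logincheck":
            continue  # only failed login checks are of interest here
        # Marker present: the article's two checks apply (interface name is assumed
        # to be ssl.<vdom>). Marker absent: look for another cause.
        checks = ["diagnose hardware sysinfo conserve", f"ssl.{vdom} status"]
        findings.append({"conn": conn, "peer": c["peer"], "ret": c["ret"],
                         "check": checks if c["marker"] else []})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with an empty "check" list failed the login check for some other reason, so the conserve mode and ssl.root steps are not the place to start for that connection.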
