FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sjoshi
Staff
Staff
Article Id 211965

Description

 

This article describes common causes of errors where the SSL VPN stops negotiating at specific percentages and offers solutions.

 

Scope

 

FortiOS.

 

Solution

 

The cause may vary depending on the percentage the negotiation stops at:

 

1) 10%

- The issue is usually due to network connection.
- Check whether the PC is able to access the internet and reach VPN server on necessary port.
- Check whether the correct remote Gateway and port are configured in FortiClient settings.
- Confirm whether the server certificate has been selected in FortiGate SSL VPN settings. 

 

2) 31%

- Negotiation stops at this percentage with error -5029. If this message appears, there is a mismatch in the TLS version. Check if the TLS version that’s in use by the FortiGate is enabled on your client. This KB article explains how to check the TLS version.

 

3) 40%

- This may occur when FortiClient generates a new pop-up window verifying whether the user wishes to proceed with a non-trusted TLS/SSL certificate.
- It may mean that there is a TLS version mismatch, which will also show as error -5029. If this message appears, there is a mismatch in the TLS version. Check if the TLS version that’s in use by the FortiGate is enabled on the client. This KB article explains how to check the TLS version.
- An application or the FortiGate may cause this error. Check the local machine and network setup.

 

4) 48%

- Negotiation stops at this percentage if there is an issue with two-factor authentication.

If negotiation stops at this percentage giving an error 'Credential or ssl vpn configuration is wrong (-7200)' recheck the credentials.

 

5) 80%

- Negotiation stops at this stage due to issues with user privileges.

- If negotiation stops at this stage, check whether the username and password were entered correctly.
- Check the user and user group. This issue often occurs if the user is not in the correct user group that has VPN access.
- If a user has a configured user group in the SSL VPN settings, always configure the user group in the firewall policy.
- This issue may occur if a corresponding policy for the users has not been configured.
- Additionally, check whether the correct Realm is being used if any are configured.

 

6) 98%

- Issues at this stage usually occurs due to a corrupted installation of FortiClient or due to OS problems.
- Reinstall the FortiClient software on the system.

- This may also occur when attempting to negotiate SSL VPN with the free version of FortiClient.

 

7) 14%
- The -14 error of around 80% could be because of a user/group mismatch between the SSL VPN authentication rules and the Firewall policy for SSL VPN.
- It is possible to have user and group configured but it must be exactly the same in SSL VPN authentication rules and Firewall policy.