lgupta
Staff
Article Id 241021

Description

This article describes the SSL VPN debug error "SSL_accept failed, 1:unsupported protocol".

Scope

All FortiOS.

Solution

SSL VPN configuration (using the defaults):

FortiGate-KVM # config vpn ssl settings
FortiGate-KVM (settings) # show full-configuration
config vpn ssl settings
    set status enable
    set reqclientcert disable
    set ssl-max-proto-ver tls1-3    <- Maximum TLS version supported.
    set ssl-min-proto-ver tls1-2    <- Minimum TLS version supported.

Run the debugs:

# diag debug application sslvpn -1
# diag debug enable

Debug output:

[547:root:d8]allocSSLConn:306 sconn 0x7fc89ded3f00 (0:root)
[547:root:d8]SSL state:before SSL initialization (24.114.84.137)
[547:root:d8]SSL state:before SSL initialization (24.114.84.137)
[547:root:d8]SSL state:fatal protocol version (24.114.84.137)
[547:root:d8]SSL state:error:(null)(24.114.84.137)
[547:root:d8]SSL_accept failed, 1:unsupported protocol <-
[547:root:d8]Destroy sconn 0x7fc89ded3f00, connSize=0. (root)

Reason for this error:

The client and the server do not share a common SSL/TLS protocol version (or cipher suite). The debug shows the handshake ending with a fatal 'protocol version' alert before any version is agreed, so SSL_accept fails.

Solution:

Option 1:

Reduce/match the protocol versions on the client host (Windows example below).

Step 1: Control Panel -> Internet Options -> Advanced tab -> Settings list.
Step 2: Scroll down to Security and look for the SSL/TLS version options.

(Screenshot: lgupta_0-1672083309359.png)

Step 3: As shown in the picture above, the client is using TLS 1.1, but the FortiGate supports TLS 1.2 as its minimum.
Step 4: Select 'Use TLS 1.2' on the client side to match the configuration on the FortiGate side.
Step 5: Apply and save. It should now be possible to connect successfully.

Option 2:

Change the minimum and maximum protocol versions supported on the FortiGate:

FGT_A # config vpn ssl settings
FGT_A (settings) # set ssl-min-proto-ver ?
tls1-0    TLS version 1.0.
tls1-1    TLS version 1.1.
tls1-2    TLS version 1.2.
tls1-3    TLS version 1.3.

FGT_A (settings) # set ssl-max-proto-ver ?
tls1-0    TLS version 1.0.
tls1-1    TLS version 1.1.
tls1-2    TLS version 1.2.
tls1-3    TLS version 1.3.

After making the required changes, the user should be able to connect.

Note: either option 1 or option 2 can be used; the protocol version must match on the FortiGate and on the client machine.
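The version-matching rule behind the failing debug and behind both options, worked through in code. This is an added example, not FortiOS code and not part of the article: it constructs a minimal TLS ClientHello, parses it the way a server does, and applies the RFC 8446 version-selection rule against a server range named with the article's ssl-min-proto-ver / ssl-max-proto-ver values (tls1-0 to tls1-3). The function names, the constructed random bytes and the two sample cipher suites are assumptions of the example, not FortiOS internals.

```python
"""
Model of server-side TLS version selection: why a client whose highest
offered version is below the SSL VPN's ssl-min-proto-ver is refused with
"unsupported protocol", and how raising the client (Option 1) or lowering
the server floor (Option 2) changes the outcome.

Added illustrative code, not FortiOS code. ClientHello bytes are constructed
by build_client_hello(); the CLI names are the ones shown in the article.
"""
import struct

# FortiOS ssl-min/max-proto-ver names mapped to TLS wire versions
# (RFC 5246 / RFC 8446 ProtocolVersion values).
WIRE = {"tls1-0": 0x0301, "tls1-1": 0x0302, "tls1-2": 0x0303, "tls1-3": 0x0304}
NAME = {v: k for k, v in WIRE.items()}
EXT_SUPPORTED_VERSIONS = 43     # RFC 8446 supported_versions extension type
HANDSHAKE_CLIENT_HELLO = 1


def build_client_hello(client_max, client_min="tls1-0"):
    """Construct a minimal ClientHello handshake message (no record layer).

    A TLS 1.3-capable client lists every version it accepts in the
    supported_versions extension; an older client signals only its best
    version in legacy_version, which never exceeds TLS 1.2."""
    hi, lo = WIRE[client_max], WIRE[client_min]
    body = struct.pack("!H", min(hi, WIRE["tls1-2"]))      # legacy_version
    body += b"\x11" * 32                                   # random (constructed)
    body += b"\x00"                                        # empty session_id
    body += struct.pack("!H", 4) + b"\xc0\x2f\x13\x01"     # two sample cipher suites
    body += b"\x01\x00"                                    # null compression only
    extensions = b""
    if hi >= WIRE["tls1-3"]:
        offered = [v for v in sorted(WIRE.values(), reverse=True) if lo <= v <= hi]
        ext = bytes([2 * len(offered)]) + b"".join(struct.pack("!H", v) for v in offered)
        extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext)) + ext
    body += struct.pack("!H", len(extensions)) + extensions
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (legacy_version, supported_versions list or None)."""
    if not msg or msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]     # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    supported = None
    if pos < len(body):                                   # extensions present
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack_from("!H", data, i)[0]
                             for i in range(1, 1 + data[0], 2)]
    return legacy, supported


def select_version(client_hello, server_min, server_max):
    """Server-side choice per RFC 8446 section 4.2.1: with supported_versions,
    take the highest version present in both lists; otherwise use
    legacy_version capped at the server maximum. None means no common
    version, which the SSL VPN debug logs as
    'SSL_accept failed, 1:unsupported protocol'."""
    lo, hi = WIRE[server_min], WIRE[server_max]
    legacy, supported = parse_client_hello(client_hello)
    if supported is not None:
        return next((v for v in sorted(supported, reverse=True) if lo <= v <= hi), None)
    chosen = min(legacy, hi)
    return chosen if chosen >= lo else None


def negotiate(client_max, server_min, server_max, client_min="tls1-0"):
    """Return the FortiOS name of the negotiated version, or None when the
    handshake would fail on protocol version."""
    chosen = select_version(build_client_hello(client_max, client_min), server_min, server_max)
    return NAME[chosen] if chosen is not None else None


if __name__ == "__main__":
    cases = [
        ("tls1-1", "tls1-2", "tls1-3"),   # the article's failing handshake
        ("tls1-2", "tls1-2", "tls1-3"),   # Option 1: client raised to TLS 1.2
        ("tls1-1", "tls1-1", "tls1-3"),   # Option 2: server floor lowered
        ("tls1-3", "tls1-2", "tls1-3"),   # modern client, default FortiGate range
    ]
    for cmax, smin, smax in cases:
        verdict = negotiate(cmax, smin, smax) or "SSL_accept failed, 1:unsupported protocol"
        print(f"client max {cmax} vs server {smin}..{smax}: {verdict}")
```

Running the block prints one line per case; the first reproduces the article's failure and the next two show each fix restoring a common version. On the Option 2 side of that table, lowering ssl-min-proto-ver to tls1-0 or tls1-1 admits those older protocols for every client that connects, not only the one that failed, so matching by raising the client (Option 1) is the fix to prefer whenever the client allows it.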