FortiGate
dwickramasinghe1
Article Id 384538
Description This article describes how to troubleshoot PKI authentication issues when FortiGate is acting as an SSL VPN client.
Scope FortiGate, SSLVPN
Solution

FortiGate can act as an SSL VPN client that connects to another FortiGate acting as the SSL VPN server.
Certificate-based authentication is part of the negotiation that brings the tunnel up.

During the initial negotiation, the FortiGate SSL VPN server presents its server certificate to the FortiGate SSL VPN client. The client must then match this certificate to a PKI (peer) user, and the match can only succeed if that PKI user references the CA certificate that issued the server certificate.

This article assumes that the initial configuration is complete but the tunnel fails to come up.

Technical Tip: FortiGate configuration as SSL VPN Hub (server) and Spoke (client) provides an overview on how this configuration can be completed.

To find out whether a PKI matching error is the cause, run the following debug commands on the FortiGate SSL VPN client and then attempt to bring the tunnel up, so that a fresh negotiation is captured:

diagnose debug app sslvpn -1
diagnose debug app fnbamd -1
diagnose debug en


If the output below appears, the PKI user on the FortiGate SSL VPN client is most likely misconfigured:

[1284] fnbamd_cert_auth_copy_cert_status-req_id=1
[899] fnbamd_cert_check_matched_groups-checking group with name '<pki user>'
[969] fnbamd_cert_check_matched_groups-not matched

To resolve this, make sure the PKI user on the FortiGate SSL VPN client references the CA that issued the SSL VPN server certificate:

Go to User & Authentication -> PKI and select the PKI user referenced in the SSL VPN client settings.

Set the 'CA' option to the CA certificate that signed the SSL VPN server certificate.

Note:

The CA certificate must be imported into the FortiGate Certificate Store first before selecting the correct CA.
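Before changing the 'CA' option, it is worth confirming which CA the server certificate actually chains to. The script below is an added example, not part of this article and not FortiOS code: it uses OpenSSL on a workstation to perform the same issuer check that fnbamd performs on the SSL VPN client, and reports the result with the same "matched" / "not matched" wording. To run offline it builds a throwaway lab PKI (constructed certificates; the CN values, file names and the ca_right / ca_wrong naming are assumptions for the demo). Against a real hub, export the server certificate from the hub instead, or capture it with openssl s_client -connect <hub>:<port> -showcerts, and pass that PEM to check_peer_ca together with the CA you intend to select on the PKI user.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): reproduce with OpenSSL the
# check the SSL VPN client makes when it matches the server certificate to
# a PKI (peer) user: does the certificate chain to the CA bound to that user?
# All certificates below are constructed lab material; names are assumptions.

# issuer_of CERT.pem
# Prints the issuer DN of a certificate. This is the CA that must be imported
# into the certificate store and selected in the PKI user's 'CA' field.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# check_peer_ca CA.pem SERVER.pem
# Prints "matched" (exit 0) when SERVER.pem verifies against CA.pem, otherwise
# "not matched" (exit 1): the same wording fnbamd uses in its debug output.
check_peer_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "matched"
        return 0
    fi
    echo "not matched"
    return 1
}

# make_test_pki DIR
# Constructed lab PKI: ca_right signs the hub's server certificate; ca_wrong is
# an unrelated CA standing in for a wrongly selected 'CA' on the PKI user.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    for name in right wrong; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$dir/ca_$name.key" -out "$dir/ca_$name.pem" \
            -subj "/CN=Lab SSLVPN CA $name" >/dev/null 2>&1
    done
    # Server (hub) certificate signed by ca_right only.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=sslvpn-hub.example.lab" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca_right.pem" -CAkey "$dir/ca_right.key" -CAcreateserial \
        -days 30 -out "$dir/server.pem" >/dev/null 2>&1
}

# Demo run: build the lab PKI and try both CAs against the server certificate.
lab=$(mktemp -d)
make_test_pki "$lab"
echo "server certificate issuer: $(issuer_of "$lab/server.pem")"
echo "PKI user CA = ca_right: $(check_peer_ca "$lab/ca_right.pem" "$lab/server.pem")"
echo "PKI user CA = ca_wrong: $(check_peer_ca "$lab/ca_wrong.pem" "$lab/server.pem")"
rm -rf "$lab"
```

If check_peer_ca reports "not matched" for the CA you have selected, the PKI user is bound to the wrong CA; the issuer printed by issuer_of names the CA that has to be imported and selected instead. A "matched" result here but a "not matched" in the fnbamd debug output points at the FortiGate side (wrong CA selected, or the CA not yet imported) rather than at the certificate itself.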

[Figure: SSLVPNClient.jpg]
After the correct CA certificate is configured, the debug output should show the PKI user matching:

[1292] fnbamd_cert_auth_copy_cert_status-Matched peer user '<pkiuser>'
[899] fnbamd_cert_check_matched_groups-checking group with name '<pkiuser>'
[961] fnbamd_cert_check_matched_groups-matched

Related article:
Technical Tip: FortiGate configuration as SSL VPN Hub (server) and Spoke (client)