Joe-S
Staff
Article Id 394050
Description This article describes how to troubleshoot an issue where domain users are unable to connect to the SSL VPN on a FortiGate after an upgrade to v7.4.7.
Scope FortiGate.
Solution

After the upgrade, many domain users may be unable to connect to the SSL VPN. This is most likely caused by the hardening of TLS ciphers in newer firmware releases.

As a result, it may be necessary to adjust these settings, since user machines may rely on certificates that use hash algorithms no longer supported by the updated firmware.
Symptoms:

  • Users who do not belong to a domain can connect successfully.
  • Users who belong to a domain are unable to connect.

The SSL VPN settings on the affected unit, before the change described in the Solution section:
config vpn ssl settings

    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set banned-cipher SHA256 SHA384
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
    set algorithm high

end
While running the SSL VPN debug and simulating the issue, the following debug output can be observed, indicating 'no shared cipher':
FGT# diagnose debug app sslvpn -1
FGT# diagnose debug enable
2025-05-08 16:34:35 [14989:root:97]allocSSLConn:312 sconn 0x7f2cba654800 (0:root)
2025-05-08 16:34:35 [14989:root:97]SSL state:before SSL initialization (179.19.57.171)
2025-05-08 16:34:35 [14989:root:97]SSL state:before SSL initialization (179.19.57.171)
2025-05-08 16:34:35 [14989:root:97]got SNI server name: fcvpnclienttosite.financieracomultrasan.com.co realm (null)
2025-05-08 16:34:35 [14989:root:97]client cert requirement: no
2025-05-08 16:34:35 [14989:root:97]SSL state:fatal handshake failure (179.19.57.171)
2025-05-08 16:34:35 [14989:root:97]SSL state:error:(null)(179.19.57.171)
2025-05-08 16:34:35 [14989:root:97]SSL_accept failed, 1:no shared cipher
2025-05-08 16:34:35 [14989:root:97]Destroy sconn 0x7f2cba654800, connSize=2. (root)
2025-05-08 16:34:35 [2388] handle_req-Rcvd auth_cert req id=2194746486197, len=4238, opt=0
2025-05-08 16:34:35 [1161] __cert_auth_ctx_init-req_id=2194746486197, opt=0
2025-05-08 16:34:35 [103] __cert_chg_st- 'Init'
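When many users are affected, it helps to pull the failed attempts out of the debug output rather than reading it line by line. The following added example (not part of the article and not Fortinet code) parses lines in the format of the 'diagnose debug app sslvpn -1' output shown above and lists every connection attempt that ended with 'no shared cipher', together with the client IP and SNI it carried. The sample lines are constructed with placeholder addresses and names, and treating the [pid:vdom:seq] tag as the identifier of one connection attempt is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample in the line format of the 'diagnose debug app sslvpn -1' output
# shown in the article (not captured from a real device; IPs and names are placeholders).
SAMPLE_DEBUG = """\
2025-05-08 16:34:35 [14989:root:97]allocSSLConn:312 sconn 0x7f2cba654800 (0:root)
2025-05-08 16:34:35 [14989:root:97]SSL state:before SSL initialization (198.51.100.10)
2025-05-08 16:34:35 [14989:root:97]got SNI server name: vpn.example.test realm (null)
2025-05-08 16:34:35 [14989:root:97]client cert requirement: no
2025-05-08 16:34:35 [14989:root:97]SSL state:fatal handshake failure (198.51.100.10)
2025-05-08 16:34:35 [14989:root:97]SSL_accept failed, 1:no shared cipher
2025-05-08 16:34:35 [14989:root:97]Destroy sconn 0x7f2cba654800, connSize=2. (root)
2025-05-08 16:35:02 [14989:root:98]allocSSLConn:312 sconn 0x7f2cba655000 (0:root)
2025-05-08 16:35:02 [14989:root:98]SSL state:before SSL initialization (198.51.100.11)
2025-05-08 16:35:02 [14989:root:98]got SNI server name: vpn.example.test realm (null)
"""

# Assumption: the [pid:vdom:seq] tag identifies one connection attempt.
TAG_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<tag>[^\]]+)\](?P<msg>.*)$')
IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)\s*$')   # trailing "(client ip)"
SNI_RE = re.compile(r'got SNI server name: (\S+)')
FAIL_RE = re.compile(r'SSL_accept failed, \d+:(.*)$')

def parse_sslvpn_debug(text):
    """Group debug lines by tag and collect client IP, SNI and failure reason."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m['tag'], {'first_seen': m['ts'], 'client_ip': None,
                                        'sni': None, 'failure': None})
        msg = m['msg']
        ip = IP_RE.search(msg)
        if ip and c['client_ip'] is None:
            c['client_ip'] = ip.group(1)
        sni = SNI_RE.search(msg)
        if sni:
            c['sni'] = sni.group(1)
        fail = FAIL_RE.search(msg)
        if fail:
            c['failure'] = fail.group(1).strip()
    return conns

def cipher_mismatch_failures(text):
    """Return (tag, info) for attempts that died with 'no shared cipher'."""
    return [(tag, c) for tag, c in parse_sslvpn_debug(text).items()
            if c['failure'] == 'no shared cipher']
```

Calling cipher_mismatch_failures() on a saved debug capture returns one entry per failed attempt, so the client addresses can be matched against the domain machines and their certificates.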
Solution:

Many domain users may have certificates that use weak hash algorithms, such as SHA1 or MD5. In recent FortiGate versions, these algorithms are banned by default as part of enhanced security measures.

To resolve this issue, modify the banned-cipher setting under 'config vpn ssl settings' so that SHA1 is also banned:

config vpn ssl settings

    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set banned-cipher SHA1 SHA256 SHA384
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
    set algorithm high

end