Created on 05-28-2025 10:17 PM | Edited on 08-26-2025 11:48 PM | By Jean-Philippe_P
Description: This article describes how to troubleshoot an issue where domain users are unable to connect to the SSL VPN on the FortiGate after an upgrade to v7.4.7.
Scope: FortiGate.
Solution:
After the upgrade, many domain users may be unable to connect to the SSL VPN. This is most likely caused by the hardening of TLS ciphers in newer firmware releases.
As a result, it may be necessary to adjust these settings, since user machines may rely on certificates that use hash algorithms the updated firmware no longer accepts.
Symptoms:
config vpn ssl settings
    set ssl-max-proto-ver tls1-3
end
While running the SSL VPN debug and reproducing the issue, the following debug output can be observed, indicating 'no shared cipher':
FGT# diagnose debug app sslvpn -1
2025-05-08 16:34:35 [14989:root:97]allocSSLConn:312 sconn 0x7f2cba654800 (0:root)
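The mechanism behind a 'no shared cipher' handshake failure is that the server's allowed cipher suites and the client's offered suites no longer intersect. The following Python model is an added example, not code from the Fortinet article or from FortiOS: the suite lists are constructed, and the mapping from banned-cipher keywords to OpenSSL-style suite names is an assumption made for illustration. It shows how banning the SHA1 category on the server side removes every suite an older domain machine can offer, while a current client still negotiates.

```python
"""Constructed model of TLS cipher-suite negotiation under a server-side ban.

Added example, not from the Fortinet article. The suite lists are constructed,
and the mapping from banned-cipher keywords to OpenSSL-style suite names is an
assumption for illustration, not a reproduction of FortiOS internals.
"""

# Assumed mapping: banned-cipher keyword -> test over an OpenSSL-style suite
# name. A TLS 1.2-style name ending in "-SHA" denotes an HMAC-SHA1 suite.
_RULES = {
    "SHA1": lambda s: s.endswith("-SHA"),
    "SHA256": lambda s: s.endswith("-SHA256"),
    "SHA384": lambda s: s.endswith("-SHA384"),
    "3DES": lambda s: "DES-CBC3" in s,
    "AESGCM": lambda s: "AES" in s and "GCM" in s,
    "CHACHA20": lambda s: "CHACHA20" in s,
}

# Constructed server list, in preference order: TLS 1.3 first, then TLS 1.2 AEAD,
# then legacy CBC/HMAC-SHA1 suites that a hardened firmware would drop.
SERVER_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]

# Constructed client offers: an old domain machine limited to HMAC-SHA1 suites,
# and a current client with TLS 1.3 and AEAD support.
LEGACY_CLIENT = ["ECDHE-RSA-AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
MODERN_CLIENT = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
]


def is_tls13(suite):
    """IANA-style TLS 1.3 names start with 'TLS_'; they carry no legacy HMAC."""
    return suite.startswith("TLS_")


def banned_by(suite, banned):
    """Return the first banned keyword that matches the suite, or None."""
    if is_tls13(suite):
        return None  # modelled as unaffected by the legacy-category bans above
    for keyword in banned:
        if keyword not in _RULES:
            raise ValueError(f"unknown banned-cipher keyword: {keyword}")
        if _RULES[keyword](suite):
            return keyword
    return None


def allowed_suites(suites, banned):
    """Server suites that survive the ban, preserving preference order."""
    return [s for s in suites if banned_by(s, banned) is None]


def shared_ciphers(server_suites, client_suites):
    """Suites both sides accept, in server order; [] is the 'no shared cipher' case."""
    offered = set(client_suites)
    return [s for s in server_suites if s in offered]


def diagnose(client_suites, banned, server_suites=SERVER_SUITES):
    """Summarise one client against a server with the given banned-cipher list."""
    allowed = allowed_suites(server_suites, banned)
    shared = shared_ciphers(allowed, client_suites)
    dropped = [s for s in client_suites if banned_by(s, banned) is not None]
    return {
        "server_allowed": allowed,
        "shared": shared,
        "client_suites_hit_by_ban": dropped,
        "handshake_possible": bool(shared),
    }


if __name__ == "__main__":
    for name, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        result = diagnose(client, ["SHA1"])
        status = "ok" if result["handshake_possible"] else "no shared cipher"
        print(f"{name}: {status}; shared={result['shared']}")
```

Running the block prints the legacy client as 'no shared cipher' and the modern one as negotiating TLS_AES_256_GCM_SHA384, which is the split between domain users the article describes. Feeding `diagnose` the suites an affected client actually offers (for example from a packet capture of its ClientHello) and the categories in the FortiGate's banned-cipher setting tells you which ban is responsible before any setting is changed.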
Solution: Many domain users may have certificates that use weak hash algorithms, such as SHA1 or MD5. In recent FortiGate versions, these algorithms are banned by default as part of enhanced security measures.
To resolve this issue, modify the banned-cipher setting under the SSL VPN settings so that SHA1 is banned:
config vpn ssl settings
    set banned-cipher SHA1
end
Copyright 2025 Fortinet, Inc. All Rights Reserved.