Description: This article describes how to troubleshoot an issue where users are not able to connect to an SSL VPN because the FortiGate may have banned all of the cipher suites supported by the SSL VPN client.
Scope: FortiGate.
Solution:
FortiGate has options to control the TLS versions and cipher suites used for SSL VPN. Whenever the supported TLS versions or cipher suites are changed, at least one TLS version and one cipher suite must still be shared between the SSL VPN client and the FortiGate, otherwise the handshake cannot complete. For example, the maximum TLS version is set as follows:
config vpn ssl settings
    set ssl-max-proto-ver tls1-3
end
An SSL VPN user trying to connect via FortiClient received error code -5029, and the SSL VPN debug on the FortiGate showed the following:
FGT# diag debug app sslvpn -1
[1956:root:19d]allocSSLConn:310 sconn 0x7f257e654800 (0:root)
If only certain devices are affected, start on the user side by identifying which TLS versions are enabled and which cipher suites the client offers. The KB article "Technical Tip: Checking the TLS cipher suites offered by Windows device" describes how to determine the cipher suites offered by a Windows device.
The cipher suites listed above are the ones offered by the SSL VPN client; only TLS v1.1 and TLS v1.2 are enabled in Internet Properties.
Running an Nmap scan against the FortiGate to see which cipher suites the SSL VPN supports shows the output below. The minimum TLS version supported is TLS v1.2 and the maximum is TLS v1.3.
Comparing the cipher suites offered by the SSL VPN client with those supported by the FortiGate, there is no cipher suite shared between client and server. In addition, TLS v1.3 is disabled on the client side, while TLS v1.1 is not supported by the FortiGate, so TLS v1.2 is the only version both sides can negotiate and it has no common cipher suite.
To solve this issue, either remove all of the banned cipher suites from the FortiGate SSL VPN settings, or re-enable them one by one until there is a match with the client.
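As an added example (not part of the original article), the comparison step above carried out in Python: it parses constructed Nmap ssl-enum-ciphers output for the FortiGate SSL VPN port, intersects it per TLS version with a constructed list of what the Windows client offers, and reports both the mismatch and the client suites the FortiGate currently rejects, which are the candidates to re-enable one by one. The Nmap output layout and the TLS 1.3 name translation are assumptions about Nmap's script, not something the article states.

```python
import re

# Constructed sample (not from the article): nmap --script ssl-enum-ciphers output.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
"""

# Constructed sample: versions and suites the Windows client offers
# (TLS 1.1 and 1.2 enabled, TLS 1.3 disabled, as in the scenario above).
CLIENT_OFFER = {
    "TLSv1.1": {"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"},
    "TLSv1.2": {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
}

def parse_nmap_ciphers(text):
    """Map each protocol version in ssl-enum-ciphers output to its cipher-suite names."""
    supported, version = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()
        header = re.match(r"(TLSv1\.\d|SSLv\d):$", body)
        if header:
            version = header.group(1)
            supported[version] = set()
        elif version and body.startswith("TLS_"):
            # Assumption: nmap names TLS 1.3 suites TLS_AKE_WITH_...; Windows lists them as TLS_...
            supported[version].add(body.split()[0].replace("TLS_AKE_WITH_", "TLS_"))
    return supported

def compare_offers(client, server):
    """Per version both sides speak: shared suites and client suites the server rejects."""
    return {v: {"shared": sorted(client[v] & server[v]),
                "client_only": sorted(client[v] - server[v])}
            for v in sorted(set(client) & set(server))}

def diagnose(client, server):
    """One-line verdict mirroring the troubleshooting steps in the article."""
    result = compare_offers(client, server)
    if not result:
        return "no TLS version in common"
    if not any(r["shared"] for r in result.values()):
        return "version match but no shared cipher suite: " + ", ".join(result)
    return "handshake possible"
```

The "client_only" list for the shared version is the set of suites to look for in the FortiGate's banned-cipher list first.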
Copyright 2024 Fortinet, Inc. All Rights Reserved.