FortiSASE
adhawan
Staff
Article Id 335360
Description This article describes how to resolve an issue where the user is unable to connect to SSL VPN (via a remote gateway IP) while FortiClient is integrated with FortiSASE through Zero Trust Telemetry.
Scope FortiSASE, FortiClient.
Solution

In this scenario, the user has a FortiClient integrated with FortiSASE through Zero Trust Telemetry.

The user is trying to connect to the SSL VPN tunnel on a remote FortiGate device. While the tunnel is being established, the SSL VPN connection gets stuck at 40%.

The user ran the following debug commands on the remote FortiGate device where they were trying to establish the tunnel:

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

The debug output shows the following:


[248:root:12]SSL state:fatal decode error (103.128.250.2xx)

[248:root:0]ap_read,105, error=1, errno=0 ssl 0x7f78760000 Success. error:0A000126:SSL routines::unexpected eof while reading
[248:root:12]sslvpn_read_request_common,863, ret=-1 error=-1, sconn=0x7f792e3800.
[248:root:12]Destroy sconn 0x7f792e3800, connSize=1. (root)
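
To triage a longer capture for the same signature, the added example below (not Fortinet code and not part of the original article) scans sslvpn debug output for a fatal TLS state, then an unexpected EOF, then the connection being destroyed. Grouping lines by worker PID and VDOM, and all function and field names, are assumptions made for this example; the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample: the debug lines quoted in this article plus one unrelated line.
SAMPLE = """\
[248:root:12]SSL state:fatal decode error (103.128.250.2xx)
[248:root:0]ap_read,105, error=1, errno=0 ssl 0x7f78760000 Success. error:0A000126:SSL routines::unexpected eof while reading
[248:root:12]sslvpn_read_request_common,863, ret=-1 error=-1, sconn=0x7f792e3800.
[248:root:12]Destroy sconn 0x7f792e3800, connSize=1. (root)
[249:root:13]SSL state:before SSL initialization (198.51.100.7)
"""

LINE = re.compile(r"^\[(\d+):([^:\]]+):(\w+)\](.*)$")    # [pid:vdom:index]message
FATAL = re.compile(r"SSL state:fatal (.+?) \(([^)]+)\)")  # alert text and peer address
EOF = "unexpected eof while reading"
DESTROY = re.compile(r"Destroy sconn (0x[0-9a-f]+)")

def find_aborted_handshakes(text):
    """Return one finding per connection that reached a fatal TLS state,
    then an unexpected EOF, then was destroyed. State is tracked per
    (pid, vdom), an assumption, because the index field varies per line."""
    pending, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not a debug record
        pid, vdom, _index, msg = m.groups()
        key = (pid, vdom)
        fatal = FATAL.search(msg)
        if fatal:
            pending[key] = {"pid": int(pid), "vdom": vdom, "alert": fatal.group(1),
                            "peer": fatal.group(2), "eof": False}
        elif key in pending and EOF in msg:
            pending[key]["eof"] = True
        elif key in pending and (d := DESTROY.search(msg)):
            state = pending.pop(key)
            if state.pop("eof"):  # report only when the EOF was seen in between
                findings.append({**state, "sconn": d.group(1)})
    return findings

if __name__ == "__main__":
    for f in find_aborted_handshakes(SAMPLE):
        print(f"peer {f['peer']}: fatal '{f['alert']}', then EOF; sconn {f['sconn']} destroyed")
```
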

Solution:


Make sure the following setting is enabled:

Go to Endpoints -> Profiles -> 'Select the profile assigned to endpoint' -> Profile configuration -> Connection. Under SSL_VPN settings, enable 'Accept invalid server certificate'.
