Fnilsen
New Contributor

Error connecting to SSL VPN with Forticlient

Sorry if this has been posted before, but I haven't found any solution in any existing posts.

 

I have just set up SSL-VPN on my FG100D with FortiOS 6.2.3 build 1066, but am having some issues when connecting with FortiClient 6.4.0.1464.

 

When getting to 80% it says: "unable to establish the vpn connection. the vpn server may be unreachable. (-14)"

 

I can login to the web portal page with the same user/pass, so that should be OK. I have also tested with another user.

Users are created locally on the FW and added to a group ("VPN_Local_Users").

 

Have also tested from multiple computers.

 

Any ideas?

 

See attached log file for more details: sslvpn-log.txt

 

Yogesh
New Contributor

Hi,

 

Is this issue on Windows OS? If so, did you check if TLS is enabled under Internet Options > Advanced Settings? 

 

Regards,

Yogesh

Fnilsen
New Contributor

Stupid error....

But if it helps someone else:

I forgot to enable Tunnel Mode...

 

SSL-VPN Portals - edit portal

-Disable Split Tunneling

-Enable Tunnel Mode

Source IP Pools: SSLVPN_TUNNEL-ADDR1

 

Now it works with my local test user.

 

Still getting exactly the same error when trying an LDAP user. (Have added the LDAP user group to the policy and mapped it to the portal etc.) Will start to investigate. Tips are appreciated :)

Fnilsen
New Contributor

Update:

Not being able to login with an AD user seems to be something with username/CNI context.

 

My test AD user:

Firstname: Test

Lastname: Testing

username: Testuser

In OU: Testusers

 

Scenario 1:

FG LDAP config:

Common Name Identifier: cn

Distinguished Name: OU=Testusers,DC=test,DC=local

 

Try to login to Forticlient / Webportal

User: Test Testing  --  Login OK!

User: Testuser  --  Not OK (server unreachable (-14) blabla) or "access denied"

 

Scenario 2:

FG LDAP config:

Common Name Identifier: sAMAccountName

Distinguished Name: OU=Testusers,DC=test,DC=local

 

Try to login to Forticlient / Webportal

User: Test Testing  --  Not OK (server unreachable (-14) blabla) or "access denied"

User: Testuser  --  Not OK (server unreachable (-14) blabla) or "access denied"

 

Any ideas???
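The two scenarios above come down to which LDAP attribute the gateway compares the typed username against: the "Common Name Identifier" names that attribute, and the "Distinguished Name" is the search base. The script below is an added example (not from this thread and not Fortinet code) that replays both scenarios against a constructed stand-in for the AD user described in the post, without contacting any LDAP server. With cnid=cn only "Test Testing" matches, as Scenario 1 shows; with cnid=sAMAccountName only "Testuser" matches, so the lookup itself is not what fails in Scenario 2 and the cause there lies in something the thread does not pin down. The RFC 4515 escaping of the username is included because a gateway or script that builds the filter from typed input should never let it alter the filter structure.

```python
"""Shows which LDAP attribute a FortiGate-style 'Common Name Identifier' (cnid)
setting matches the typed username against, using the AD user from the post.

Added example, not Fortinet or forum code. DIRECTORY is a constructed stand-in
for the directory; nothing here talks to a real LDAP server.
"""

# Constructed copy of the test user described above, as AD would hold it.
DIRECTORY = [
    {
        "dn": "CN=Test Testing,OU=Testusers,DC=test,DC=local",
        "cn": "Test Testing",
        "sAMAccountName": "Testuser",
        "givenName": "Test",
        "sn": "Testing",
    },
]

SEARCH_BASE = "OU=Testusers,DC=test,DC=local"  # the 'Distinguished Name' field in the post


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot change the filter's structure."""
    out = value.replace("\\", "\\5c")  # backslash first, or later escapes get re-escaped
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, code)
    return out


def build_filter(cnid: str, username: str) -> str:
    """The search filter the gateway sends: (<cnid>=<username>)."""
    return f"({cnid}={escape_filter_value(username)})"


def in_search_base(dn: str, base: str) -> bool:
    """True if dn is at or under base; case-insensitive and component-boundary aware."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def find_user(directory, base: str, cnid: str, username: str):
    """Return the DN the gateway would bind as, or None if no entry matches.

    AD compares these attributes case-insensitively, which is mirrored here.
    """
    for entry in directory:
        if not in_search_base(entry["dn"], base):
            continue
        if entry.get(cnid, "").lower() == username.lower():
            return entry["dn"]
    return None


def explain(cnid: str, username: str) -> str:
    """One-line verdict for a cnid/username pair, for reading through the two scenarios."""
    dn = find_user(DIRECTORY, SEARCH_BASE, cnid, username)
    verdict = f"matches {dn}" if dn else "no match, authentication fails before the password is checked"
    return f"cnid={cnid} filter={build_filter(cnid, username)} -> {verdict}"


if __name__ == "__main__":
    for cnid in ("cn", "sAMAccountName"):
        for user in ("Test Testing", "Testuser"):
            print(explain(cnid, user))
```

Running it prints one line per cnid/username combination; the search base check also shows why a user in a different OU than the configured Distinguished Name is never found, whatever the cnid.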

shehab
New Contributor III

Hello Friend,

If you are still having this issue, I have some hints for you; otherwise please share the solution if it was already resolved.

 

From the attached log, I can see you are using FortiClient on a Windows machine.

 

Just check from your Firewall the ssl-min and max allowed protocols by using the following commands:

 

config firewall ssl-server
show full-configuration | grep ssl-min-version
show full-configuration | grep ssl-max-version

 

Then, according to the output, modify the registry of the PC by going to the following path:

 

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

 

Make sure you have the key of the protocol you have found from the first step (at least one match).

 

If not, the client and the FortiGate do not have a common protocol to handshake with.

 

Also, if you want to add a new SSL protocol (avoiding weak ones) you can create a key and define a
DWORD value named Enabled with a value of 1, then restart the PC and try the VPN.

 

I hope this will help you.

 

Regards,

Shehab
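The check this reply describes is a range intersection: the versions between the gateway's min and max on one side, and the versions the client's SCHANNEL\Protocols keys explicitly enable on the other, with at least one version in both. The script below is an added example (not from this thread, not Fortinet or Microsoft code) that does that comparison on constructed data: GATEWAY_OUTPUT stands in for the two grep commands' output, CLIENT_REGISTRY stands in for the Protocols subtree, and the "tls1-x" value names are an assumed rendering of the FortiGate setting. It reads a dict rather than HKLM so it runs anywhere; on the actual client the same dict can be filled from the registry path quoted above. A protocol with no key at all is reported as "default" rather than guessed, since that is exactly the case the reply says to resolve by creating the key.

```python
"""Checks for at least one TLS version that both the FortiGate SSL-VPN range and
the Windows client's SCHANNEL settings allow, the test the reply above describes.

Added example, not Fortinet or Microsoft code. GATEWAY_OUTPUT and
CLIENT_REGISTRY are constructed; the 'tls1-x' value names are an assumed
rendering of the FortiGate setting, and the registry is read from a dict so the
script runs on any platform without touching HKLM.
"""
import re

# Oldest to newest. Left: assumed FortiGate value names. Right: SCHANNEL\Protocols key names.
VERSIONS = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
SCHANNEL_KEY = {"tls1-0": "TLS 1.0", "tls1-1": "TLS 1.1", "tls1-2": "TLS 1.2", "tls1-3": "TLS 1.3"}

# Constructed result of the two 'show full-configuration | grep' commands.
GATEWAY_OUTPUT = """\
    set ssl-min-proto-ver tls1-2
    set ssl-max-proto-ver tls1-3
"""

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
# Shape: protocol key -> {"Client": {"Enabled": DWORD}}. Absent keys mean no explicit setting.
CLIENT_REGISTRY = {
    "TLS 1.0": {"Client": {"Enabled": 0}},
    "TLS 1.1": {"Client": {"Enabled": 1}},
}


def parse_gateway_range(text: str):
    """Return (min, max) from 'set ssl-min-...ver X' / 'set ssl-max-...ver X' lines.

    A missing bound falls back to the widest range so the comparison still runs.
    """
    found = {}
    for m in re.finditer(r"set ssl-(min|max)-\S*ver\S*\s+(\S+)", text):
        found[m.group(1)] = m.group(2)
    lo = found.get("min", VERSIONS[0])
    hi = found.get("max", VERSIONS[-1])
    if lo not in VERSIONS or hi not in VERSIONS or VERSIONS.index(lo) > VERSIONS.index(hi):
        raise ValueError(f"unrecognised or inverted range: {lo}..{hi}")
    return lo, hi


def gateway_versions(lo: str, hi: str):
    """Every version the gateway will negotiate, inclusive."""
    return VERSIONS[VERSIONS.index(lo): VERSIONS.index(hi) + 1]


def client_state(registry: dict, version: str) -> str:
    """'enabled'/'disabled' from an explicit Client\\Enabled DWORD, 'default' if the key is absent."""
    client = registry.get(SCHANNEL_KEY[version], {}).get("Client", {})
    if "Enabled" not in client:
        return "default"
    return "enabled" if client["Enabled"] != 0 else "disabled"


def common_versions(gateway_text: str, registry: dict):
    """Gateway-accepted versions the client has explicitly enabled (the 'at least one match')."""
    lo, hi = parse_gateway_range(gateway_text)
    return [v for v in gateway_versions(lo, hi) if client_state(registry, v) == "enabled"]


def report(gateway_text: str, registry: dict) -> str:
    """Per-version comparison plus the verdict, as plain text."""
    lo, hi = parse_gateway_range(gateway_text)
    lines = [f"gateway range: {lo} .. {hi}"]
    for v in gateway_versions(lo, hi):
        lines.append(f"  {SCHANNEL_KEY[v]}: client {client_state(registry, v)}")
    if common_versions(gateway_text, registry):
        lines.append("verdict: common protocol present")
    else:
        lines.append("verdict: no explicitly enabled overlap; check or set Client\\Enabled=1 "
                     "for a version in the gateway range (prefer TLS 1.2 or newer)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(GATEWAY_OUTPUT, CLIENT_REGISTRY))
    # Same client after enabling TLS 1.2, which is the fix the reply suggests.
    fixed = dict(CLIENT_REGISTRY, **{"TLS 1.2": {"Client": {"Enabled": 1}}})
    print(report(GATEWAY_OUTPUT, fixed))
```

With the constructed data the first report finds no overlap (the client only explicitly enables TLS 1.1, which the gateway range excludes); the second, with TLS 1.2 enabled, reports a common protocol. The parser also accepts the "ssl-min-version"/"ssl-max-version" spelling used in the reply.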
