Hello All,
We just updated our organization to FortiClient 7.2.4.0972 and seem to be having issues.
A little background about our setup:
We have a FortiGate 200F running FortiOS 7.0.13
We use Single Sign-On integrated with Azure
We have a valid SSL certificate that is assigned to the VPN and SSO configurations
We were previously running FortiClient 7.0.2.090 and SAML login was working fine
After installing FortiClient 7.2.4.0972 it seems that some computers are unable to connect to the VPN. If you click the Sign-in button the window to sign into azure pops up, the authentication works fine, and then the window closes. Immediately the VPN begins connecting, and then shows disconnecting. A notification pops up saying that the FortiClient connection is down. FortiClient shows an error 6005 and a warning about a certificate error.
I looked through all of the FortiClient logs on the computer in C:\ProgramFiles and Appdata, but don't see anything noteworthy that would indicate where the issue is.
This is happening for multiple computers, but not all computers. I know all of the configuration is working because several devices are able to connect without issue using SAML. Trying to find the common link between the computers that are not working.
I did a debug on the firewall and this was the results
[310:root:d696]allocSSLConn:307 sconn 0x7f7d8cd5b900 (0:root)
[310:root:d696]SSL state:before SSL initialization (REMOTE IP)
[310:root:d696]SSL state:before SSL initialization (REMOTE IP)
[310:root:d696]got SNI server name: DOMAIN NAME realm (null)
[310:root:d696]client cert requirement: no
[310:root:d696]SSL state:SSLv3/TLS read client hello (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server hello (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write certificate (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write key exchange (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server done (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server done:system lib(REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server done (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS read client key exchange (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS read change cipher spec (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS read finished (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write session ticket (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write change cipher spec (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write finished (REMOTE IP)
[310:root:d696]SSL state:SSL negotiation finished successfully (REMOTE IP)
[310:root:d696]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[310:root:d696]req: /remote/saml/start
[310:root:d696]rmt_web_auth_info_parser_common:492 no session id in auth info
[310:root:d696]rmt_web_get_access_cache:841 invalid cache, ret=4103
[310:root:d696]sslvpn_auth_check_usrgroup:2978 forming user/group list from policy.
[310:root:d696]sslvpn_auth_check_usrgroup:3024 got user (0) group (2:0).
[310:root:d696]sslvpn_validate_user_group_list:1890 validating with SSL VPN authentication rules (2), realm ((null)).
[310:root:d696]sslvpn_validate_user_group_list:1975 checking rule 1 cipher.
[310:root:d696]sslvpn_validate_user_group_list:1983 checking rule 1 realm.
[310:root:d696]sslvpn_validate_user_group_list:1994 checking rule 1 source intf.
[310:root:d696]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[310:root:d696]sslvpn_validate_user_group_list:2526 rule 1 done, got user (0:0) group (1:0) peer group (0).
[310:root:d696]sslvpn_validate_user_group_list:1975 checking rule 2 cipher.
[310:root:d696]sslvpn_validate_user_group_list:1983 checking rule 2 realm.
[310:root:d696]sslvpn_validate_user_group_list:1994 checking rule 2 source intf.
[310:root:d696]sslvpn_validate_user_group_list:2526 rule 2 done, got user (0:0) group (2:0) peer group (0).
[310:root:d696]sslvpn_validate_user_group_list:2534 got user (0:0) group (2:0) peer group (0).
[310:root:d696]sslvpn_validate_user_group_list:2876 got user (0:0), group (2:0) peer group (0).
[310:root:d696]sslvpn_update_user_group_list:1793 got user (0:0), group (2:0), peer group (0) after update.
[310:root:d696][fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure] in group [Azure VPN Users]
[310:root:d696]Timeout for connection 0x7f7d8cd5b900.
[310:root:d696]Destroy sconn 0x7f7d8cd5b900, connSize=4. (root)
[310:root:d696]SSL state:warning close notify (REMOTE IP)
[312:root:d696]allocSSLConn:307 sconn 0x7f7d8cd56500 (0:root)
[312:root:d696]SSL state:before SSL initialization (REMOTE IP)
[312:root:d696]SSL state:before SSL initialization:DH lib(REMOTE IP)
[312:root:d696]SSL_accept failed, 5:(null)
[312:root:d696]Destroy sconn 0x7f7d8cd56500, connSize=1. (root)
[306:root:d696]allocSSLConn:307 sconn 0x7f7d8c12be00 (0:root)
[306:root:d696]SSL state:before SSL initialization (REMOTE IP)
[306:root:d696]SSL state:before SSL initialization:DH lib(REMOTE IP)
[306:root:d696]SSL_accept failed, 5:(null)
[306:root:d696]Destroy sconn 0x7f7d8c12be00, connSize=5. (root)
[307:root:d697]allocSSLConn:307 sconn 0x7f7d8cd56500 (0:root)
[307:root:d697]SSL state:before SSL initialization (REMOTE IP)
[307:root:d697]SSL state:before SSL initialization:DH lib(REMOTE IP)
[307:root:d697]SSL_accept failed, 5:(null)
[307:root:d697]Destroy sconn 0x7f7d8cd56500, connSize=2. (root)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Confirmed for me as well.
I rolled back users with an issue from FortiClient 7.2.4 back to 7.2.2 or 7.2.3 and the VPN connection was successful.
I my case, the VPN stopped working from one day to another without any changes to configuration or software.
Some have mentioned Adobe certificates, which lead me to check the personal certificate store.
I had a weird CrossDevice certificate with a GUID in the name, and no provider information.
After I exported the certificate, I deleted it and now my Fortclient connects again.
Forticlient 7.0.10 with Azure SAML
It will be fixed in FCT 7.2.5 and 7.4.0 GA
Here is the workaround:
1: Move CA Certificate to corresponding folders instead of Personal store i.e. "Certificates (Current User)\Trusted Root Certification Authorities" or "Intermediate Certification Authorities" -> Valid for Windows 10/11 - internal/external browser 2: Remove CA cert from "Certificates (Current User)\Personal\Certificates" if not needed. -> Valid for Windows 10, Windows 11. 3: If tunnel doesn't require certificate authentication, set a certificate filter to NOT match any certificate. <certificate> <common_name> <match_type>wildcard</match_type> <pattern>*</pattern> </common_name> <issuer> <match_type>simple</match_type> <pattern>NOTHING</pattern> </issuer> </certificate> -> Valid for Windows 10/11 - internal/external browser 4: set <certs_require_keyspec>=1 <vpn> ... <options> ... <certs_require_keyspec>1</certs_require_keyspec> </options> </vpn> <certs_require_keyspec> config description: If this element is set to 0, FortiClient includes all certificates that have a NULL key specification when prompting the user to select a certificate. If this element is set to 1, FortiClient only lists certificates that include AT_KEYEXCHANGE/AT_SIGNATURE/CERT_NCRYPT_KEY_SPEC when prompting the user to select a certificate. The state of the key spec is only accessible by querying the certificate for its private key. If the certificate is on a smartcard or if the private key is password-protected, Windows requests a PIN/password. This can result in unwanted PIN/password prompts when the FortiClient GUI is opened. For example, it can result in PIN/password prompts when just viewing the Remote Access tab in the FortiClient GUI, potentially one prompt for each certificate on the smartcard. -> Valid for Windows 10/11 - internal/external browser |
I am having this same issue running 7.2.7 has the problem been fixed in 7.2.8? I didn't see any notes listed in 7.2.8 of the SSL VPN client certificate issue being resolved.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.