- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiClient VPN - Error 6005
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient VPN - Error 6005
Hello All,
We just updated our organization to FortiClient 7.2.4.0972 and seem to be having issues.
A little background about our setup:
We have a FortiGate 200F running FortiOS 7.0.13
We use Single Sign-On integrated with Azure
We have a valid SSL certificate that is assigned to the VPN and SSO configurations
We were previously running FortiClient 7.0.2.090 and SAML login was working fine
After installing FortiClient 7.2.4.0972 it seems that some computers are unable to connect to the VPN. If you click the Sign-in button the window to sign into azure pops up, the authentication works fine, and then the window closes. Immediately the VPN begins connecting, and then shows disconnecting. A notification pops up saying that the FortiClient connection is down. FortiClient shows an error 6005 and a warning about a certificate error.
I looked through all of the FortiClient logs on the computer in C:\ProgramFiles and Appdata, but don't see anything noteworthy that would indicate where the issue is.
This is happening for multiple computers, but not all computers. I know all of the configuration is working because several devices are able to connect without issue using SAML. Trying to find the common link between the computers that are not working.
I did a debug on the firewall and this was the results
[310:root:d696]allocSSLConn:307 sconn 0x7f7d8cd5b900 (0:root)
[310:root:d696]SSL state:before SSL initialization (REMOTE IP)
[310:root:d696]SSL state:before SSL initialization (REMOTE IP)
[310:root:d696]got SNI server name: DOMAIN NAME realm (null)
[310:root:d696]client cert requirement: no
[310:root:d696]SSL state:SSLv3/TLS read client hello (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server hello (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write certificate (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write key exchange (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server done (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server done:system lib(REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write server done (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS read client key exchange (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS read change cipher spec (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS read finished (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write session ticket (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write change cipher spec (REMOTE IP)
[310:root:d696]SSL state:SSLv3/TLS write finished (REMOTE IP)
[310:root:d696]SSL state:SSL negotiation finished successfully (REMOTE IP)
[310:root:d696]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[310:root:d696]req: /remote/saml/start
[310:root:d696]rmt_web_auth_info_parser_common:492 no session id in auth info
[310:root:d696]rmt_web_get_access_cache:841 invalid cache, ret=4103
[310:root:d696]sslvpn_auth_check_usrgroup:2978 forming user/group list from policy.
[310:root:d696]sslvpn_auth_check_usrgroup:3024 got user (0) group (2:0).
[310:root:d696]sslvpn_validate_user_group_list:1890 validating with SSL VPN authentication rules (2), realm ((null)).
[310:root:d696]sslvpn_validate_user_group_list:1975 checking rule 1 cipher.
[310:root:d696]sslvpn_validate_user_group_list:1983 checking rule 1 realm.
[310:root:d696]sslvpn_validate_user_group_list:1994 checking rule 1 source intf.
[310:root:d696]sslvpn_validate_user_group_list:2033 checking rule 1 vd source intf.
[310:root:d696]sslvpn_validate_user_group_list:2526 rule 1 done, got user (0:0) group (1:0) peer group (0).
[310:root:d696]sslvpn_validate_user_group_list:1975 checking rule 2 cipher.
[310:root:d696]sslvpn_validate_user_group_list:1983 checking rule 2 realm.
[310:root:d696]sslvpn_validate_user_group_list:1994 checking rule 2 source intf.
[310:root:d696]sslvpn_validate_user_group_list:2526 rule 2 done, got user (0:0) group (2:0) peer group (0).
[310:root:d696]sslvpn_validate_user_group_list:2534 got user (0:0) group (2:0) peer group (0).
[310:root:d696]sslvpn_validate_user_group_list:2876 got user (0:0), group (2:0) peer group (0).
[310:root:d696]sslvpn_update_user_group_list:1793 got user (0:0), group (2:0), peer group (0) after update.
[310:root:d696][fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure] in group [Azure VPN Users]
[310:root:d696]Timeout for connection 0x7f7d8cd5b900.
[310:root:d696]Destroy sconn 0x7f7d8cd5b900, connSize=4. (root)
[310:root:d696]SSL state:warning close notify (REMOTE IP)
[312:root:d696]allocSSLConn:307 sconn 0x7f7d8cd56500 (0:root)
[312:root:d696]SSL state:before SSL initialization (REMOTE IP)
[312:root:d696]SSL state:before SSL initialization:DH lib(REMOTE IP)
[312:root:d696]SSL_accept failed, 5:(null)
[312:root:d696]Destroy sconn 0x7f7d8cd56500, connSize=1. (root)
[306:root:d696]allocSSLConn:307 sconn 0x7f7d8c12be00 (0:root)
[306:root:d696]SSL state:before SSL initialization (REMOTE IP)
[306:root:d696]SSL state:before SSL initialization:DH lib(REMOTE IP)
[306:root:d696]SSL_accept failed, 5:(null)
[306:root:d696]Destroy sconn 0x7f7d8c12be00, connSize=5. (root)
[307:root:d697]allocSSLConn:307 sconn 0x7f7d8cd56500 (0:root)
[307:root:d697]SSL state:before SSL initialization (REMOTE IP)
[307:root:d697]SSL state:before SSL initialization:DH lib(REMOTE IP)
[307:root:d697]SSL_accept failed, 5:(null)
[307:root:d697]Destroy sconn 0x7f7d8cd56500, connSize=2. (root)
Labels:
- Labels:
-
FortiClient
- « Previous
- Next »
25 REPLIES 25
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Confirmed for me as well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I rolled back users with an issue from FortiClient 7.2.4 back to 7.2.2 or 7.2.3 and the VPN connection was successful.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I my case, the VPN stopped working from one day to another without any changes to configuration or software.
Some have mentioned Adobe certificates, which lead me to check the personal certificate store.
I had a weird CrossDevice certificate with a GUID in the name, and no provider information.
After I exported the certificate, I deleted it and now my Fortclient connects again.
Forticlient 7.0.10 with Azure SAML
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we had the same issue. Downgrading the Client to 7.2.3.0929 solved the issue
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will be fixed in FCT 7.2.5 and 7.4.0 GA
Here is the workaround:
| 1: Move CA Certificate to corresponding folders instead of Personal store i.e. "Certificates (Current User)\Trusted Root Certification Authorities" or "Intermediate Certification Authorities" -> Valid for Windows 10/11 - internal/external browser 2: Remove CA cert from "Certificates (Current User)\Personal\Certificates" if not needed. -> Valid for Windows 10, Windows 11. 3: If tunnel doesn't require certificate authentication, set a certificate filter to NOT match any certificate. <certificate> <common_name> <match_type>wildcard</match_type> <pattern>*</pattern> </common_name> <issuer> <match_type>simple</match_type> <pattern>NOTHING</pattern> </issuer> </certificate> -> Valid for Windows 10/11 - internal/external browser 4: set <certs_require_keyspec>=1 <vpn> ... <options> ... <certs_require_keyspec>1</certs_require_keyspec> </options> </vpn> <certs_require_keyspec> config description: If this element is set to 0, FortiClient includes all certificates that have a NULL key specification when prompting the user to select a certificate. If this element is set to 1, FortiClient only lists certificates that include AT_KEYEXCHANGE/AT_SIGNATURE/CERT_NCRYPT_KEY_SPEC when prompting the user to select a certificate. The state of the key spec is only accessible by querying the certificate for its private key. If the certificate is on a smartcard or if the private key is password-protected, Windows requests a PIN/password. This can result in unwanted PIN/password prompts when the FortiClient GUI is opened. For example, it can result in PIN/password prompts when just viewing the Remote Access tab in the FortiClient GUI, potentially one prompt for each certificate on the smartcard. -> Valid for Windows 10/11 - internal/external browser |
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having this same issue running 7.2.7 has the problem been fixed in 7.2.8? I didn't see any notes listed in 7.2.8 of the SSL VPN client certificate issue being resolved.
- « Previous
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Forticlient 7.4 stuck at connecting 246 Views
- Fortinetclient SSL VPN Unable to use... 385 Views
- The connection is failing on FortiClient... 251 Views
- Support for FortiClient VPN 7.4 for... 935 Views
- FortiClient always loses the connection a... 373 Views
Labels
-
FortiGate
7,163 -
FortiClient
1,414 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
373 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1063 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.