Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dbugeja
New Contributor

FortiClient VPN (New issue)

I have another issue with forticlient VPN saying: credential or ssl vpn configuration is wrong (-7200). I reinstalled Forticlient VPN for someone and configured his VPN to his requirements. Afterwards I clicked SAML login and that was when the issue appeared. I checked internet options and only enabled TLS 1.2, I tried adding the remote gateway as a trusted site and clearing SSL State from internet options and inside the VPN configuration I enabled Single Sign On (SSO) for VPN Tunnel. I also tried to enable VPN before logon and do not warn Invalid Server Certificate. None of them fixed the issue I currently have, and the connection name and remote gateway of the configured VPN are correct. So, what else can I do to fix the problem?

3 REPLIES 3
mturic
Staff
Staff

Hi,

 

running the following debugs on the FGT should give some better understanding on where exactly is it failing.

 

diag debug reset

diag debug console timestamp enable

diag debug app samld -1

diag debug app sslvpn -1

diag debug enable

 

Does the SAML IdP window appear at all after clicking on the SSO login in FortiClient?
Not sure if you've seen it, but you can check these articles to verify if your SAML setup is correct:
https://community.fortinet.com/t5/FortiClient/Technical-Tip-SAML-for-SSL-VPN-Tunnel-mode-FortiClient...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-SSL-VPN-with-Azure-SAML-SSO-Authent...

https://docs.fortinet.com/document/forticlient/6.4.0/new-features/402514/saml-support-for-ssl-vpn

dbugeja
New Contributor

Regarding the SAML idp window, every time I click saml login a window pop us where I don't need to login with my credential for the connection to work and how do I run these debugs you mentioned in FortiClient VPN?

mturic

These debugs need to be enabled on the FortiGate CLI, you can connect to it over SSH by following this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-log-file-of-a-session-usin...

 

As for the pop-up, you would need to log in once in the IdP window with the necessary credentials, so that the FortiClient can authenticate you.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors