FortiClient 7.4 - Stuck at connecting and MFA/FortiToken not prompting on reconnect
After we upgraded Win10/11 clients to the FortiClient 7.4 version, we experienced the forever connecting issues like others. Additionally, we found that after supplying the FortiToken on the first connection, the subsequent attempt did not prompt for a token/code. This was repeatable behavior on the 7.4 client and occurred after an immediate reconnect and rebooting before reconnecting.
We worked with support to troubleshoot and found that backing down to FortiClient 7.0.13 resolved the connectivity and token issues. We do not pay for client support, so our tech was unable to reach out to the client team on this MFA/token issue.
Has anyone else experienced this behavior in FortiClient 7.4?
Reinstalling the redistributable did not help with these issues either.
Hello,
If you are using SAML, there is a known issue related to FortiClient 7.4.
But the following debugs may help you further when reproducing the issue:
get system status
config vpn ssl settings
show full
get
end
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose vpn ssl debug-filter src-addr4 x.x.x.x <---------------Clients Public IP
diagnose debug enable
diagnose debug application samld -1
If there is no token prompt, you could enter password+token in the password field too.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
The problem is that we are connecting to VPN on subsequent attempts without being prompted for a token. This is using FortiTokens and not a third-party MFA.
Hello,
Can you please check the username? FortiGate is case sensitive by default.
Also, for testing, can you try to remove the token and re-assign the token for a user and test the login again?
We are aware of the case sensitivity and that is not the issue here. We did revoke and reissue, with this fixing the problem. However, after a few connections, we found the FortiClient 7.4 experiencing the same behavior with the new token.
Just to avoid misunderstandings: what I wrote can also be done in FortiClient. If it doesn't prompt for the token code, try to enter it behind the password in the password field. The FortiGate side will handle this.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
The issue is more that the FortiClient is making a successful connection without prompting for the FortiToken.
Hi @shamalpha,
In that case, you need to collect debugs and check your configuration to make sure MFA is actually enabled for that user.
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose vpn ssl debug-filter src-addr4 x.x.x.x <---------------Clients Public IP
diagnose debug enable
Regards,
We verified the debug logs with support on the call and examined the output. MFA was absolutely enabled both times. At the end of the call, our Fortinet support agent agreed that this seemed like a client issue with MFA not prompting and continuing to connect successfully. Unfortunately, without support on FortiClient, the tech was unable to reach out to the product development team.