Support Forum
MontanaMike
Contributor

Forticlient VPN Won't Connect

Good morning,

We have an issue that showed up this week (Tuesday) with two users VPN'ing from home. They are getting a "The server you want to connect to requests identification, please choose a certificate and try again. [-5]" error. The interesting thing is that I don't require, nor have we set up, client certs for SSL VPN, and it's only 2 users out of about 15 right now that are getting the error. We are running a mix of FortiClient versions (6.0.9, 6.0.10 and some 7.2 versions) and don't have a support contract on the clients. Another interesting thing is that if we uninstall and remove it completely from their PCs (Windows 10 and 11 are the two OSes) and install a new version as a test, it gets the same error. Also, using a different Windows profile fails as well.


I found this article and followed the instructions, and it's still not working: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-solve-The-server-you-want-to-connec...

I also found a few threads on Reddit that suggested an Adobe update could mess up the cert store, but that seems to be a dead end. Again, we don't require client certificates for SSL VPN auth.

Note: No changes were made to the FortiGate, so I don't think that's it. Plus the other 10-13 users aren't having any issues.

I'd appreciate any suggestions or, at the very least, finding others having the issue too. Again, this just cropped up on Tuesday, September 3rd.

-Mike
16 REPLIES
Shashwati
Staff

Hello 

Please try to uninstall FortiClient using the FCRemove tool and reinstall it again to test:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-uninstall-a-managed-FortiClient-i...

MontanaMike
Contributor

We've tried that. 

-Mike
Shashwati

Please run the debug commands on the firewall to collect logs while testing the connection:

diagnose debug application sslvpn -1

diagnose debug application fnbamd -1
diagnose debug enable

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

MontanaMike

I'll run that on Monday when I can remote into the users workstation to initiate a connection attempt.

-Mike
HarshChavda
Staff

Hello @MontanaMike,

Did you try to log in with their profile on the web portal?

As mentioned above, you can take debugs and check if it's hitting the FortiGate or not. If it's not hitting the FortiGate, can you please mention the firmware version of FortiOS, the FortiClient version that is currently working, and the FortiClient version that they are currently trying?

MontanaMike

The web portal is shut off. I'll do the debugs on Monday and post back here. The FortiGate is running 7.4.4 (build 2662) and has been for 102 days. No changes there, and this just started this week. At the client level they are running 6.0.10; however, my helpdesk has removed and reinstalled it and has also tried newer versions with the same results.

-Mike
MontanaMike
Contributor

I apologize for the delay. We tested this AM and these are the results of the sslvpn -1 debug:

**Note: Domain names and IPs are masked with Xs.

[390:root:e3c]allocSSLConn:312 sconn 0x7f9b3f436800 (0:root)
[390:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[390:root:e3c]SSL state:fatal decode error (XXX.XXX.XXX.XXX)
[390:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[390:root:e3c]SSL_accept failed, 1:unexpected eof while reading
[390:root:e3c]Destroy sconn 0x7f9b3f436800, connSize=0. (root)
[391:root:e3c]allocSSLConn:312 sconn 0x7f9b3f50e800 (0:root)
[391:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[391:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[391:root:e3c]got SNI server name: vpn.xxxx.xxx realm (null)
[391:root:e3c]client cert requirement: no
[391:root:e3c]SSL state:fatal handshake failure (XXX.XXX.XXX.XXX)
[391:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[391:root:e3c]SSL_accept failed, 1:no shared cipher
[391:root:e3c]Destroy sconn 0x7f9b3f50e800, connSize=0. (root)
[392:root:e3c]allocSSLConn:312 sconn 0x7f9b3f436800 (0:root)
[392:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[392:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[392:root:e3c]got SNI server name: vpn.xxxx.xxx realm (null)
[392:root:e3c]client cert requirement: no
[392:root:e3c]SSL state:fatal handshake failure (XXX.XXX.XXX.XXX)
[392:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[392:root:e3c]SSL_accept failed, 1:no shared cipher
[392:root:e3c]Destroy sconn 0x7f9b3f436800, connSize=1. (root)
[393:root:e3c]allocSSLConn:312 sconn 0x7f9b3f50e000 (0:root)
[393:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[393:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[393:root:e3c]got SNI server name: vpn.xxxx.xxx realm (null)
[393:root:e3c]client cert requirement: no
[393:root:e3c]SSL state:fatal handshake failure (XXX.XXX.XXX.XXX)
[393:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[393:root:e3c]SSL_accept failed, 1:no shared cipher
[393:root:e3c]Destroy sconn 0x7f9b3f50e000, connSize=1. (root)

The fnbamd -1 debug has a lot of data in it that doesn't seem to pertain to just this connection. I'm attempting to parse it so it's just the pertinent info.

-Mike
MontanaMike
Contributor

I honestly can't read the debug for fnbamd, so here is the output with about 10 lines before the sslvpn debug and about 30 lines afterwards. Again, IPs and domain names are masked with Xs.

[201] fnbamd_cert_load_certs_from_req-2 cert(s) in req.
[839] __cert_init-req_id=2164857489406
[888] __cert_build_chain-req_id=2164857489406
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'DigiCert_Global_Root_G2')
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[1010] __cert_verify-req_id=2164857489406
[1011] __cert_verify-Chain is complete.
[536] fnbamd_cert_verify-Chain number:3
[550] fnbamd_cert_verify-Following cert chain depth 0
[550] fnbamd_cert_verify-Following cert chain depth 1
[625] fnbamd_cert_verify-Issuer found: DigiCert_Global_Root_G2 (SSL_DPI opt 1)
[550] fnbamd_cert_verify-Following cert chain depth 2
[687] fnbamd_cert_check_group_list-group list is empty, match any!
[198] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1051] __cert_verify_do_next-req_id=2164857489406
[99] __cert_chg_st- 'Validation' -> 'Done'
[1098] __cert_done-req_id=2164857489406
[1523] fnbamd_auth_session_done-Session done, id=2164857489406
[1144] __fnbamd_cert_auth_run-Exit, req_id=2164857489406
[1566] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=2164857489406
[1479] auth_cert_success-id=2164857489406
[1256] fnbamd_cert_auth_copy_cert_status-req_id=2164857489406
[1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1312] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
[1383] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=2164857489406
[239] fnbamd_comm_send_result-Sending result 0 (nid 673) for req 2164857489406, len=2592
[1354] destroy_auth_cert_session-id=2164857489406
[1228] fnbamd_cert_auth_uninit-req_id=2164857489406
[1830] fnbamd_ldaps_destroy-
[1263] fnbamd_rads_destroy-
[395:root:e3c]allocSSLConn:312 sconn 0x7f9b3e800800 (0:root)
[395:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[395:root:e3c]SSL state:fatal decode error (xxx.xxx.xxx)
[395:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[395:root:e3c]SSL_accept failed, 1:unexpected eof while reading
[395:root:e3c]Destroy sconn 0x7f9b3e800800, connSize=1. (root)
[396:root:e3c]allocSSLConn:312 sconn 0x7f9b3f454800 (0:root)
[396:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[396:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[396:root:e3c]got SNI server name: vpn.xxx.xxx realm (null)
[396:root:e3c]client cert requirement: no
[396:root:e3c]SSL state:fatal handshake failure (xxx.xxx.xxx)
[396:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[396:root:e3c]SSL_accept failed, 1:no shared cipher
[396:root:e3c]Destroy sconn 0x7f9b3f454800, connSize=1. (root)
[397:root:e3c]allocSSLConn:312 sconn 0x7f9b3e7cb800 (0:root)
[397:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[397:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[397:root:e3c]got SNI server name: vpn.xxx.xxx realm (null)
[397:root:e3c]client cert requirement: no
[397:root:e3c]SSL state:fatal handshake failure (xxx.xxx.xxx)
[397:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[397:root:e3c]SSL_accept failed, 1:no shared cipher
[397:root:e3c]Destroy sconn 0x7f9b3e7cb800, connSize=2. (root)
[398:root:e3c]allocSSLConn:312 sconn 0x7f9b3e832000 (0:root)
[398:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[398:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[398:root:e3c]got SNI server name: vpn.xxx.xxx realm (null)
[398:root:e3c]client cert requirement: no
[398:root:e3c]SSL state:fatal handshake failure (xxx.xxx.xxx)
[398:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[398:root:e3c]SSL_accept failed, 1:no shared cipher
[398:root:e3c]Destroy sconn 0x7f9b3e832000, connSize=0. (root)
[2369] handle_req-Rcvd auth_cert req id=2182037149330, len=3730, opt=0
[1161] __cert_auth_ctx_init-req_id=2182037149330, opt=0
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-2 cert(s) in req.
[839] __cert_init-req_id=2182037149330
[888] __cert_build_chain-req_id=2182037149330
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'ISRG_Root_X1')
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[1010] __cert_verify-req_id=2182037149330
[1011] __cert_verify-Chain is complete.
[536] fnbamd_cert_verify-Chain number:3
[550] fnbamd_cert_verify-Following cert chain depth 0
[550] fnbamd_cert_verify-Following cert chain depth 1
[625] fnbamd_cert_verify-Issuer found: ISRG_Root_X1 (SSL_DPI opt 1)
[550] fnbamd_cert_verify-Following cert chain depth 2
[687] fnbamd_cert_check_group_list-group list is empty, match any!
[198] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1051] __cert_verify_do_next-req_id=2182037149330
[99] __cert_chg_st- 'Validation' -> 'Done'
[1098] __cert_done-req_id=2182037149330
[1523] fnbamd_auth_session_done-Session done, id=2182037149330
[1144] __fnbamd_cert_auth_run-Exit, req_id=2182037149330
[1566] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=2182037149330
[1479] auth_cert_success-id=2182037149330
[1256] fnbamd_cert_auth_copy_cert_status-req_id=2182037149330
[1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1312] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
[1383] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=2182037149330
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 2182037149330, len=2592
[1354] destroy_auth_cert_session-id=2182037149330
[1228] fnbamd_cert_auth_uninit-req_id=2182037149330
[1830] fnbamd_ldaps_destroy-
[1263] fnbamd_rads_destroy-
[2369] handle_req-Rcvd auth_cert req id=2182037149331, len=6090, opt=0
[1161] __cert_auth_ctx_init-req_id=2182037149331, opt=0
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-4 cert(s) in req.
[839] __cert_init-req_id=2182037149331
[888] __cert_build_chain-req_id=2182037149331
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'Amazon_Root_CA_1')
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[1010] __cert_verify-req_id=2182037149331
[1011] __cert_verify-Chain is complete.
[536] fnbamd_cert_verify-Chain number:3
[550] fnbamd_cert_verify-Following cert chain depth 0
[550] fnbamd_cert_verify-Following cert chain depth 1
[625] fnbamd_cert_verify-Issuer found: Amazon_Root_CA_1 (SSL_DPI opt 1)
[550] fnbamd_cert_verify-Following cert chain depth 2
[687] fnbamd_cert_check_group_list-group list is empty, match any!
[198] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1051] __cert_verify_do_next-req_id=2182037149331
[99] __cert_chg_st- 'Validation' -> 'Done'
[1098] __cert_done-req_id=2182037149331
[1523] fnbamd_auth_session_done-Session done, id=2182037149331
[1144] __fnbamd_cert_auth_run-Exit, req_id=2182037149331
[1566] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=2182037149331
[1479] auth_cert_success-id=2182037149331
[1256] fnbamd_cert_auth_copy_cert_status-req_id=2182037149331
[1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1312] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
[1383] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=2182037149331
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 2182037149331, len=2592
[1354] destroy_auth_cert_session-id=2182037149331
[1228] fnbamd_cert_auth_uninit-req_id=2182037149331
[1830] fnbamd_ldaps_destroy-
[1263] fnbamd_rads_destroy-
[2369] handle_req-Rcvd auth_cert req id=2182037149332, len=6787, opt=0
[1161] __cert_auth_ctx_init-req_id=2182037149332, opt=0
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-4 cert(s) in req.
[839] __cert_init-req_id=2182037149332
[888] __cert_build_chain-req_id=2182037149332
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'USERTrust_RSA_Certification_Authority')

-Mike
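Reading the two pastes above together: every failing attempt logs "client cert requirement: no" and then "SSL_accept failed, 1:no shared cipher". A TLS server raises that error while processing the ClientHello, before it sends its own certificate or any CertificateRequest, so the FortiClient "[-5] ... choose a certificate" text is the client's rendering of a handshake that died at cipher-suite negotiation, not evidence that the gateway asked for a client certificate. The fnbamd auth_cert sessions in the paste (chains ending at public roots such as ISRG_Root_X1 and Amazon_Root_CA_1, result 0) carry their own request ids, and nothing in the paste links them to the failing sconn ids. The script below is an added example, not Fortinet code and not posted by anyone in this thread: it groups sslvpn debug lines by connection id, fnbamd lines by request id, and produces one finding per connection. SAMPLE_DEBUG is constructed from the line shapes shown above (fictitious address and hostname); the function and regex names are my own.

```python
"""Summarise FortiGate 'diagnose debug application sslvpn -1' and 'fnbamd -1'
output per SSL connection and per certificate request.
Added example, not Fortinet code: line shapes follow the output pasted in this
thread; SAMPLE_DEBUG is constructed (fictitious address and hostname)."""
import re
from collections import Counter, OrderedDict
from dataclasses import dataclass, field

SAMPLE_DEBUG = """\
[390:root:e3c]allocSSLConn:312 sconn 0x7f9b3f436800 (0:root)
[390:root:e3c]SSL state:fatal decode error (203.0.113.10)
[390:root:e3c]SSL_accept failed, 1:unexpected eof while reading
[391:root:e3c]allocSSLConn:312 sconn 0x7f9b3f50e800 (0:root)
[391:root:e3c]got SNI server name: vpn.example.test realm (null)
[391:root:e3c]client cert requirement: no
[391:root:e3c]SSL state:fatal handshake failure (203.0.113.10)
[391:root:e3c]SSL_accept failed, 1:no shared cipher
[391:root:e3c]Destroy sconn 0x7f9b3f50e800, connSize=0. (root)
[2369] handle_req-Rcvd auth_cert req id=2182037149330, len=3730, opt=0
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'ISRG_Root_X1')
[1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 2182037149330, len=2592
"""

# sslvpn line: "[<conn>:<vdom>:<thread>]<message>"; fnbamd line: "[<src line>] <func>-<message>"
SSLVPN_RE = re.compile(r"^\[(\d+):\w+:[0-9a-f]+\](.*)$")
FNBAMD_RE = re.compile(r"^\[\d+\]\s+(\S+?)-(.*)$")
REQ_RE = re.compile(r"\breq(?: id|_id)=(\d+)")
ROOT_RE = re.compile(r"\(good: '([^']+)'\)")
RESULT_RE = re.compile(r"Sending result (\d+) .*for req (\d+)")

@dataclass
class SslConn:
    conn_id: str
    sni: str = ""
    client_cert_required: str = ""
    failure: str = ""   # text after "SSL_accept failed,", e.g. "1:no shared cipher"

@dataclass
class CertReq:
    req_id: str
    roots: list = field(default_factory=list)   # trust-store roots the chain ended at
    result: str = ""                            # result code fnbamd sent back (0 = success)
    leaf_unchecked: bool = False

def parse(text):
    """Group sslvpn lines by connection id and fnbamd lines by request id."""
    conns, reqs, cur_req = OrderedDict(), OrderedDict(), None
    for line in text.splitlines():
        m = SSLVPN_RE.match(line.strip())
        if m:
            c = conns.setdefault(m.group(1), SslConn(m.group(1)))
            msg = m.group(2).strip()
            if msg.startswith("got SNI server name:"):
                c.sni = msg.split(":", 1)[1].split(" realm")[0].strip()
            elif msg.startswith("client cert requirement:"):
                c.client_cert_required = msg.split(":", 1)[1].strip()
            elif msg.startswith("SSL_accept failed,"):
                c.failure = msg.split(",", 1)[1].strip()
            continue
        m = FNBAMD_RE.match(line.strip())
        if not m:
            continue
        func, rest = m.groups()
        rm = REQ_RE.search(rest)   # handle_req, or any req_id= line if the paste starts mid-request
        if rm:
            cur_req = reqs.setdefault(rm.group(1), CertReq(rm.group(1)))
        if cur_req is None:
            continue
        root = ROOT_RE.search(rest) if func == "fnbamd_chain_build" else None
        if root:
            cur_req.roots.append(root.group(1))
        elif "Leaf cert status is unchecked" in rest:
            cur_req.leaf_unchecked = True
        elif func == "fnbamd_comm_send_result":
            sm = RESULT_RE.search(rest)
            if sm and sm.group(2) == cur_req.req_id:
                cur_req.result = sm.group(1)
    return conns, reqs

def diagnose(c):
    """One-line finding per connection, based only on what the sslvpn daemon logged."""
    if not c.failure:
        return "no SSL_accept result logged (still open, or log truncated)"
    if "no shared cipher" in c.failure:
        # Raised while processing the ClientHello, before the server sends its certificate or a CertificateRequest.
        return ("TLS cipher/protocol mismatch: ClientHello arrived (SNI %r) but offered no "
                "suite the listener accepts; rejected before any certificate exchange "
                "(client cert requirement: %s)" % (c.sni, c.client_cert_required or "?"))
    if "unexpected eof" in c.failure:
        return "peer closed the connection before finishing the ClientHello (probe or client-side abort)"
    return "handshake failed: " + c.failure

def failure_counts(conns):
    return dict(Counter(c.failure.split(":", 1)[-1] for c in conns.values() if c.failure))

def summarize(text):
    conns, reqs = parse(text)
    return {"connections": {cid: diagnose(c) for cid, c in conns.items()},
            "failures": failure_counts(conns),
            "cert_requests": {rid: (r.roots, r.result) for rid, r in reqs.items()}}

if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
```

Once the script confirms the mismatch, the comparison that matters is between the listener's accepted protocol versions and suites (in FortiOS, `config vpn ssl settings` with `ssl-min-proto-ver`, `ssl-max-proto-ver` and `algorithm`, and `config system global` with `strong-crypto` and `ssl-static-key-ciphers`) and what the two affected Windows hosts actually offer, which a `diagnose sniffer packet` capture of the ClientHello on the SSL VPN port will show. A host whose offered suites shrank after a local update fails exactly this way while the other users and the FortiGate are unchanged.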
samandeep
Staff

Hello @mike,

Could you please verify if you have configured a local-in policy on the SSLVPN service? If so, is virtual patching enabled within that local-in policy?

Document referred: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Client-Certificate-SSL-VPN-authentic...

Thanks,

Amandeep
