Good morning,
We have an issue that showed up this week (Tuesday) with two users VPN'ing from home. They are getting a "The server you want to connect to requests identification, please choose a certificate and try again. [-5]" error. The interesting thing is that I don't require, nor have we set up, client certs for SSL VPN, and it's only 2 users out of about 15 right now that are getting the error. We are running a mix of FortiClient versions (6.0.9, 6.0.10 and some 7.2 versions) and don't have a support contract on the clients. Another interesting thing is that if we uninstall and remove it completely from their PCs (Windows 10 and 11 are the two OSes) and install a new version as a test, it gets the same error. Also...using a different Windows profile fails as well.
I found this article and followed the instructions and it's still not working: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-solve-The-server-you-want-to-connec...
I also found a few threads on Reddit that suggested an Adobe update could mess up the cert store but that seems to be a dead end. Again...we don't require client certificates for SSL VPN auth.
Note: No changes were made to the FortiGate, so I don't think that's it. Plus the other 10-13 users aren't having any issues.
I'd appreciate any suggestions or at the very least, find others having the issue too. Again...this just cropped up on Tuesday September 3rd.
-Mike
Hello
Please try to uninstall the FortiClient using the FCRemove tool and reinstall it again to test.
We've tried that.
-Mike
Please run the debug command on Firewall to collect log while testing connection
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
I'll run that on Monday when I can remote into the user's workstation to initiate a connection attempt.
-Mike
Hello @MontanaMike ,
Did you try to log in to their profile on the web portal?
As mentioned above, you can take debugs and check if it's hitting the FortiGate or not. If it's not hitting the FortiGate, can you please mention the firmware version of FortiOS and also the firmware version of the FortiClient that is currently working, and the FortiClient version that they are trying currently.
The web portal is shut off. I'll do the debugs on Monday and post back here. The FortiGate is running 7.4.4 (build 2662) and has been for 102 days. No changes there, and this just started this week. At the client level they are running 6.0.10; however, my helpdesk has removed and reinstalled it and has also tried newer versions with the same results.
-Mike
I apologize for the delay. We tested this AM and these are the results of the sslvpn -1 debug:
Note: domain names and IPs are masked with Xs.
[390:root:e3c]allocSSLConn:312 sconn 0x7f9b3f436800 (0:root)
[390:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[390:root:e3c]SSL state:fatal decode error (XXX.XXX.XXX.XXX)
[390:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[390:root:e3c]SSL_accept failed, 1:unexpected eof while reading
[390:root:e3c]Destroy sconn 0x7f9b3f436800, connSize=0. (root)
[391:root:e3c]allocSSLConn:312 sconn 0x7f9b3f50e800 (0:root)
[391:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[391:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[391:root:e3c]got SNI server name: vpn.xxxx.xxx realm (null)
[391:root:e3c]client cert requirement: no
[391:root:e3c]SSL state:fatal handshake failure (XXX.XXX.XXX.XXX)
[391:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[391:root:e3c]SSL_accept failed, 1:no shared cipher
[391:root:e3c]Destroy sconn 0x7f9b3f50e800, connSize=0. (root)
[392:root:e3c]allocSSLConn:312 sconn 0x7f9b3f436800 (0:root)
[392:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[392:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[392:root:e3c]got SNI server name: vpn.xxxx.xxx realm (null)
[392:root:e3c]client cert requirement: no
[392:root:e3c]SSL state:fatal handshake failure (XXX.XXX.XXX.XXX)
[392:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[392:root:e3c]SSL_accept failed, 1:no shared cipher
[392:root:e3c]Destroy sconn 0x7f9b3f436800, connSize=1. (root)
[393:root:e3c]allocSSLConn:312 sconn 0x7f9b3f50e000 (0:root)
[393:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[393:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[393:root:e3c]got SNI server name: vpn.xxxx.xxx realm (null)
[393:root:e3c]client cert requirement: no
[393:root:e3c]SSL state:fatal handshake failure (XXX.XXX.XXX.XXX)
[393:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[393:root:e3c]SSL_accept failed, 1:no shared cipher
[393:root:e3c]Destroy sconn 0x7f9b3f50e000, connSize=1. (root)
The fnbamd -1 debug has a lot of data in it that doesn't seem to pertain to just this connection. I'm attempting to parse it so it's just the pertinent info.
-Mike
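The sslvpn debug above is easier to read when it is grouped per connection (each alloc ... Destroy pair) and reduced to the SNI, the client-cert requirement and the reason SSL_accept failed. The parser below is an added example, not code from this thread or from Fortinet. It assumes the leading [pid:vdom:tid] prefix stays constant for all lines of one connection, and its sample input is constructed to mirror the masked lines quoted above.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the masked sslvpn debug lines quoted in the thread.
SAMPLE_DEBUG = """\
[390:root:e3c]allocSSLConn:312 sconn 0x7f9b3f436800 (0:root)
[390:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[390:root:e3c]SSL state:fatal decode error (XXX.XXX.XXX.XXX)
[390:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[390:root:e3c]SSL_accept failed, 1:unexpected eof while reading
[390:root:e3c]Destroy sconn 0x7f9b3f436800, connSize=0. (root)
[391:root:e3c]allocSSLConn:312 sconn 0x7f9b3f50e800 (0:root)
[391:root:e3c]SSL state:before SSL initialization (XXX.XXX.XXX.XXX)
[391:root:e3c]got SNI server name: vpn.xxxx.xxx realm (null)
[391:root:e3c]client cert requirement: no
[391:root:e3c]SSL state:fatal handshake failure (XXX.XXX.XXX.XXX)
[391:root:e3c]SSL state:error:(null)(XXX.XXX.XXX.XXX)
[391:root:e3c]SSL_accept failed, 1:no shared cipher
[391:root:e3c]Destroy sconn 0x7f9b3f50e800, connSize=0. (root)
"""

LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<tid>[^\]]+)\](?P<msg>.*)$")
ALLOC_RE = re.compile(r"^allocSSLConn:\d+ sconn (?P<sconn>0x[0-9a-fA-F]+)")
DESTROY_RE = re.compile(r"^Destroy sconn (?P<sconn>0x[0-9a-fA-F]+)")
SNI_RE = re.compile(r"^got SNI server name: (?P<sni>\S+)")
CLIENT_CERT_RE = re.compile(r"^client cert requirement: (?P<req>\S+)")
FATAL_RE = re.compile(r"^SSL state:fatal (?P<alert>.+?) \(")
FAIL_RE = re.compile(r"^SSL_accept failed, \d+:(?P<reason>.+)$")
PEER_RE = re.compile(r"\((?P<peer>[^()]+)\)$")

# Plain-language meaning of the OpenSSL-style reasons seen in the thread.
EXPLANATIONS = {
    "no shared cipher": "TLS handshake failed: no cipher suite in common between client "
                        "and gateway (compare TLS version and cipher settings on both sides)",
    "unexpected eof while reading": "peer closed the connection mid-handshake without a TLS alert",
}


def _new_record(pid, sconn):
    return {"pid": pid, "sconn": sconn, "peer": None, "sni": None,
            "client_cert_required": None, "fatal_alert": None,
            "failure": None, "closed": False}


def parse_sslvpn_debug(text):
    """Return one record per SSL connection, grouped by the [pid:vdom:tid] prefix (assumption)."""
    open_conns, records = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an sslvpn line (e.g. interleaved fnbamd output)
        pid, msg = m.group("pid"), m.group("msg")
        alloc = ALLOC_RE.match(msg)
        if alloc:
            rec = _new_record(pid, alloc.group("sconn"))
            open_conns[pid] = rec
            records.append(rec)
            continue
        rec = open_conns.get(pid)
        if rec is None:
            continue  # line belongs to a connection whose alloc was not captured
        if DESTROY_RE.match(msg):
            rec["closed"] = True
            del open_conns[pid]
            continue
        peer = PEER_RE.search(msg)
        if peer and msg.startswith("SSL state:"):
            rec["peer"] = peer.group("peer")
        if (s := SNI_RE.match(msg)):
            rec["sni"] = s.group("sni")
        elif (c := CLIENT_CERT_RE.match(msg)):
            rec["client_cert_required"] = c.group("req").lower() == "yes"
        elif (f := FATAL_RE.match(msg)):
            rec["fatal_alert"] = f.group("alert")
        elif (e := FAIL_RE.match(msg)):
            rec["failure"] = e.group("reason").strip()
    return records


def explain(rec):
    """Map a connection record to a one-line explanation of its outcome."""
    if rec["failure"] is None:
        return "no SSL_accept failure logged"
    return EXPLANATIONS.get(rec["failure"], "unclassified: " + rec["failure"])


def summarize(records):
    """Count failure reasons across all connections ('none' when no failure was logged)."""
    return Counter(rec["failure"] or "none" for rec in records)


if __name__ == "__main__":
    recs = parse_sslvpn_debug(SAMPLE_DEBUG)
    for r in recs:
        print(f"{r['sconn']} peer={r['peer']} sni={r['sni']} "
              f"client_cert_required={r['client_cert_required']} -> {explain(r)}")
    print(summarize(recs))
```

Feed it the full debug capture instead of SAMPLE_DEBUG; lines from other daemons are skipped by the prefix regex, so the mixed fnbamd/sslvpn output posted later in the thread can be passed through unchanged.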
I honestly can't read the debug for fnbamd, so here is the output with about 10 lines before the sslvpn debug and about 30 lines afterwards. Again, IPs and domain names are masked with Xs.
[201] fnbamd_cert_load_certs_from_req-2 cert(s) in req.
[839] __cert_init-req_id=2164857489406
[888] __cert_build_chain-req_id=2164857489406
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'DigiCert_Global_Root_G2')
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[1010] __cert_verify-req_id=2164857489406
[1011] __cert_verify-Chain is complete.
[536] fnbamd_cert_verify-Chain number:3
[550] fnbamd_cert_verify-Following cert chain depth 0
[550] fnbamd_cert_verify-Following cert chain depth 1
[625] fnbamd_cert_verify-Issuer found: DigiCert_Global_Root_G2 (SSL_DPI opt 1)
[550] fnbamd_cert_verify-Following cert chain depth 2
[687] fnbamd_cert_check_group_list-group list is empty, match any!
[198] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1051] __cert_verify_do_next-req_id=2164857489406
[99] __cert_chg_st- 'Validation' -> 'Done'
[1098] __cert_done-req_id=2164857489406
[1523] fnbamd_auth_session_done-Session done, id=2164857489406
[1144] __fnbamd_cert_auth_run-Exit, req_id=2164857489406
[1566] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=2164857489406
[1479] auth_cert_success-id=2164857489406
[1256] fnbamd_cert_auth_copy_cert_status-req_id=2164857489406
[1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1312] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
[1383] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=2164857489406
[239] fnbamd_comm_send_result-Sending result 0 (nid 673) for req 2164857489406, len=2592
[1354] destroy_auth_cert_session-id=2164857489406
[1228] fnbamd_cert_auth_uninit-req_id=2164857489406
[1830] fnbamd_ldaps_destroy-
[1263] fnbamd_rads_destroy-
[395:root:e3c]allocSSLConn:312 sconn 0x7f9b3e800800 (0:root)
[395:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[395:root:e3c]SSL state:fatal decode error (xxx.xxx.xxx)
[395:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[395:root:e3c]SSL_accept failed, 1:unexpected eof while reading
[395:root:e3c]Destroy sconn 0x7f9b3e800800, connSize=1. (root)
[396:root:e3c]allocSSLConn:312 sconn 0x7f9b3f454800 (0:root)
[396:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[396:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[396:root:e3c]got SNI server name: vpn.xxx.xxx realm (null)
[396:root:e3c]client cert requirement: no
[396:root:e3c]SSL state:fatal handshake failure (xxx.xxx.xxx)
[396:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[396:root:e3c]SSL_accept failed, 1:no shared cipher
[396:root:e3c]Destroy sconn 0x7f9b3f454800, connSize=1. (root)
[397:root:e3c]allocSSLConn:312 sconn 0x7f9b3e7cb800 (0:root)
[397:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[397:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[397:root:e3c]got SNI server name: vpn.xxx.xxx realm (null)
[397:root:e3c]client cert requirement: no
[397:root:e3c]SSL state:fatal handshake failure (xxx.xxx.xxx)
[397:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[397:root:e3c]SSL_accept failed, 1:no shared cipher
[397:root:e3c]Destroy sconn 0x7f9b3e7cb800, connSize=2. (root)
[398:root:e3c]allocSSLConn:312 sconn 0x7f9b3e832000 (0:root)
[398:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[398:root:e3c]SSL state:before SSL initialization (xxx.xxx.xxx)
[398:root:e3c]got SNI server name: vpn.xxx.xxx realm (null)
[398:root:e3c]client cert requirement: no
[398:root:e3c]SSL state:fatal handshake failure (xxx.xxx.xxx)
[398:root:e3c]SSL state:error:(null)(xxx.xxx.xxx)
[398:root:e3c]SSL_accept failed, 1:no shared cipher
[398:root:e3c]Destroy sconn 0x7f9b3e832000, connSize=0. (root)
[2369] handle_req-Rcvd auth_cert req id=2182037149330, len=3730, opt=0
[1161] __cert_auth_ctx_init-req_id=2182037149330, opt=0
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-2 cert(s) in req.
[839] __cert_init-req_id=2182037149330
[888] __cert_build_chain-req_id=2182037149330
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'ISRG_Root_X1')
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[1010] __cert_verify-req_id=2182037149330
[1011] __cert_verify-Chain is complete.
[536] fnbamd_cert_verify-Chain number:3
[550] fnbamd_cert_verify-Following cert chain depth 0
[550] fnbamd_cert_verify-Following cert chain depth 1
[625] fnbamd_cert_verify-Issuer found: ISRG_Root_X1 (SSL_DPI opt 1)
[550] fnbamd_cert_verify-Following cert chain depth 2
[687] fnbamd_cert_check_group_list-group list is empty, match any!
[198] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1051] __cert_verify_do_next-req_id=2182037149330
[99] __cert_chg_st- 'Validation' -> 'Done'
[1098] __cert_done-req_id=2182037149330
[1523] fnbamd_auth_session_done-Session done, id=2182037149330
[1144] __fnbamd_cert_auth_run-Exit, req_id=2182037149330
[1566] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=2182037149330
[1479] auth_cert_success-id=2182037149330
[1256] fnbamd_cert_auth_copy_cert_status-req_id=2182037149330
[1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1312] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
[1383] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=2182037149330
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 2182037149330, len=2592
[1354] destroy_auth_cert_session-id=2182037149330
[1228] fnbamd_cert_auth_uninit-req_id=2182037149330
[1830] fnbamd_ldaps_destroy-
[1263] fnbamd_rads_destroy-
[2369] handle_req-Rcvd auth_cert req id=2182037149331, len=6090, opt=0
[1161] __cert_auth_ctx_init-req_id=2182037149331, opt=0
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-4 cert(s) in req.
[839] __cert_init-req_id=2182037149331
[888] __cert_build_chain-req_id=2182037149331
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'Amazon_Root_CA_1')
[337] fnbamd_chain_build-Following depth 2
[351] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[1010] __cert_verify-req_id=2182037149331
[1011] __cert_verify-Chain is complete.
[536] fnbamd_cert_verify-Chain number:3
[550] fnbamd_cert_verify-Following cert chain depth 0
[550] fnbamd_cert_verify-Following cert chain depth 1
[625] fnbamd_cert_verify-Issuer found: Amazon_Root_CA_1 (SSL_DPI opt 1)
[550] fnbamd_cert_verify-Following cert chain depth 2
[687] fnbamd_cert_check_group_list-group list is empty, match any!
[198] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1051] __cert_verify_do_next-req_id=2182037149331
[99] __cert_chg_st- 'Validation' -> 'Done'
[1098] __cert_done-req_id=2182037149331
[1523] fnbamd_auth_session_done-Session done, id=2182037149331
[1144] __fnbamd_cert_auth_run-Exit, req_id=2182037149331
[1566] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=2182037149331
[1479] auth_cert_success-id=2182037149331
[1256] fnbamd_cert_auth_copy_cert_status-req_id=2182037149331
[1295] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1312] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
[1383] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=2182037149331
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 2182037149331, len=2592
[1354] destroy_auth_cert_session-id=2182037149331
[1228] fnbamd_cert_auth_uninit-req_id=2182037149331
[1830] fnbamd_ldaps_destroy-
[1263] fnbamd_rads_destroy-
[2369] handle_req-Rcvd auth_cert req id=2182037149332, len=6787, opt=0
[1161] __cert_auth_ctx_init-req_id=2182037149332, opt=0
[103] __cert_chg_st- 'Init'
[201] fnbamd_cert_load_certs_from_req-4 cert(s) in req.
[839] __cert_init-req_id=2182037149332
[888] __cert_build_chain-req_id=2182037149332
[319] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[337] fnbamd_chain_build-Following depth 0
[366] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[420] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[337] fnbamd_chain_build-Following depth 1
[372] fnbamd_chain_build-Extend chain by system trust store. (good: 'USERTrust_RSA_Certification_Authority')
-Mike
Hello @mike
Could you please verify if you have configured a local-in policy on the SSLVPN service? If so, is virtual patching enabled within that local-in policy?
Document Referred: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Client-Certificate-SSL-VPN-authentic...
Thanks,
Amandeep