Good morning,
We have an issue that showed up this week (Tuesday) with two users VPN'ing from home. They are getting a "The server want to connect to requests identification, please choose a certificate and try again. [-5]" error. Interesting thing is that I don't require nor have we set up client certs for SSL VPN and it's only 2 users out of about 15 right now that are getting the error. We are running a mix of FortiClient versions (6.0.9, 6.0.10 and some 7.2 versions) and don't have a support contract on the clients. Another interesting thing is if we uninstall and remove it completely from their PCs (Windows 10 and 11 are the two OSes) and install a new version as a test, it gets the same error. Also...using a different Windows profile fails as well.
I found this article and followed the instructions and it's still not working: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-solve-The-server-you-want-to-connec...
I also found a few threads on Reddit that suggested an Adobe update could mess up the cert store but that seems to be a dead end. Again...we don't require client certificates for SSL VPN auth.
Note: No changes were made to the FortiGate so I don't think that's it. Plus the other 10-13 users aren't having any issues.
I'd appreciate any suggestions or at the very least, find others having the issue too. Again...this just cropped up on Tuesday September 3rd.
-Mike
As my OP stated, VPN has been working normally (for years) and all other users, except the two affected, are not having any issues.
-Mike
FYI, no virtual patching is enabled. Actually...no settings are.
FW_1 (local-in-policy) # show full-configuration
config firewall local-in-policy
end
FW_1 (local-in-policy) #
-Mike
To make this even odder, we had the 2 remote staff bring their machines in so we could uninstall in safe mode.
One we did and then reinstalled and the issue persisted. On a whim, my Helpdesk guy removed the PC from the AD domain and tested VPN and it worked normally. Then he added it back to the AD domain and it continued to work.
The second one all he did was remove the PC from the AD domain and tested the VPN client as is and it worked normally. Then added the PC back to the domain and VPN continued to work.
I'm not sure why it would matter unless some kind of GP is preventing it from connecting but then why would it work prior to all these issues as well as after rejoining the domain?
-Mike
We are seeing the exact same issue on some workstations after upgrading from 7.2.3 to 7.2.4.
Updating to 7.2.5 appears to have fixed the problem for us.
That's good to know. I'm going to apply the 7.2.5 firmware in the near future and will report back here.
-Mike
Also, based on the debug output you have shared and seeing "SSL_accept failed, 1:no shared cipher",
for an error like this the article below is worth checking.
Hello
Please run the packet capture command on the firewall:
diagnose sniffer packet any 'host X.X.X.X' 6 0 l [User's IP address]