Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MontanaMike
Contributor

Forticlient VPN Won't Connect

Good morning,

 

We have an issue that showed up this week (Tuesday) with two users VPN'ing from home.  They are getting a "The server want to connect to requests identification, please choose a certificate and try again. [-5]" error.  Interesting thing is that I don't require nor have we set up client certs for SSL VPN and it's only 2 users out of about 15 right now that are getting the error.  We are running a mix of Forticlient versions (6.0.9, 6.0.10 and some 7.2 versions) and don't have a support contract on the clients.  Another interesting thing is if we uninstall and remove it completely from their PCs  (Windows 10 and 11 are the two OS's) and install a new version as a test, it gets the same error.  Also...using a different Windows profile fails as well.


I found this article and followed the instructions and it's still not working: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-solve-The-server-you-want-to-connec...

 

I also found a few threads on Reddit that suggested an Adobe update could mess up the cert store but that seems to be a dead end.  Again...we don't require client certificates for SSL VPN auth.

Note:  No changes were made to the Fortigate so I don't think that's it.  Plus the other 10-13 users aren't having any issues.

I'd appreciate any suggestions or at the very least, find others having the issue too.  Again...this just cropped up on Tuesday September 3rd.

-Mike

MontanaMike

As my OP stated, VPN has been working normally (for years) and all other users, except the two affected, are not having any issues.

-Mike

MontanaMike

FYI, no virtual patching is enabled.  Actually, no settings are.

FW_1 (local-in-policy) # show full-configuration
config firewall local-in-policy
end

FW_1 (local-in-policy) #

-Mike

MontanaMike
Contributor

To make this even odder, we had the 2 remote staff bring their machines in so we could uninstall in safe mode.

One we did and then reinstalled and the issue persisted.  On a whim, my Helpdesk guy removed the PC from the AD domain and tested VPN and it worked normally.  Then he added it back to the AD domain and it continued to work.

The second one all he did was remove the PC from the AD domain and tested the VPN client as is and it worked normally.  Then added the PC back to the domain and VPN continued to work.

I'm not sure why it would matter unless some kind of GP is preventing it from connecting but then why would it work prior to all these issues as well as after rejoining the domain?

-Mike

Zekeout
New Contributor II

We are seeing the exact same issue on some workstations after upgrading from 7.2.3 to 7.2.4

 

https://community.fortinet.com/t5/Support-Forum/Forticlient-7-2-4-trying-to-use-certificates-when-no...

 

Updating to 7.2.5 appears to have fixed the problem for us

MontanaMike

That's good to know.  I'm going to apply the 7.2.5 firmware in the near future and will report back here.

-Mike

arahman
Staff

Also, based on the debug output you have shared, which shows "SSL_accept failed, 1:no shared cipher", the article below is worth checking for an error like this:

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-no-shared-cipher-error-in-an-SSL-VPN...

Shashwati
Staff

Hello,

Please run the packet capture command on the firewall:

diagnose sniffer packet any 'host X.X.X.X' 6 0 l     [X.X.X.X = user's IP address]
