Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Morrison_Frank
New Contributor

Forticlient VPN connect issue

I used VPN-only version of FortiClient 7.0.10 to dial SSO mode sslvpn.

I have noticed that VPN dialing has been fluctuating recently. SSL VPN fails at 40% or 70% with the error: "The server you are connecting to is requesting authentication. Please select a certificate and try again (-6005).

But sometimes it can connect VPN suceesfully after a while. I provided some logs hope to find the reason.

 

2023-11-28 13:45:48 [httpsd 13683 - 1701150348 critical] fweb_error_log[252] -- AH01991: SSL input filter read failed.
2023-11-28 13:45:51 [httpsd 13685 - 1701150351 critical] fweb_error_log[252] -- AH01964: Connection to child 6 established (server Fortigate:1443)
2023-11-28 13:45:51 [httpsd 13685 - 1701150351 critical] fweb_error_log[252] -- AH02008: SSL library error 1 in handshake (server Fortigate:1443)
2023-11-28 13:45:51 [httpsd 13685 - 1701150351 critical] fweb_error_log[252] -- SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown (SSL alert number 46)

2023-11-28 13:48:41 [269:root:21f8]deconstruct_session_id:430 decode session id ok, user=[ray_zheng@mxxxxxx.com],group=[sha_fortivpn1],authserver=[sha_azure_s
aml],portal=[tunnel-access],host=[222.190.xxx.xxx],realm=[], csrf_token=[94B7212D84E1FAE406655D57B11F661],idx=20,auth=256,sid=2f500aae,login=1701150521,access=1701150
521,saml_logout_url=no
2023-11-28 13:48:41 [268:root:21f5]sslvpn_read_request_common,663, ret=-1 error=-1, sconn=0x7fb0970800.
2023-11-28 13:48:41 [268:root:21f5]Destroy sconn 0x7fb0970800, connSize=1. (root)
2023-11-28 13:48:41 [270:root:21f8]allocSSLConn:298 sconn 0x7fb161f600 (0:root)
2023-11-28 13:48:41 [270:root:21f8]SSL state:before SSL initialization (222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL state:before SSL initialization (2222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]got SNI server name: vpn.mxxxxxx.com realm (null)
2023-11-28 13:48:41 [270:root:21f8]client cert requirement: no
2023-11-28 13:48:41 [270:root:21f8]SSL state:SSLv3/TLS read client hello (222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL state:SSLv3/TLS write server hello (222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL state:SSLv3/TLS write certificate (222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL state:SSLv3/TLS write key exchange (222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL state:SSLv3/TLS write server done (222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL state:SSLv3/TLS write server done:system lib(222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL state:SSLv3/TLS write server done:DH lib(222.190.xxx.xxx)
2023-11-28 13:48:41 [270:root:21f8]SSL_accept failed, 5:(null)
2023-11-28 13:48:41 [270:root:21f8]Destroy sconn 0x7fb161f600, connSize=0. (root)

3 REPLIES 3
hbac
Staff
Staff

Hi @Morrison_Frank,

 

What is the firmware version of FortiGate? Have you tried different versions of FortiClient? Please check the FortiClient debug  logs: https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-enable-debug-log-in-FortiClient/t...

 

Regards, 

Morrison_Frank

Hi hbac

My FGT101F firmware is 6.4.14. I download forticlient 7.0.8; 7.0.9, 7.0.10,but the problem is the same. I found some logs from user forticlient:

 

[2023-11-28 13:46:51.9734542 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: CSslvpnBase::BaseInit is called

[2023-11-28 13:46:53.9814689 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: SslvpnAgent: Closed pipe instance

[2023-11-28 13:46:53.9833431 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: OnConnect is called, strConnection:SHA Azure VPN, strUsername:, strServerAddress:https://vpn.moxxxxxx.cn:10443, strCertificate:, bRedundantMode:0, bMuteErrorDlgs:0

[2023-11-28 13:46:53.9834505 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: proxy flag: 1 proxy:(null)

[2023-11-28 13:46:53.9838072 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: CSvlauncherDlg::OnConnect(): Before check server TCP port. ***********************

[2023-11-28 13:46:54.1026649 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: CSvlauncherDlg::InitFortiSslvpn() Called.

[2023-11-28 13:46:54.1030540 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: CSvlauncherDlg::InitFortiSslvpn(): Daemon is running

[2023-11-28 13:46:54.1030582 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: SslvpnAgent: before connect pipe

[2023-11-28 13:46:54.1030609 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: SslvpnAgent: before create file

[2023-11-28 13:46:54.1030797 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: SslvpnAgent: ActiveX connected to SslvpnDaemon

[2023-11-28 13:46:54.1030860 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: CSvlauncherDlg::InitFortiSslvpn(): SslvpnAgent initialized successfully

[2023-11-28 13:46:54.1111997 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: >>>>DoConnect(vpn.morrisonexpress.cn:10443) ...

[2023-11-28 13:46:54.1112279 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: CSvlauncherDlg::InitFortiSslvpn() Called.

[2023-11-28 13:46:54.1112338 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: CSvlauncherDlg::InitFortiSslvpn(): FortiSslvpn has been initialized, return TRUE

[2023-11-28 13:46:54.5645131 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: /remote/info result from GUI, ======

[2023-11-28 13:46:54.5645209 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: <?xml version='1.0' encoding='utf-8'?><info><api encmethod='0' salt='0436f6a1' remoteauthtimeout='150' f='df' /></info>
[2023-11-28 13:46:54.5645244 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:
======

[2023-11-28 13:46:54.5645528 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: RemoteAuthTimeout=150 in /remote/info

[2023-11-28 13:46:54.7098141 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: Request /remote/saml/login has been sent successfully

[2023-11-28 13:46:54.7101181 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: Response from request /remote/saml/login

[2023-11-28 13:46:54.7101222 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: ======

[2023-11-28 13:46:54.7101249 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: <html><head>
<script language='javascript'>
document.location='/sslvpn/portal.html';
</script>
</head></html>

[2023-11-28 13:46:54.7101275 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: ======

[2023-11-28 13:46:54.7103145 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: HttpSendRequest(): URL=/remote/logincheck, POST=username=&credential=&just_logged_in=1&redir=0.000000remote0.000000index&ajax=1 -->

[2023-11-28 13:46:54.7103607 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: HttpSendRequest(): bRC=1, Retry=0, ResultPage=
======

[2023-11-28 13:46:54.7106395 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: <html><head>
<script language='javascript'>
document.location='/sslvpn/portal.html';
</script>
</head></html>

[2023-11-28 13:46:54.7106436 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:
======


[2023-11-28 13:46:54.7107056 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: Cookies length:1312

[2023-11-28 13:46:54.7107290 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: Before GetUsernameForSAMLAuth, m_dwVPNType=1

[2023-11-28 13:46:54.7107327 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:

[2023-11-28 13:46:54.7107374 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: GetWebPage(): URL=/remote/portal -->

[2023-11-28 13:46:54.7107788 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: CSslvpnBase::Add_EMS_SN_Header:1371 FGT Does not need EMS SN

[2023-11-28 13:46:54.7891680 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: HTTP_QUERY_STATUS_CODE: 200

[2023-11-28 13:46:54.7891921 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: ======

[2023-11-28 13:46:54.7891999 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: { "headerTemplate": "<div class=\"fortinet-grid-icon\">\n <f-icon class=\"ftnt-fortinet-grid icon-xl\"><\/f-icon>\n<\/div>\n<div class=\"platform\">\n {STATUS_INFO}\n<\/div>\n\n<div class=\"expand\">\n {EXPAND}\n<\/div>\n\n{OPTIONS}\n\r\n", "user": "ray_zheng@moxxxxxx.com", "group": "sha_fortivpn1", "session_index": 17, "fgt_realm": "", "s_addr": "3935282868", "fgt_sslvpn_var1": [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ], "fgt_sslvpn_var2": [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ], "fgt_sslvpn_var3": false, "fgt_sslvpn_sid": "29fa634b", "fgt_sslvpn_csrf": "AD15282FEC3B27864BC73FDE646A280", "idle-timeout": 0, "help": "http:\/\/docs.fortinet.com\/document\/fortigate\/6.4.14\/cookbook?cshid=ssl_vpn_portal", "is_msie": false, "is_mswin": true, "is_firefox": false, "date_format": "yyyy\/MM\/dd", "auth-timeout": 28800000, "system_lang": "en", "show_custom_lang": false, "name": "", "custom-lang": "", "bookmarks": [ ] }
[2023-11-28 13:46:54.7892055 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:
======

[2023-11-28 13:46:54.7892104 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: GetWebPage(): bRC=1,CT=(application/json), length=959


[2023-11-28 13:46:54.7892175 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: SAML auth username:ray_zheng@morrisonexpress.com

[2023-11-28 13:46:54.7892209 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:

[2023-11-28 13:46:54.7892240 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: GetWebPage(): URL=/remote/portal -->

[2023-11-28 13:46:54.7892733 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: CSslvpnBase::Add_EMS_SN_Header:1371 FGT Does not need EMS SN

[2023-11-28 13:46:54.8323021 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: HttpSendRequest(): bRC=0, URL=/remote/portal, Retry=0, LastError=12157

[2023-11-28 13:46:54.8324194 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: ======

[2023-11-28 13:46:54.8324222 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:
[2023-11-28 13:46:54.8324247 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:
======

[2023-11-28 13:46:54.8324291 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: GetWebPage(): bRC=0,CT=(), length=0


[2023-11-28 13:46:54.8324374 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: <<<<DoConnect(): bRC=0, ErrorCode=-6007

[2023-11-28 13:47:08.1674773 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: <<<<DoConnect(), ConnectFail: ErrorCode=-26007

Morrison_Frank

Hi hbac

My FGT101F firmware is 6.4.14. I try to use Forticlient7.0.8-7.010,but the problem is the same. I found some log from user client:

[2023-11-28 13:46:54.7892175 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: SAML auth username:ray_zheng@moxxxxxx.com

[2023-11-28 13:46:54.7892209 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:

[2023-11-28 13:46:54.7892240 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: GetWebPage(): URL=/remote/portal -->

[2023-11-28 13:46:54.7892733 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: CSslvpnBase::Add_EMS_SN_Header:1371 FGT Does not need EMS SN

[2023-11-28 13:46:54.8323021 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: HttpSendRequest(): bRC=0, URL=/remote/portal, Retry=0, LastError=12157

[2023-11-28 13:46:54.8324194 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: ======

[2023-11-28 13:46:54.8324222 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:
[2023-11-28 13:46:54.8324247 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn:
======

[2023-11-28 13:46:54.8324291 UTC+08:00] [11504:21880] [sslvpnlib 574 debug] FortiSslvpn: GetWebPage(): bRC=0,CT=(), length=0


[2023-11-28 13:46:54.8324374 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: <<<<DoConnect(): bRC=0, ErrorCode=-6007

[2023-11-28 13:47:08.1674773 UTC+08:00] [11504:21880] [sslvpnlib 517 debug] FortiSslvpn: <<<<DoConnect(), ConnectFail: ErrorCode=-26007

 

Top Kudoed Authors