Recently we implemented a 60F on 7.4.1 at a datacenter and tested FortiClient authentication via SSO for a client. It was working fine for multiple users, including myself. Then over the weekend some, but not all, users have been getting disconnected or cannot connect at first and require a restart of FCT or a reboot of their computer. They are getting various errors, but mostly 6005, 6006, and 7200, depending on whether they're connecting for the first time since FCT has started up or reconnecting after being disconnected. I also have the issue on my computer even though it was working before, and now I can't even connect to my own company's FortiGate via SSO. I think this is a Windows issue, and of course TAC has not been very helpful with solutions because it is the free version and it's best-effort support. I have seen this issue on 7.0.10, 7.2.2, and 7.2.3 (latest). We have done many packet captures on both the workstation and the FortiGate, debugs on the FortiGate, and looked through the event logs. From what I can tell, my machine is not successful in the TLS handshake, as we see the TCP portion completing. Has anyone else dealt with this issue?
Hello,
Thank you for reaching out on this forum. Is FortiClient failing to connect at a specific percentage, i.e. at 40%, and have any changes been applied recently on the firewall itself relevant to the SSL VPN configuration, like enabling split tunneling, DTLS, changing ISP, outages, etc.? The following article advises in general what to troubleshoot or focus on when the VPN connection fails at different stages:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL...
The client fails at 40%, and we have tried enabling/disabling different TLS versions on the workstation. We have also played with the banned ciphers in the FortiGate config.
Hello @bigboss62
You could try changing the SSL minimum and maximum version values in "config vpn ssl setting".
regards,
Sheikh
We tried this as well by enabling all TLS versions and setting the banned cipher to only ARIA, since neither support nor I could get the banned ciphers to be empty. Here is a portion of our config currently:
set reqclientcert disable
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
set banned-cipher ARIA
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set ssl-insert-empty-fragment enable
It feels as though something is wrong on our workstations not initiating the TLS handshake.
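One way to separate "the workstation never completes a TLS handshake" from a FortiClient-specific problem is to pin a plain TLS client to each version the gateway is configured to accept and see which handshakes succeed. The following is an added example, not code from the thread or from Fortinet; it takes the config lines quoted above as constructed input and assumes the SSL VPN listens on port 443 (`host`, `port` and the function names are hypothetical).

```python
import socket
import ssl

# Constructed copy of the "config vpn ssl settings" lines quoted in the thread above.
FGT_SSL_SETTINGS = """
set reqclientcert disable
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
set banned-cipher ARIA
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set ssl-insert-empty-fragment enable
"""
# FortiGate version keywords, oldest first, mapped to Python's ssl.TLSVersion constants.
PROTO_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
PROTO_VER = dict(zip(PROTO_ORDER, [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                                   ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]))

def parse_ssl_settings(text):
    """Map each 'set <key> <values...>' line of the fragment to key -> list of values."""
    settings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            settings[parts[1]] = parts[2:]
    return settings

def expected_versions(settings):
    """TLS versions the gateway should accept, derived from ssl-min/max-proto-ver."""
    lo = PROTO_ORDER.index(settings["ssl-min-proto-ver"][0])
    hi = PROTO_ORDER.index(settings["ssl-max-proto-ver"][0])
    return PROTO_ORDER[lo:hi + 1]

def probe_tls(host, port, version, timeout=5.0):
    """One handshake pinned to a single TLS version: (True, 'ver cipher') or (False, error)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Certificate validation is off on purpose: the question is whether the
        # handshake completes at all, which is the stage the thread reports failing at 40%.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = PROTO_VER[version]
        ctx.maximum_version = PROTO_VER[version]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, f"{type(exc).__name__}: {exc}"

def probe_gateway(host, port=443, cfg_text=FGT_SSL_SETTINGS):
    """Probe every version the config says the gateway accepts: version -> (ok, detail)."""
    versions = expected_versions(parse_ssl_settings(cfg_text))
    return {v: probe_tls(host, port, v) for v in versions}
```

Run `probe_gateway("vpn.example.invalid")` from an affected and an unaffected workstation and compare: if TLS 1.2 and 1.3 both fail only on the affected machine, the problem sits in that client's TLS stack rather than in FortiClient or the gateway settings.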
Hi @bigboss62,
What is the OS of the client? Can you try to export the logs from the client and see if there is any internal error?
We're working with Windows 10
Hi @bigboss62,
Can you please try to export the client logs from those machines?
Copyright 2024 Fortinet, Inc. All Rights Reserved.