Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bigboss62
New Contributor

Forticlient cannot connect

Recently we implemented a 60F on 7.4.1 at a datacenter and tested Forticlient authentication via SSO for a client. It was working fine for multiple users including myself. Then over the weekend some but not all users have been getting disconnected or cannot connect at first and require a restart of FCT or reboot of their computer. They are getting various errors but mostly 6005, 6006, and 7200 depending on if they're connecting for the first time since FCT has started up or if they're reconnecting after being disconnected. I also have the issue on my computer even thought it was working before and now I can't even connect to my own company's Fortigate via SSO. I think this is a Windows issue and of course TAC has not been very helpful with solutions because it is the free version and its best effort support. I have seen this issue on 7.0.10, 7.2.2, and 7.2.3 (latest). We have done many packet captures on both the workstation and Fortigate, debugs on the Fortigate, and looked through the even logs. From what I can tell my machine is not successful in the TLS handshake as we see the TCP portion completing. Has anyone else dealt with this issue? 

8 REPLIES 8
saleha
Staff
Staff

Hello,

Thank you for reaching out on this forum. Is the forticlient failing to connect at specific percentage - i.e. at 40% - and have any changes been applied recently on the firewall itself relevant to the sslvpn configuration like enabling split tunneling, dtls, changing isp, outages, etc. The following is an article that advised in general what to troubleshoot or focus on when the vpn connection fails at different stages:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL...

bigboss62

The client fails at 40% and we have tried to enable/disable different TLS versions on the workstation. We have also played with the banned ciphers on the Fortigate config. 

Sheikh
Staff
Staff

Hello @bigboss62 

 

You try to change the ssl minimum and maximum version values in "config vpn ssl setting"

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-the-SSL-version-and-cipher-...

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
bigboss62

We tried this as well by enabling all TLS versions and setting the banned cipher to only ARIA since support and I could not get the banned ciphers to be empty. Here is a portion of our config currently:
set reqclientcert disable
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
set banned-cipher ARIA
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set ssl-insert-empty-fragment enable

It feels as though something is wrong on our workstations not initiating the TLS handshake. 

bigboss62
New Contributor

We tried this as well by enabling all TLS versions and setting the banned cipher to only ARIA since support and I could not get the banned ciphers to be empty. Here is a portion of our config currently:
set reqclientcert disable
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
set banned-cipher ARIA
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set ssl-insert-empty-fragment enable

It feels as though something is wrong on our workstations not initiating the TLS handshake. 

mle2802
Staff
Staff

Hi @bigboss62,

What is the OS of client? Can you try to export log from client and see if there may be any internal error?

bigboss62

We're working with Windows 10

mle2802

Hi @bigboss62,

can you please try to export client logs from those machines?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors