FortiGate as an SSL client not working
I tried to connect to another FortiGate through the SSL-VPN client connection, but the connection is not established.
I ran a debug command on the SSL-VPN server to figure out the issue.
I received these logs:
2024-01-16 18:07:19 [260:root:19]allocSSLConn:310 sconn 0x7fab546000 (0:root)
2024-01-16 18:07:21 [260:root:19]SSL state:before SSL initialization (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:fatal decode error (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:error:(null)(X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL_accept failed, 1:unexpected eof while reading
2024-01-16 18:07:21 [260:root:19]Destroy sconn 0x7fab546000, connSize=0. (root)
I used easy-rsa to create a server-client self-signed cert bundle to use for this purpose.
Another thing that I should mention is that whenever I use the "openfortivpn" package in Ubuntu or FortiClient VPN and point them at those self-signed certificate files for the CA, server cert, and user key, the connection is established without any problem.
I wonder if you have any idea how to sort out this issue.
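To make sslvpn application debug output like the lines above easier to triage across many connections, here is an added Python example (not from the original post or from Fortinet) that groups the lines by the `[pid:vdom:n]` worker prefix and `sconn` handle, records the TLS state sequence for each connection, and reports whether `SSL_accept` completed or the reason it failed. The six log lines are the ones from the post; the second, successful session is constructed for contrast.

```python
import re

# Constructed sample: the six lines from the post, plus one constructed successful
# handshake (second worker, second sconn) so the two outcomes can be compared.
SAMPLE_LOG = """\
2024-01-16 18:07:19 [260:root:19]allocSSLConn:310 sconn 0x7fab546000 (0:root)
2024-01-16 18:07:21 [260:root:19]SSL state:before SSL initialization (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:fatal decode error (X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL state:error:(null)(X.X.X.X)
2024-01-16 18:07:21 [260:root:19]SSL_accept failed, 1:unexpected eof while reading
2024-01-16 18:07:21 [260:root:19]Destroy sconn 0x7fab546000, connSize=0. (root)
2024-01-16 18:08:02 [260:root:20]allocSSLConn:310 sconn 0x7fab547000 (0:root)
2024-01-16 18:08:02 [260:root:20]SSL state:SSL negotiation finished successfully (Y.Y.Y.Y)
2024-01-16 18:08:30 [260:root:20]Destroy sconn 0x7fab547000, connSize=0. (root)
"""
# The [pid:vdom:n] prefix identifies the worker; assumption: one open sconn per worker.
LINE_RE = re.compile(r"^\S+ \S+ \[(?P<ctx>[^\]]+)\](?P<msg>.*)$")
ALLOC_RE = re.compile(r"allocSSLConn:\d+ sconn (?P<sconn>0x[0-9a-f]+)")
STATE_RE = re.compile(r"SSL state:(?P<state>.*?)\s*\([^()]*\)$")  # strips trailing (peer)
FAIL_RE = re.compile(r"SSL_accept failed, (?P<reason>.+)$")
DESTROY_RE = re.compile(r"Destroy sconn (?P<sconn>0x[0-9a-f]+)")

def triage(log_text):
    """Map each sconn handle to its TLS state sequence and any SSL_accept failure."""
    sessions, open_by_ctx = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx, msg = m.group("ctx"), m.group("msg")
        if a := ALLOC_RE.search(msg):
            sessions[a["sconn"]] = {"states": [], "failure": None, "closed": False}
            open_by_ctx[ctx] = a["sconn"]
        elif (sconn := open_by_ctx.get(ctx)) is None:
            continue  # worker has no open connection; ignore stray line
        elif s := STATE_RE.search(msg):
            sessions[sconn]["states"].append(s["state"])
        elif f := FAIL_RE.search(msg):
            sessions[sconn]["failure"] = f["reason"]
        elif DESTROY_RE.search(msg):
            sessions[sconn]["closed"] = True
            del open_by_ctx[ctx]
    return sessions

def summarize(sessions):
    """One verdict per connection: handshake completed, or failed with the reason."""
    return [f"{k}: FAILED ({v['failure']})" if v["failure"] else f"{k}: ok"
            for k, v in sessions.items()]
```

A connection whose states go straight from "before SSL initialization" to "fatal decode error" with "unexpected eof while reading" never produced a readable ClientHello on the server side, which is why looking at the client end (or, as in this thread, at a known client-side defect) is the next step.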
The problem matches a known problem in version 7.4.1 and has already been fixed in 7.4.2.
ID 933985 - FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.
The issue was resolved after upgrading the firewalls to v7.4.2.
If the two FGTs are on different versions, it is probably due to SSL/TLS negotiation. If that is the case, it may be resolved by aligning the SSL versions on both ends, or by updating the FGT on the lower version.
@AEK Thanks for the reply.
That wouldn't be the case, since both firewalls are on the same version (v7.4.1).
In both firewalls, the minimum TLS version is 1.2 and the maximum is 1.3.
The same certificate bundle is also uploaded on both.
Hi @jumia,
Are there any firewalls in between doing certificate inspection/deep inspection?
Regards,
@hbac
No, there isn't any firewall in between.