Roland_ITIG
New Contributor II

No "Server Certificate Warning" prompt with FortiClient VPN 7.4.1.1736 SSL-VPN

Hi,

We work with FortiClient VPN 7.4.0.1658 with one predefined SSL-VPN gateway to an external partner (user and password, no client certificate, port 18443) on Windows Server 2016 on VMware ESXi.

The connection is established after confirming the "Server Certificate Warning" for FGVM2VTM23001833 fortinet-subca2001.

After updating FortiClient VPN to 7.4.1.1736, the "Server Certificate Warning" no longer prompts and no connection is possible.

On a reference client outside my company network it works.

Exporting the certificate there and importing it on the server doesn't change anything.

After downgrading FortiClient VPN to the previous version on the server, the connection works fine again.

Any idea? Thanks,

Roland
Attachments:
2024-11-27 10_10_51 Config.png
2024-11-27 10_10_52 - Certificate Security Alert.png
2024-11-27 10_10_53 - Certificate Security Alert.png

sjoshi
Staff

Hi,

Please share the logs below while connecting to the SSL VPN.

PuTTY SSH1:
------------

get vpn ssl monitor
diagnose vpn ssl list
diagnose firewall auth list
dia vpn ssl statistics
exec vpn sslvpn list
get system status
diag vpn ssl stat


PuTTY SSH2:
------------

diag sys flash list
diag debug reset
diagnose debug console timestamp en
diagnose vpn ssl debug-filter src-addr4 x.x.x.x - Here x.x.x.x is the public IP of the user connecting.
diag debug appl sslvpn -1
diag debug appl fn -1
diag debug enable

Wait until the VPN disconnects, then disable the logs by executing:

diag debug disable
diag debug reset

Let us know if this helps.
Salon Raj Joshi
Roland_ITIG
New Contributor II

Hi,

Thanks for your reply. The gateway is operated by our external partner, so I cannot debug the SSL VPN from my side.

Regarding the known issues (SSL VPN) in 7.4.1 versus 7.4.0, I am thinking about testing another version.

https://docs.fortinet.com/document/forticlient/7.4.1/windows-release-notes/743101/existing-known-iss...

https://docs.fortinet.com/document/forticlient/7.4.0/windows-release-notes/743101/existing-known-iss...

Do you have a link from where to download, for example, "FortiClientVPNSetup_7.2.6.1076_x64.exe"?

Roland

funkylicious

try here

"jack of all trades, master of none"
Roland_ITIG

Yeah, with this version "FortiClientVPNSetup_7.2.6.1076_x64.exe" the connection works again without configuring anything special!

pminarik
Staff

Have a look into the details of the certificate. It can only be trusted for the domains, or IPs, listed in its Subject Alternative Name extension (which may or may not be present if you scroll down in the list of attributes). If the extension is not present, FortiClient will not be able to trust it at all.

The certificate requirements are the same as for browsers trusting websites.

The proper course of action is for the administrator of that FortiGate to use a valid public certificate for the domain that is used as the SSL-VPN's address. Anything else is bad practice and a potential security issue waiting to blow up.

[ corrections always welcome ]
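To check the rule pminarik describes against an exported gateway certificate, here is an added Python example (not from this thread, FortiClient or FortiGate) that applies browser-style Subject Alternative Name matching to certificate fields in the shape Python's ssl.SSLSocket.getpeercert() returns; the gateway names, the IP 203.0.113.10 and the SAN entries are constructed sample values.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real gateway cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.partner.example"),),),
    "subjectAltName": (
        ("DNS", "vpn.partner.example"),
        ("DNS", "*.backup.partner.example"),
        ("IP Address", "203.0.113.10"),
    ),
}

def san_entries(cert):
    """Split the subjectAltName extension into DNS names and IP address strings."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips

def dns_matches(pattern, host):
    """Browser-style rule: exact match, or '*' only as the leftmost label covering exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def check_gateway_cert(cert, gateway):
    """Return (ok, reason): is the cert valid for the gateway name or IP in the client profile?"""
    dns, ips = san_entries(cert)
    if not dns and not ips:
        return False, "no subjectAltName extension: the certificate cannot be trusted for any host"
    try:
        wanted = ipaddress.ip_address(gateway)
    except ValueError:
        wanted = None  # gateway is a DNS name, not an IP literal
    if wanted is not None:
        if any(ipaddress.ip_address(ip) == wanted for ip in ips):
            return True, f"IP {gateway} is listed in the SAN"
        return False, f"IP {gateway} is not among the SAN IP entries {ips}"
    if any(dns_matches(p, gateway) for p in dns):
        return True, f"{gateway} is covered by the SAN DNS entries {dns}"
    return False, f"{gateway} is not covered by the SAN DNS entries {dns}"
```

A certificate that only carries the name in its Subject commonName and has no SAN is rejected outright, which is the case pminarik describes as "not able to trust it at all".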
Roland_ITIG

Hi, thanks for the hint:

Using the gateway as in the screenshot, the certificate has wrong data;

using an alternate gateway from my external partner returns correct certificate data.

I will report this to them.
