PKI Auth problem
Hi,
I created two different PKI users in a Fortigate 60E firewall. Both users are in the same group.
I want to connect to the LAN using Forticlient VPN 6.0 with a SSL-VPN tunnel.
The first user connects correctly.
The second one gives me an error (attached #1).
The error is clear, you can't reach the vpn-server?
Do any of the following:
diag debug reset
diag debug enable
diag debug app sslvpnd -1
(Have the user start the client. Does he/she make it to the FortiGate? Does the debug show the user?)
or
diag sniffer packet <interface name> 'host x.x.x.x'
Where x.x.x.x is the user having problems. Do you see his/her IPv4 address making it to the FortiGate SSL-VPN IP?
Is the certificate good? Not expired? Does the user have access to the certificate and key? Is the cert signed by the expected CA that you have in the peer group?
You have a lot of diagnostics to do from the customer end of things.
Ken Felix
PCNSE
NSE
StrongSwan
I solved it!
I eventually realized that when creating the user certificate, its common name must be equal to the firewall PKI user's subject.
When I did this, everything started working fine.
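The checks the two replies above boil down to (does the client certificate chain to the CA configured for the PKI user, is it still valid, and does its subject CN equal the PKI user's subject) can be exercised offline with Go's standard x509 package. The block below is an added example written for this thread; it is not the poster's, Ken's, or Fortinet's code. It assumes a simplified PeerUser model with just a CA pool and a subject string, standing in for the FortiGate PKI user's CA and subject settings, and it assumes the firewall compares the presented certificate's subject against that subject string, which is what the poster's fix implies. All certificates and names ("Example VPN CA", "user1", "user2-laptop") are constructed test data generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PeerUser models the two fields of a FortiGate PKI user (peer) entry that
// client-certificate authentication depends on (assumed model, not FortiOS code).
type PeerUser struct {
	Subject string // the PKI user's configured subject, e.g. "CN=user2"
	CA      *x509.CertPool
}

// CheckClientCert applies the checks raised in the thread: chain to the peer's CA,
// validity at "now" (Verify rejects expired certs), and subject CN equal to the PKI user's subject.
func CheckClientCert(cert *x509.Certificate, peer PeerUser, now time.Time) error {
	opts := x509.VerifyOptions{Roots: peer.CA, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("PKI user %q: chain/validity check failed: %w", peer.Subject, err)
	}
	if got := "CN=" + cert.Subject.CommonName; got != peer.Subject {
		return fmt.Errorf("certificate subject %q != configured subject %q", got, peer.Subject)
	}
	return nil
}

// mustSign issues tmpl with a fresh P-256 key (nil parent = self-signed); panics because it only builds test data.
func mustSign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a throwaway self-signed CA (constructed test data, not a real CA).
func newCA(cn string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mustSign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueUserCert signs a 90-day client-auth certificate whose subject CN is cn.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64, now time.Time) *x509.Certificate {
	cert, _ := mustSign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// Scenario reproduces the thread: user1 passes; user2 fails while its certificate's CN is not the
// PKI user's subject, is expired, or comes from another CA; and passes once the CN matches.
func Scenario() map[string]error {
	now := time.Now()
	ca, caKey := newCA("Example VPN CA", now)
	otherCA, otherKey := newCA("Unrelated CA", now)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	user1 := PeerUser{Subject: "CN=user1", CA: pool}
	user2 := PeerUser{Subject: "CN=user2", CA: pool}
	good2 := issueUserCert(ca, caKey, "user2", 4, now)
	return map[string]error{
		"user1 ok":          CheckClientCert(issueUserCert(ca, caKey, "user1", 2, now), user1, now),
		"user2 cn mismatch": CheckClientCert(issueUserCert(ca, caKey, "user2-laptop", 3, now), user2, now),
		"user2 expired":     CheckClientCert(good2, user2, now.Add(365*24*time.Hour)),
		"user2 wrong ca":    CheckClientCert(issueUserCert(otherCA, otherKey, "user2", 5, now), user2, now),
		"user2 fixed":       CheckClientCert(good2, user2, now),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

To run the same comparison against a real client certificate file, print its subject and validity with `openssl x509 -noout -subject -dates -in user.crt` and compare the subject line with the PKI user's subject on the firewall; the "cn mismatch" case in the example is exactly the failure the poster hit, and the "expired" and "wrong ca" cases are the two other things Ken's reply asks you to rule out.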
Please consider the following log trace that I receive when trying to connect with the non-functional user:
https://drive.google.com/file/d/1Z5N3NtbDQ5Ef0bqzbn-kujqtGWy2J6Q8/view?usp=sharing
