Support Forum
Donglv_
New Contributor III

[SOLVED] Forticlient VPN SSL Stops at 40%

I'm using FortiGate 7.0.6, setting up OSPF, and telnet to vpn-ip:9043 works. (Reached)

FortiClient VPN tries to connect but is still stuck at 40%. It says the identity certificate is not trusted.
Does anyone know what the problem is here?

Screenshot 2023-03-20 160237.png

srajeswaran
Staff

Please check this.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiClient-SSL-VPN-connection-status-gets...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Donglv_
New Contributor III

Thanks, I have already read this post but in my case there is no warning to click "yes".


srajeswaran

Can you collect the SSLVPN debug?

diagnose debug application sslvpn -1

diagnose debug enable


https://community.fortinet.com/t5/Support-Forum/SSL-VPN-Upgrade-from-FortiClient-7-0-5-to-7-0-6-SSL-...

Regards,
Suraj
Donglv_
New Contributor III

Hi @srajeswaran, this is the SSLVPN debug log. The connection hangs at 40%.

*I ran telnet to VPNServer:9043 (SSL port) successfully.
So do you know what's wrong in these logs?

Screenshot 2023-03-23 153159.png

SOSC # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
SOSC # diagnose debug enable
SOSC # [1590:root:2c]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2c]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2c]SSL state:before SSL initialization:DH lib(x.x.x.246)
[1590:root:2c]SSL_accept failed, 5:(null)
[1590:root:2c]Destroy sconn 0x7f5c53f56c00, connSize=0. (root)
[1590:root:2d]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2d]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2d]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2d]no SNI received
[1590:root:2d]client cert requirement: no
[1590:root:2d]SSL state:SSLv3/TLS read client hello (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server hello (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write certificate (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write key exchange (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done:system lib(x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done:DH lib(x.x.x.246)
[1590:root:2d]SSL_accept failed, 5:(null)
[1590:root:2d]Destroy sconn 0x7f5c53f56c00, connSize=0. (root)
[1590:root:2e]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2e]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2e]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2e]no SNI received
[1590:root:2e]client cert requirement: no
[1590:root:2e]SSL state:SSLv3/TLS read client hello (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server hello (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write certificate (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write key exchange (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server done (x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server done:system lib(x.x.x.246)
[1590:root:2e]SSL state:SSLv3/TLS write server done:DH lib(x.x.x.246)
[1590:root:2e]SSL_accept failed, 5:(null)
[1590:root:2e]Destroy sconn 0x7f5c53f56c00, connSize=0. (root)

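As an added example (not from this thread, and not Fortinet code), a small Python script that groups sslvpn debug output of the kind posted above by connection id and reports where each TLS handshake stopped; the sample lines are constructed in the same format as the post, and the classification is a heuristic, not a Fortinet-documented rule.

```python
import re

# Constructed sample in the format of the "diagnose debug application sslvpn -1"
# output quoted in this thread (connection ids 2c and 2d, as in the post above).
SAMPLE_LOG = """\
[1590:root:2c]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2c]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2c]SSL state:before SSL initialization:DH lib(x.x.x.246)
[1590:root:2c]SSL_accept failed, 5:(null)
[1590:root:2d]allocSSLConn:307 sconn 0x7f5c53f56c00 (0:root)
[1590:root:2d]SSL state:before SSL initialization (x.x.x.246)
[1590:root:2d]no SNI received
[1590:root:2d]SSL state:SSLv3/TLS read client hello (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write certificate (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done (x.x.x.246)
[1590:root:2d]SSL state:SSLv3/TLS write server done:DH lib(x.x.x.246)
[1590:root:2d]SSL_accept failed, 5:(null)
"""

LINE_RE = re.compile(r"\[(\d+):(\w+):([0-9a-f]+)\](.*)$")
STATE_RE = re.compile(r"^SSL state:(.+?)(?::(?:system|DH) lib)?\s*\(")

def parse_connections(log):
    """Group lines by connection id; record the SSL states reached (deduplicated) and whether SSL_accept failed."""
    conns = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = conns.setdefault(m.group(3), {"states": [], "failed": False})
        sm = STATE_RE.match(m.group(4))
        if sm:
            if not rec["states"] or rec["states"][-1] != sm.group(1):
                rec["states"].append(sm.group(1))
        elif m.group(4).startswith("SSL_accept failed"):
            rec["failed"] = True
    return conns

def classify(rec):
    """Heuristic: the last handshake state reached tells you which side gave up."""
    if not rec["failed"]:
        return "no SSL_accept failure recorded"
    states = rec["states"]
    if not any("client hello" in s for s in states):
        # Nothing TLS-shaped arrived (e.g. a plain telnet probe) or negotiation was rejected.
        return "failed before a ClientHello was read"
    if states[-1].endswith("write server done"):
        # Server sent its certificate and ServerHelloDone, then the client stopped: the pattern seen when the client does not trust the server certificate.
        return "client aborted after receiving the server certificate"
    return "failed at state: " + states[-1]
```

Run it over a saved debug capture and compare the verdict per connection with what FortiClient shows at 40%.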
srajeswaran

Telnet works because it doesn't use SSL/certificates.

Can you check if there is any SSL version specified under VPN setting?

config vpn ssl settings

Regards,
Suraj
Donglv_
New Contributor III

Did you mean this one?
*********************************************************
SOSC (settings) # get
status : enable
reqclientcert : enable
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : CustomSignedCert
idle-timeout : 0
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix :
dns-server1 : 8.8.8.8
dns-server2 : 1.1.1.1
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 9043
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "Loopback_"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : VPN SSL Client
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : disable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dual-stack-mode : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port : 8020
web-mode-snat : disable
user-peer :

srajeswaran

Ideally this output shows the "ssl-max-proto-ver" and "ssl-min-proto-ver".


Can you run the below command?

config vpn ssl settings

show full | grep proto-ver

Regards,
Suraj
Donglv_
New Contributor III

Hi @srajeswaran

Is this what you mean? But it shows nothing after grep proto-ver.

Screenshot 2023-03-23 164803.png

srajeswaran

Can you configure the below and check?

set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2

Regards,
Suraj