"Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS session settings in the Advanced of the Internet options. (-5029)."
I've verified the user's TLS certificate settings as outlined here: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiClient-TLS-error-5029-failed-to/ta-p/190478?externalID=FD48705 but the issue persists.
After further troubleshooting, I created a second profile changing the remote gateway from the website address (vpn.website.com) to the website's IP address (123.123.123.123). The user was able to connect but they had to install the remote gateway's certificate to the workstation's personal and trusted publisher certificate stores.
I then switched back to the profile using the remote gateway web address (vpn.website.com) and there was a certificate warning. When I inspected the certificate it was the following:

The user's network uses a FortiGate firewall. My suspicion is the user's FortiGate firewall is blocking/flagging the remote gateway web address (vpn.website.com) but not the IP address (123.123.123.123). Is there a way we can confirm this? I asked the client to add the remote gateway address (vpn.website.com) to the allow list of their firewall but the issue persists.
Hi @ps-support,
Do you have DNS Filter enabled? It is most likely being blocked by DNS Filter.
Regards,
> The user's network uses a FortiGate firewall. My suspicion is the user's FortiGate firewall is blocking/flagging the remote gateway web address (vpn.website.com) but not the IP address (123.123.123.123)
That is pretty much the confirmation already, but if you want some further confirmation, try to resolve the VPN's FQDN on the affected endpoint (nslookup, dig) - if it resolves to an unexpected IP (208.91.112.55 is the default redirect target of DNS filter), you know the client's DNS is being filtered.
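The lookup check described in the reply above, as an added example that is not part of this thread or of any Fortinet tool: it resolves the gateway FQDN from the endpoint and flags the answer when it is the FortiGuard DNS-filter redirect address named above (208.91.112.55), or when it differs from the gateway's known public IP. The hostname vpn.website.com and the address 123.123.123.123 are the placeholders from the question; the `check_gateway` and `classify_resolution` names are this example's own.

```python
import socket
import ipaddress

# Default redirect target of the FortiGuard DNS filter when a name is blocked,
# as stated in the reply above. Extend the set if your unit uses a custom portal.
DNS_FILTER_REDIRECT_IPS = {"208.91.112.55"}


def classify_resolution(hostname, addresses, expected_ips=None):
    """Classify the addresses `hostname` resolved to.

    addresses:    list of address strings returned by the endpoint's resolver
    expected_ips: the gateway's real public IP(s), if the admin knows them
    Returns one of: no_answer, dns_filter_redirect, ok, unexpected_answer, resolved
    """
    if not addresses:
        return "no_answer"
    # Normalise so "123.123.123.123" and any padded/IPv6-mapped forms compare equal.
    addrs = {str(ipaddress.ip_address(a)) for a in addresses}
    if addrs & DNS_FILTER_REDIRECT_IPS:
        # The name was answered with the filter's block-page address, so the
        # client's DNS is being filtered (hostname is only used for reporting).
        return "dns_filter_redirect"
    if expected_ips is not None:
        expected = {str(ipaddress.ip_address(a)) for a in expected_ips}
        return "ok" if addrs <= expected else "unexpected_answer"
    return "resolved"


def resolve(hostname):
    """Resolve `hostname` with the system resolver (what FortiClient would use)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_gateway(hostname, expected_ips=None):
    """Resolve the gateway FQDN on this endpoint and return (addresses, verdict)."""
    addrs = resolve(hostname)
    return addrs, classify_resolution(hostname, addrs, expected_ips)


if __name__ == "__main__":
    # Placeholder gateway name and IP from the question; replace with real values.
    addresses, verdict = check_gateway("vpn.website.com", ["123.123.123.123"])
    print(f"vpn.website.com -> {addresses or 'no answer'}: {verdict}")
```

Run it on the affected workstation, not from your own network: the point is to see what that endpoint's configured resolver returns. A `dns_filter_redirect` verdict confirms the DNS Filter profile on the client's FortiGate is rewriting the answer; `unexpected_answer` points at some other DNS interception or a stale record; `no_answer` is consistent with the name being dropped rather than redirected.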
@hbac @pminarik - thank you for the suggestions. I will ask the client's IT team if they can verify whether DNS filtering is turned on and if it can be turned off. I will also ask them, if they experience the issue above, to do an nslookup of the remote gateway address and see what IP address it resolves to. Thanks again.
You could test the host name lookup here against FN's Secure DNS service, which the certificate seems to imply using: https://www.fortiguard.com/services/sdns