Support Forum
ps-support
New Contributor II

SSL VPN connection attempt prompts Fortiguard SDNS Blocked Page Certificate Warning

Intermittently, we have an external user that is unable to establish an SSLVPN connection. When it does occur, the following error message is displayed:
 


"Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS session settings in the Advanced of the Internet options. (-5029)."
I've verified the user's TLS certificate settings as outlined here: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiClient-TLS-error-5029-failed-to/ta-p/190478?externalID=FD48705 but the issue persists.
After further troubleshooting, I created a second profile changing the remote gateway from the website address (vpn.website.com) to the website's IP address (123.123.123.123). The user was able to connect but they had to install the remote gateway's certificate to the workstation's personal and trusted publisher certificate stores.  

I then switched back to the profile using the remote gateway web address (vpn.website.com) and there was a certificate warning. When I inspected the certificate it was the following:

The user's network uses a FortiGate firewall. My suspicion is the user's FortiGate firewall is blocking/flagging the remote gateway web address (vpn.website.com) but not the IP address (123.123.123.123). Is there a way we can confirm this? I asked the client to add the remote gateway address (vpn.website.com) to the allow list of their firewall but the issue persists.

hbac
Staff

Hi @ps-support,

Do you have DNS Filter enabled? It is most likely being blocked by DNS Filter.

Regards,

pminarik
Staff

"The user's network uses a FortiGate firewall. My suspicion is the user's FortiGate firewall is blocking/flagging the remote gateway web address (vpn.website.com) but not the IP address (123.123.123.123)"

That is pretty much the confirmation already, but if you want some further confirmation, try to resolve the VPN's FQDN on the affected endpoint (nslookup, dig) - if it resolves to an unexpected IP (208.91.112.55 is the default redirect target of DNS filter), you know the client's DNS is being filtered.

[ corrections always welcome ]
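A small diagnostic for the two symptoms in this thread, added here as an example and not code from the thread or from Fortinet: it resolves the gateway FQDN on the affected endpoint and compares the answer against the DNS Filter block-page address quoted in the reply above, and a SAN matcher shows why a block page's certificate does not cover the VPN name and so triggers the warning. The script name, vpn.website.com, 123.123.123.123 and the SAN lists are the thread's placeholders or constructed values; 208.91.112.55 is the default redirect target named in the reply.

```python
import socket
import sys

# 208.91.112.55 is the default redirect target of the FortiGate DNS Filter
# block page, as quoted in the reply above. Add any custom block-page IP here.
SDNS_BLOCK_IPS = {"208.91.112.55"}


def resolve_ipv4(fqdn):
    """Resolve fqdn to the set of IPv4 addresses the endpoint's resolver returns."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def diagnose(fqdn, resolved, expected_ip=None, block_ips=SDNS_BLOCK_IPS):
    """Classify a resolution result: 'dns-filtered' means the name was rewritten
    to a block-page address, 'unexpected-ip' means it resolved to something other
    than the gateway address the VPN profile expects."""
    if not resolved:
        return "nxdomain"
    if resolved & block_ips:
        return "dns-filtered"
    if expected_ip is not None and expected_ip not in resolved:
        return "unexpected-ip"
    return "ok"


def cert_covers_host(fqdn, sans):
    """True if one of the certificate's DNS SANs covers fqdn (one-label wildcard
    supported). A block page serves the filter's own certificate, so this is
    False for the VPN FQDN, which is exactly the certificate warning seen."""
    fqdn = fqdn.lower().rstrip(".")
    for name in sans:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if fqdn.count(".") == name.count(".") and fqdn.endswith(name[1:]):
                return True
        elif name == fqdn:
            return True
    return False


if __name__ == "__main__":
    # Usage (hypothetical script name): python dnsfilter_check.py vpn.website.com 123.123.123.123
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.website.com"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    ips = resolve_ipv4(host)
    print(f"{host} -> {sorted(ips) or 'no answer'}: {diagnose(host, ips, expected)}")
```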
ps-support
New Contributor II

@hbac @pminarik - thank you for the suggestions. I will ask the client's IT team if they can verify if DNS filtering is turned on and if it can be turned off. I will also ask them, if they experience the issue above, to do an nslookup of the remote gateway address and see what IP address it resolves to. Thanks again.

Pittstate
New Contributor III

You could test the host name lookup here against FN's Secure DNS service, which the certificate seems to imply using: https://www.fortiguard.com/services/sdns

 
