"Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS session settings in the Advanced of the Internet options. (-5029)."
I've verified the user's TLS certificate settings as outlined here: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiClient-TLS-error-5029-failed-to/ta-p/190478?externalID=FD48705 but the issue persists.
After further troubleshooting, I created a second profile changing the remote gateway from the website address (vpn.website.com) to the website's IP address (123.123.123.123). The user was able to connect but they had to install the remote gateway's certificate to the workstation's personal and trusted publisher certificate stores.
I then switched back to the profile with the using the remote gateway web address (vpn.website.com) and there was a certificate warning. When I inspected the certificate it was the following:The user's network uses a FortiGate firewall. My suspicion is the user's FortiGate firewall is blocking/flagging the remote gateway web address (vpn.website.com) but not the IP address (123.123.123.123). Is there a way we can confirm this? I asked the client to add the remote gateway address (vpn.website.com) to the allow list of their firewall but the issue persists.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @ps-support,
Do you have DNS Filter enabled? It is most likely being blocked by DNS Filter.
Regards,
> The user's network uses a FortiGate firewall. My suspicion is the user's FortiGate firewall is blocking/flagging the remote gateway web address (vpn.website.com) but not the IP address (123.123.123.123)
That is pretty much the confirmation already, but if you want some further confirmation, try to resolve the VPN's FQDN on the affected endpoint (nslookup, dig) - if it resolves to an unexpected IP (208.91.112.55 is the default redirect target of DNS filter), you know the client's DNS is being filtered.
@hbac @pminarik - thank you for the suggestions. I will ask the client's IT team if they can verify if DNS filtering is turned on and if it can be turned off. I will also ask them if they experience the issue above, if they can do a nslookup of the remote gateway address and see what IP address it resolves to. Thanks again.
You could test the host name lookup here against FN's Secure DNS service, which the certificate seems to imply using: https://www.fortiguard.com/services/sdns
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.