Fortinet Community

ap6666 · ‎10-04-2022

Hey there,

I've just started playing around fortigate on eve-ng platform. I set up a basic SSL VPN configuration, but when I connected forticlient, it said The VPN Server may be unreachable (-5) and stuck at connecting status: 40%. The debug on firewall comes as below: (192.168.0.34 is the source IP of vpn client).

Is it a configuration issue or I need any license to use this firewall?

The firmware is v7.2

FortiGate-VM64-KVM # [300:root:8]allocSSLConn:303 sconn 0x7f491c61d300 (0:root)
	[300:root:8]SSL state:before SSL initialization (192.168.0.34)
	[300:root:8]SSL state:before SSL initialization:DH lib(192.168.0.34)
	[300:root:8]SSL_accept failed, 5:(null)
	[300:root:8]Destroy sconn 0x7f491c61d300, connSize=0. (root)
	[300:root:9]allocSSLConn:303 sconn 0x7f491c61d300 (0:root)
	[300:root:9]SSL state:before SSL initialization (192.168.0.34)
	[300:root:9]SSL state:before SSL initialization (192.168.0.34)
	[300:root:9]no SNI received
	[300:root:9]client cert requirement: no
	[300:root:9]SSL state:SSLv3/TLS read client hello (192.168.0.34)
	[300:root:9]SSL state:SSLv3/TLS write server hello (192.168.0.34)
	[300:root:9]SSL state:SSLv3/TLS write certificate (192.168.0.34)
	[300:root:9]SSL state:SSLv3/TLS write key exchange (192.168.0.34)
	[300:root:9]SSL state:SSLv3/TLS write server done (192.168.0.34)
	[300:root:9]SSL state:SSLv3/TLS write server done:system lib(192.168.0.34)
	[300:root:a]allocSSLConn:303 sconn 0x7f491c61e700 (0:root)
	[300:root:9]SSL state:SSLv3/TLS write server done:DH lib(192.168.0.34)
	[300:root:9]SSL_accept failed, 5:(null)
	[300:root:9]Destroy sconn 0x7f491c61d300, connSize=1. (root)
	[300:root:a]SSL state:before SSL initialization (192.168.0.34)
	[300:root:a]SSL state:before SSL initialization (192.168.0.34)
	[300:root:a]no SNI received
	[300:root:a]client cert requirement: no
	[300:root:a]SSL state:SSLv3/TLS read client hello (192.168.0.34)
	[300:root:a]SSL state:SSLv3/TLS write server hello (192.168.0.34)
	[300:root:a]SSL state:SSLv3/TLS write certificate (192.168.0.34)
	[300:root:a]SSL state:SSLv3/TLS write key exchange (192.168.0.34)
	[300:root:a]SSL state:SSLv3/TLS write server done (192.168.0.34)
	[300:root:a]SSL state:SSLv3/TLS write server done:DH lib(192.168.0.34)
	[300:root:a]SSL_accept failed, 5:(null)
	[300:root:a]Destroy sconn 0x7f491c61e700, connSize=0. (root)
	dia deb disa

	FortiGate-VM64-KVM #

AEK · ‎10-05-2022

Basically you can do much much tings with FGT physical appliance without license, however you can do almost nothing with FGT VM without license.

AEK

Debbie_FTNT · ‎10-05-2022

hey ap6666,

A (maybe a bit stupid) question - I assume your FortiGate is using the default server certificate for SSLVPN?

Is it possible that at 40% you're getting a pop-up in FortiClient (this might only be in the background - check in your task bar if there's a second FortiClient tab) prompting you to trust the FortiGate's certificate?

I frequently have that issue when setting up new labs with SSLVPN, and FortiClient gets stuck at 40%, I need to manually click on FortiClient in the task bar to bring up the certificate warning and accept it.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

ap6666 · ‎10-05-2022

thank you all,

it is a license issue.

Fortinet Community

SSL VPN failed on the new KVM version in EVE-NG