ap6666
New Contributor

SSL VPN failed on the new KVM version in EVE-NG

Hey there,

I've just started playing around with FortiGate on the EVE-NG platform. I set up a basic SSL VPN configuration, but when I connected FortiClient, it said "The VPN Server may be unreachable (-5)" and got stuck at connecting status: 40%. The debug output on the firewall is below (192.168.0.34 is the source IP of the VPN client).

Is it a configuration issue, or do I need a license to use this firewall?

The firmware is v7.2

FortiGate-VM64-KVM # [300:root:8]allocSSLConn:303 sconn 0x7f491c61d300 (0:root)
 [300:root:8]SSL state:before SSL initialization (192.168.0.34)
 [300:root:8]SSL state:before SSL initialization:DH lib(192.168.0.34)
 [300:root:8]SSL_accept failed, 5:(null)
 [300:root:8]Destroy sconn 0x7f491c61d300, connSize=0. (root)
 [300:root:9]allocSSLConn:303 sconn 0x7f491c61d300 (0:root)
 [300:root:9]SSL state:before SSL initialization (192.168.0.34)
 [300:root:9]SSL state:before SSL initialization (192.168.0.34)
 [300:root:9]no SNI received
 [300:root:9]client cert requirement: no
 [300:root:9]SSL state:SSLv3/TLS read client hello (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write server hello (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write certificate (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write key exchange (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write server done (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write server done:system lib(192.168.0.34)
 [300:root:a]allocSSLConn:303 sconn 0x7f491c61e700 (0:root)
 [300:root:9]SSL state:SSLv3/TLS write server done:DH lib(192.168.0.34)
 [300:root:9]SSL_accept failed, 5:(null)
 [300:root:9]Destroy sconn 0x7f491c61d300, connSize=1. (root)
 [300:root:a]SSL state:before SSL initialization (192.168.0.34)
 [300:root:a]SSL state:before SSL initialization (192.168.0.34)
 [300:root:a]no SNI received
 [300:root:a]client cert requirement: no
 [300:root:a]SSL state:SSLv3/TLS read client hello (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write server hello (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write certificate (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write key exchange (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write server done (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write server done:DH lib(192.168.0.34)
 [300:root:a]SSL_accept failed, 5:(null)
 [300:root:a]Destroy sconn 0x7f491c61e700, connSize=0. (root)
 dia deb disa
  
 FortiGate-VM64-KVM #
AEK
Honored Contributor

Basically you can do many, many things with an FGT physical appliance without a license; however, you can do almost nothing with an FGT VM without a license.
Debbie_FTNT
Staff

Hey ap6666,

A (maybe a bit stupid) question - I assume your FortiGate is using the default server certificate for SSLVPN?

Is it possible that at 40% you're getting a pop-up in FortiClient (this might only be in the background - check in your task bar if there's a second FortiClient tab) prompting you to trust the FortiGate's certificate?

I frequently have that issue when setting up new labs with SSLVPN: FortiClient gets stuck at 40%, and I need to manually click on FortiClient in the task bar to bring up the certificate warning and accept it.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ap6666

Thank you all,

It is a license issue.
