Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: VPN Client stuck at 40% with certificate error
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Client stuck at 40% with certificate error
We had a PC with a working Forticlient setup that recently stopped working. It gets stuck at 40% with the error "The server you want to connect to request identification, please chose a certificate and try again (-5)." I've read all over the forum and I've already tried:
- Ensured Internet Options have TLS 1.0, 1.1 and 1.2 enabled.
- Uninstalled and reinstalled Forticlient using latest versions (7.01.0083)
- Tried to restore previously know good configuration
- Ensured there is no "hidden window" for certificate authorization*
The same credentials work on other PCs so the issue seems to be on one PC (have a second PC with similar symptoms but haven't triaged that one yet). From the "bad" PC, we've tried accessing multiple gateways, all get the same error. So there seems to be something awry with this PC. As far as I know we don't use any certificates, at least nothing didn't come preinstalled. It is possible when the problem first showed up that there was a popup window and we hit accidentally hit "no" on the certificate authorization, but I would have figured a clean uninstall / reinstall would have cleared that flag. It is almost like this PC corrupted itself in a way a fresh install didn't fix.
Any suggestions would be appreciated. We're at a loss here.
Labels:
- Labels:
-
FortiClient
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
28 REPLIES 28
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using LDAP or Local?
If LDAP you can try reset the password and try again.
Usually this is because of incorrect credential.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey MFahmi,
FYI, the same credentials work on at least three other machines (but we did reset the password anyway to no effect). There is something on this one PC that is somehow broken. The FortiClient VPN was used on a nearly daily basis for 2-3 years without issue, broke a few days ago, and hasn't worked since even with successive uninstall / install of FortiClient (with reboots in between for good measure), restoring configs from old working and from external machines, debug settings, etc.
The original error reported certificate issues, which from reading are sometimes masked as TLS version support issues. So I think I'm looking for something that could result in the same "certificate error" message from FortiClient, or some way the certificate is corrupted on this one machine.
Or I'm utterly confused, which is a nonzero possibility too.
John
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, having the same issue with multiple WIndows 11 machines. Background:
Use FGTs, 6.4.8 firmware. Forticlients ranging from 6.4.7 to 7.0.2.
Affected machines are running Windows 11. They all run well for a month or so, then after a random update cycle, the Forticlient stalls at 40% with no successful connections from that point on. Again, this isn't a random subset of Windows 11, this is ALL 3 machines that have been running Windows 11 (two were 10 to 11 upgrades, and my test machine is a clean install from ISO).
This was noted in the security logs:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {<redacted>}
EventID 5061
Version 0
Level 0
Task 12290
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2022-05-25T00:14:05.5675258Z
EventRecordID 885204
Correlation
- Execution
[ ProcessID] 1124
[ ThreadID] 8564
Channel Security
Computer <redacted>
Security
- EventData
SubjectUserSid S-1-5-21-<redacted>
SubjectUserName karnold
SubjectDomainName <redacted>
SubjectLogonId 0x102e73
ProviderName Microsoft Software Key Storage Provider
AlgorithmName RSA
KeyName te-VPNUser-<redacted>
KeyType %%2500
Operation %%2480
ReturnCode 0x80090016
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As for the Fortigate logs:
[280:root:1af]allocSSLConn:297 sconn 0x7f9fe63f00 (0:root)
[280:root:1af]SSL state:before SSL initialization (<redacted>)
[280:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[280:root:1af]SSL_accept failed, 5:(null)
[280:root:1af]Destroy sconn 0x7f9fe63f00, connSize=6. (root)
[281:root:1af]allocSSLConn:297 sconn 0x7f9fe79b00 (0:root)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[281:root:1af]SSL_accept failed, 5:(null)
[281:root:1af]Destroy sconn 0x7f9fe79b00, connSize=5. (root)
[282:root:1af]allocSSLConn:297 sconn 0x7fa0a1f600 (0:root)
[282:root:1af]SSL state:before SSL initialization (<redacted>)
[282:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[282:root:1af]SSL_accept failed, 5:(null)
[282:root:1af]Destroy sconn 0x7fa0a1f600, connSize=1. (root)
[283:root:1af]allocSSLConn:297 sconn 0x7f9fdc0a00 (0:root)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[283:root:1af]SSL_accept failed, 5:(null)
[283:root:1af]Destroy sconn 0x7f9fdc0a00, connSize=1. (root)
[284:root:1af]allocSSLConn:297 sconn 0x7f9fddcf00 (0:root)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[284:root:1af]SSL_accept failed, 5:(null)
[284:root:1af]Destroy sconn 0x7f9fddcf00, connSize=0. (root)
[285:root:1ae]allocSSLConn:297 sconn 0x7f9fd53100 (0:root)
[285:root:1ae]SSL state:before SSL initialization (<redacted>)
[285:root:1ae]SSL state:before SSL initialization:DH lib(<redacted>)
[285:root:1ae]SSL_accept failed, 5:(null)
[285:root:1ae]Destroy sconn 0x7f9fd53100, connSize=0. (root)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you look behind the FortiClient window for a "pop-under" with the cert warning?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No pop-ups. Goes to 40%, stalls, fails with the error:
The server you want to connect to requests identification, please choose a certificate and try again. (-5).
certificate was working prior to the updates, and you can see clearly in the login page it is selected.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Karnold,
I've been watching your posts with interest, but I don't have anything useful to add. I managed to get my computer up/running with the original OEM OS, but after installing the first update, forticlient goes back to 40% "please chose a certificate" error. Previously I'd been running fine for years and kept up to date with the latest OS updates until this issue happened.
If you do find a solution, please post it and let us (me) know. Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi there
same here, since yesterday afternoon the same issue. We can't login in our SSL VPN. I found out it has something to do with our domain users on our devices. If I login with an local user on the same notebook, it works. Maybe a policy, but can't figure which...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Were you guys able to fix this? We´re having the same issue with the only person in our organization that is using Windows 11.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ThiOliveria,
No, I have not found any real solution. When I reinstalled the OEM windows environment, Forticlient logged in without any issues as it had done for years earlier. However, the first windows update patch broke it again with the same error (40% progress, bad certification error). Unfortunately, the first update is a big one and hard to "back out" that patch without reinstalling the entire OS, so I've kept the machine alive living on the OEM image with all of its foibles.
I try to monitor the postings looking for a fix, but so far I've not see anything. Please share if you find any leads.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Certificate error message when device is... 139 Views
- ForticlientVPN - Permission denied (-455) 372 Views
- Issues with IPsec VPN and RTSP... 187 Views
- Inspeccion SSL bloquea drive.google.com 189 Views
- certificate for FGFM protocol - Error... 343 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.