johna-eximiusdesign
New Contributor

VPN Client stuck at 40% with certificate error

We had a PC with a working Forticlient setup that recently stopped working. It gets stuck at 40% with the error "The server you want to connect to request identification, please chose a certificate and try again (-5)." I've read all over the forum and I've already tried:

- Ensured Internet Options have TLS 1.0, 1.1 and 1.2 enabled.

- Uninstalled and reinstalled Forticlient using latest versions (7.01.0083)

- Tried to restore previously known good configuration

- Ensured there is no "hidden window" for certificate authorization*

 

The same credentials work on other PCs so the issue seems to be on one PC (have a second PC with similar symptoms but haven't triaged that one yet). From the "bad" PC, we've tried accessing multiple gateways, all get the same error. So there seems to be something awry with this PC. As far as I know we don't use any certificates, at least nothing didn't come preinstalled. It is possible when the problem first showed up that there was a popup window and we accidentally hit "no" on the certificate authorization, but I would have figured a clean uninstall / reinstall would have cleared that flag. It is almost like this PC corrupted itself in a way a fresh install didn't fix.

 

Any suggestions would be appreciated. We're at a loss here.

 

 

karnold

I apologize on the necro-bump here, but it's been an outstanding issue.  Opened a ticket with Fortigate, and they've pushed the issue back on us.  The issue seems to be how Windows 11 stores its private keys.  Instead of keeping them locally, they're stored in AD, and are periodically synced with the OS.  If you don't check into AD for a period of time (or if your OS is patched) the keys require refreshing, and until they check back in, the cert won't work with Forticlient. Can't really blame Fortinet for the Microsoft change in behavior, but something needs to get changed to fix this issue, else we're blocked from Windows 11.

celliott
New Contributor

Upgraded from 6.4.8 to 6.4.9 FOS to fix a bug and am experiencing the same issue as described here. We are using SAML for login with no certificate requirement. Randomly has the error about the cert, sometimes saying VPN server unreachable, sometimes just stalls at 98% and silently fails. Open case with Fortinet but not sure where it will end up.

vforti

Hi,

 

Did you ever get a reply from Fortinet?

We tried various client versions of the 6 and 7 branch, but could not find one that works reliably.

 

We found that if one repeats the connection attempts, one eventually gets connected.

 

Thank you

muhammad-amjad
New Contributor

I have the solution to this issue. Follow the steps to fix the stuck issue and share with everyone.

Installed the offline FortiClient FortiClientVPNSetup_6.4.5.1657_x64 and tried; the stuck issue is not coming after these steps.


alex22207
New Contributor

I realize this is an old post, but I recently had a similar problem and I'll add my solution as it may benefit others.  I'm running Forticlient version 7.2.4.0972 on Windows 11.  The difference between this case and mine is that I received an unwanted certificate popup. 

 

What solved the issue for me was deleting my personal certificates from the Windows certificate store.  Even though I had not selected the option to authenticate with certificates, it appears that the Forticlient software was enforcing the certificate popup when it found certs in the Windows cert store.  The only certs I needed to delete were in my "Personal" certificate store, and they were also visible in the certificate dropdown of the Forticlient VPN setup interface.  When I deleted the certs, they were no longer visible in the setup dropdown and the authentication completed successfully. 

 

I believe this is a bug, and I hope it gets fixed in future releases.
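
An added example (not part of the post above and not Fortinet tooling): a read-only PowerShell inventory of the current user's "Personal" store, to see which certificates a client-certificate prompt could offer before anything is deleted. Treating "has a private key and permits Client Authentication" as the selection criterion is an assumption, as are the helper name and the optional backup folder.

```powershell
# Added example: read-only inventory of the current user's "Personal" (My) store.
# Assumption: a certificate can be offered for client authentication when it has
# a private key and either no EKU extension or the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCandidate {      # hypothetical helper name
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [string]$BackupDir                # optional: save a public-only .cer copy
    )
    if ($BackupDir) { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect EKU OIDs straight from the X.509 extension (empty if absent).
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $clientAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $ClientAuthOid)

        if ($BackupDir) {
            # Export-Certificate writes the certificate only, never the private key.
            $file = Join-Path $BackupDir ($cert.Thumbprint + '.cer')
            Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
        }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Expired       = $cert.NotAfter -lt (Get-Date)
            HasPrivateKey = $cert.HasPrivateKey
            Candidate     = $cert.HasPrivateKey -and $clientAuth
        }
    }
}

# Certificates likely to show up in a client-certificate dropdown, oldest expiry first.
Get-ClientAuthCandidate |
    Where-Object Candidate |
    Sort-Object NotAfter |
    Format-List Thumbprint, Subject, Issuer, NotAfter, Expired
```

The `.cer` backup does not contain the private key, so a deleted certificate has to be re-issued or re-imported from a PFX to get it back.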

Catinator

Amazing, thank you so much for this. I wish Fortinet would communicate this fix to customers so we don't have to rely on the good will of community forum members.

mayank01

Hi, did you remove only the FCT certificate or all the personal certificates?

Asser

Hi,

Thank you for this. It helped me to find this kind of solution:

Good old registry hack:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn

create or edit these three (3) REG_DWORD:

DisallowInvalidServerCert   0

no_warn_invalid_cert          0

show_auth_cert_only          1
