Support Forum
johna-eximiusdesign
New Contributor

VPN Client stuck at 40% with certificate error

We had a PC with a working FortiClient setup that recently stopped working. It gets stuck at 40% with the error "The server you want to connect to requests identification, please choose a certificate and try again (-5)." I've read all over the forum and I've already tried:

- Ensured Internet Options have TLS 1.0, 1.1 and 1.2 enabled.
- Uninstalled and reinstalled FortiClient using the latest version (7.01.0083)
- Tried to restore a previously known good configuration
- Ensured there is no "hidden window" for certificate authorization*


The same credentials work on other PCs so the issue seems to be on one PC (we have a second PC with similar symptoms but haven't triaged that one yet). From the "bad" PC, we've tried accessing multiple gateways, and all get the same error. So there seems to be something awry with this PC. As far as I know we don't use any certificates, at least nothing that didn't come preinstalled. It is possible that when the problem first showed up there was a popup window and we accidentally hit "no" on the certificate authorization, but I would have figured a clean uninstall / reinstall would have cleared that flag. It is almost like this PC corrupted itself in a way a fresh install didn't fix.


Any suggestions would be appreciated. We're at a loss here.

MFahmi
New Contributor

Are you using LDAP or Local?

If LDAP, you can try resetting the password and try again.

Usually this is because of incorrect credentials.

johna-eximiusdesign

Hey MFahmi,


FYI, the same credentials work on at least three other machines (but we did reset the password anyway to no effect). There is something on this one PC that is somehow broken. The FortiClient VPN was used on a nearly daily basis for 2-3 years without issue, broke a few days ago, and hasn't worked since even with successive uninstall / install of FortiClient (with reboots in between for good measure), restoring configs from old working and from external machines, debug settings, etc.


The original error reported certificate issues, which from reading are sometimes masked as TLS version support issues. So I think I'm looking for something that could result in the same "certificate error" message from FortiClient, or some way the certificate is corrupted on this one machine.


Or I'm utterly confused, which is a nonzero possibility too.


John

karnold
New Contributor

So, having the same issue with multiple Windows 11 machines. Background:

Use FGTs, 6.4.8 firmware. FortiClients ranging from 6.4.7 to 7.0.2.

Affected machines are running Windows 11. They all run well for a month or so, then after a random update cycle, the FortiClient stalls at 40% with no successful connections from that point on. Again, this isn't a random subset of Windows 11, this is ALL 3 machines that have been running Windows 11 (two were 10 to 11 upgrades, and my test machine is a clean install from ISO).


This was noted in the security logs:

System
  Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {<redacted>}
  EventID 5061
  Version 0
  Level 0
  Task 12290
  Opcode 0
  Keywords 0x8010000000000000
  TimeCreated
    [ SystemTime] 2022-05-25T00:14:05.5675258Z
  EventRecordID 885204
  Correlation
  Execution
    [ ProcessID] 1124
    [ ThreadID] 8564
  Channel Security
  Computer <redacted>
  Security
EventData
  SubjectUserSid S-1-5-21-<redacted>
  SubjectUserName karnold
  SubjectDomainName <redacted>
  SubjectLogonId 0x102e73
  ProviderName Microsoft Software Key Storage Provider
  AlgorithmName RSA
  KeyName te-VPNUser-<redacted>
  KeyType %%2500
  Operation %%2480
  ReturnCode 0x80090016

karnold
New Contributor

As for the Fortigate logs:


[280:root:1af]allocSSLConn:297 sconn 0x7f9fe63f00 (0:root)
[280:root:1af]SSL state:before SSL initialization (<redacted>)
[280:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[280:root:1af]SSL_accept failed, 5:(null)
[280:root:1af]Destroy sconn 0x7f9fe63f00, connSize=6. (root)
[281:root:1af]allocSSLConn:297 sconn 0x7f9fe79b00 (0:root)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[281:root:1af]SSL_accept failed, 5:(null)
[281:root:1af]Destroy sconn 0x7f9fe79b00, connSize=5. (root)
[282:root:1af]allocSSLConn:297 sconn 0x7fa0a1f600 (0:root)
[282:root:1af]SSL state:before SSL initialization (<redacted>)
[282:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[282:root:1af]SSL_accept failed, 5:(null)
[282:root:1af]Destroy sconn 0x7fa0a1f600, connSize=1. (root)
[283:root:1af]allocSSLConn:297 sconn 0x7f9fdc0a00 (0:root)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[283:root:1af]SSL_accept failed, 5:(null)
[283:root:1af]Destroy sconn 0x7f9fdc0a00, connSize=1. (root)
[284:root:1af]allocSSLConn:297 sconn 0x7f9fddcf00 (0:root)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[284:root:1af]SSL_accept failed, 5:(null)
[284:root:1af]Destroy sconn 0x7f9fddcf00, connSize=0. (root)
[285:root:1ae]allocSSLConn:297 sconn 0x7f9fd53100 (0:root)
[285:root:1ae]SSL state:before SSL initialization (<redacted>)
[285:root:1ae]SSL state:before SSL initialization:DH lib(<redacted>)
[285:root:1ae]SSL_accept failed, 5:(null)
[285:root:1ae]Destroy sconn 0x7f9fd53100, connSize=0. (root)

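As an added triage helper (not part of this thread or of Fortinet's tooling), this Python script groups sslvpn debug lines like those above by connection id and flags handshakes in which the FortiGate sent a certificate request and then failed without ever reading a client certificate. The sample log is constructed, and the "read client certificate" marker it looks for is the OpenSSL state string a successful client-cert exchange produces, which never appears in the log posted above.

```python
import re
from collections import OrderedDict

# Constructed sample shaped like the FortiGate sslvpn debug lines quoted above
# (hostname replaced; the state strings are the ones OpenSSL emits).
SAMPLE_LOG = """\
[280:root:1af]allocSSLConn:297 sconn 0x7f9fe63f00 (0:root)
[280:root:1af]SSL state:before SSL initialization:DH lib(example)
[280:root:1af]SSL_accept failed, 5:(null)
[281:root:1af]allocSSLConn:297 sconn 0x7f9fe79b00 (0:root)
[281:root:1af]got SNI server name: vpn-aus.example.test realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS write certificate request (example)
[281:root:1af]SSL state:SSLv3/TLS write finished (example)
[281:root:1af]SSL state:TLSv1.3 early data:DH lib(example)
[281:root:1af]SSL_accept failed, 5:(null)
[282:root:1af]got SNI server name: vpn-aus.example.test realm (null)
[282:root:1af]client cert requirement: yes
[282:root:1af]SSL state:SSLv3/TLS write certificate request (example)
[282:root:1af]SSL state:SSLv3/TLS read client certificate (example)
"""

LINE_RE = re.compile(r"^\[(\d+):[^\]]*\](.*)$")  # "[<conn>:<vdom>:<hex>]<message>"


def parse_connections(log_text):
    """Group sslvpn debug messages by the leading connection id."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.setdefault(int(m.group(1)), []).append(m.group(2))
    return conns


def classify(messages):
    """Label one connection by how far the TLS handshake got before it died."""
    text = "\n".join(messages)
    if "SSL_accept failed" not in text:
        return "ok"
    if "got SNI server name" not in text:
        return "failed-before-client-hello"  # nothing parsed yet: probe or TLS mismatch
    asked = "client cert requirement: yes" in text and "write certificate request" in text
    if asked and "read client certificate" not in text:
        return "client-cert-missing"  # server asked for a cert, client never sent one
    return "failed-other"


def triage(log_text):
    """Map every connection id in the log to its verdict."""
    return {cid: classify(msgs) for cid, msgs in parse_connections(log_text).items()}
```

On the Windows side, ReturnCode 0x80090016 in the event 5061 quoted earlier is NTE_BAD_KEYSET (keyset does not exist), meaning the Key Storage Provider could not open the private key named in KeyName; that is the client-side counterpart of a handshake that dies right after the certificate request.
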
jimsokol
New Contributor III

Did you look behind the FortiClient window for a "pop-under" with the cert warning?

karnold

No pop-ups. Goes to 40%, stalls, fails with the error:

The server you want to connect to requests identification, please choose a certificate and try again. (-5).

The certificate was working prior to the updates, and you can see clearly in the login page that it is selected.

johna-eximiusdesign

Hi Karnold,


I've been watching your posts with interest, but I don't have anything useful to add. I managed to get my computer up and running with the original OEM OS, but after installing the first update, FortiClient goes back to the 40% "please choose a certificate" error. Previously I'd been running fine for years and kept up to date with the latest OS updates until this issue happened.


If you do find a solution, please post it and let us (me) know. Thanks!


padi

Hi there,

Same here, since yesterday afternoon the same issue. We can't log in to our SSL VPN. I found out it has something to do with our domain users on our devices. If I log in with a local user on the same notebook, it works. Maybe a policy, but I can't figure out which...

ThiOliveira
New Contributor

Were you guys able to fix this? We're having the same issue with the only person in our organization who is using Windows 11.

johna-eximiusdesign

Hi ThiOliveira,


No, I have not found any real solution. When I reinstalled the OEM Windows environment, FortiClient logged in without any issues, as it had done for years earlier. However, the first Windows update patch broke it again with the same error (40% progress, bad certificate error). Unfortunately, the first update is a big one and it is hard to "back out" that patch without reinstalling the entire OS, so I've kept the machine alive living on the OEM image with all of its foibles.


I try to monitor the postings looking for a fix, but so far I've not seen anything. Please share if you find any leads.