NothingKai
New Contributor

Error Forticlient stop 80%

Hi Guy,

 

I have an error about forticlient:

 

Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12)

 

I am sure the username and pass are right.

 

My 100D ver: v5.4.3,build1111 (GA) 

Forticlient ver: 5.4.2.0860

 

Thanks for help.

 

1 Solution
andrew1
New Contributor II

Hi,

I have solved this issue many times on Windows 2016 Server by adding the exact URL (also include custom port if needed - e.g. https://mysslvpn.domain.dom:10443) for the SSL VPN to the Trusted Sites list in Internet Options (from IE or by running "inetcpl.cpl"). Of course you need to add the URL for every SSL VPN you want to connect to.

This happens even when IE is not the default browser.

 

In all my instances of this issue, I also found out I could check this issue by opening the SSL VPN URL with Internet Explorer. Every time I could not connect to the SSL VPN in Web Mode from Internet Explorer (it displays "This page can't be displayed"), FortiClient was also failing just like the OP describes. (The Web Mode was working just fine on Chrome or Firefox.) The opposite was also true: when IE logged into the Web Mode, FCT was working.

(Of course Web Mode must be enabled for the relevant SSL-VPN Portal for this test to make sense.)

 

I also found this issue on a server with Trusted Sites locked by Group Policy - so I couldn't add a new entry. In the end I was able to solve the issue by resetting Internet Options:

(also see attached image)

  • run Internet Options (inetcpl.cpl)
  • select the "Advanced" tab
  • Click on the "Reset..." button
  • flag "Delete personal settings" (I did that - don't know if it is needed)
  • Click "Reset"

Summing it up, it is clear that something inside Internet Options is the culprit, but I wasn't able to pinpoint what exactly.

Fortinet support says that FortiClient is designed to take settings from Internet Options. At this point I'd like to know exactly what parameters are in use (I guess I can't ask support because I don't have a valid FortiClient support contract at the moment).

To anyone having this issue, I'd still recommend trying to add the SSL VPN URL to the Trusted Sites before resetting.

Please note that I am using the default certificate for the SSL VPN - but I believe this makes no difference (beyond all the expected warnings).

-a
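
A read-only PowerShell check for the situation described in the answer above, added here as an example (it is not part of andrew1's post and not a Fortinet tool): it lists the Internet Options zone-map entries that cover the SSL VPN host and shows whether each comes from user settings or from Group Policy. It assumes the standard Internet Explorer zone-map registry locations, takes the sample URL from the post as its default, and does not cover IP-address sites stored under `ZoneMap\Ranges`.

```powershell
# Added example, not from the thread. Read-only: it changes no settings.
param([string]$VpnUrl = 'https://mysslvpn.domain.dom:10443')  # sample URL from the post

$vpnHost   = ([uri]$VpnUrl).Host
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$user   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneMapEntry {
    param([string]$Root, [string]$Source)
    if (-not (Test-Path -Path $Root)) { return }
    $rootName = (Get-Item -Path $Root).Name
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        # Keys are nested as <domain>\<subdomain>; the host name is subdomain.domain
        $parts = $_.Name.Substring($rootName.Length).Trim('\').Split('\')
        [array]::Reverse($parts)
        $entryHost = $parts -join '.'
        foreach ($scheme in $_.GetValueNames()) {   # value name = scheme, or * for any
            [pscustomobject]@{
                Source = $Source; Host = $entryHost; Scheme = $scheme
                Zone   = $zoneNames[[int]$_.GetValue($scheme)]
            }
        }
    }
}

$found = foreach ($hive in 'HKCU:', 'HKLM:') {
    # EscDomains is used instead of Domains when IE Enhanced Security Configuration is on
    foreach ($k in 'Domains', 'EscDomains') {
        Get-ZoneMapEntry "$hive\$user\ZoneMap\$k"   "$hive user ($k)"
        Get-ZoneMapEntry "$hive\$policy\ZoneMap\$k" "$hive policy ($k)"
    }
    # Group Policy "Site to Zone Assignment List": value name = site, data = zone number
    $listKey = "$hive\$policy\ZoneMapKey"
    if (Test-Path -Path $listKey) {
        $key = Get-Item -Path $listKey
        foreach ($site in $key.GetValueNames()) {
            [pscustomobject]@{ Source = "$hive policy list"; Host = $site; Scheme = '(in name)'
                               Zone   = $zoneNames[[int]$key.GetValue($site)] }
        }
    }
}

# Keep entries for the VPN host itself or for a parent domain of it
$found | Where-Object {
    $h = $_.Host -replace '^[a-z]+://', '' -replace '^\*\.', '' -replace '[:/].*$', ''
    $vpnHost -eq $h -or $vpnHost -like "*.$h"
} | Format-Table -AutoSize
```

No output means no zone-map entry covers the host; rows whose Source contains "policy" are set by Group Policy and cannot be changed from the Internet Options dialog.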

    Toshi_Esumi
    Esteemed Contributor III

    It's almost impossible to get (-12) error without user name/password mismatch. Is this IPSec VPN or SSL VPN? Is it a local user or a remote server user (RADIUS, LDAP, TACACS+)? Can you try configuring another simple user/pass into the same user group then test?

    NothingKai

    toshiesumi wrote:

    It's almost impossible to get (-12) error without user name/password mismatch. Is this IPSec VPN or SSL VPN? Is it a local user or a remote server user (RADIUS, LDAP, TACACS+)? Can you try configuring another simple user/pass into the same user group then test?

    Yes, I log in with an account server user (FSSO).

    But I tried creating 1 account on fortinet; it's still the same error.

    Toshi_Esumi
    Esteemed Contributor III

    What is the account server's log saying? Is it even receiving queries? If you don't see anything on the server side, you probably need to run:

       diag debug app fnbamd -1

    to see all interactions your FG is attempting/or not attempting with the server.

     

    For the local user this wouldn't work so you likely need to debug application either "sslvpn" (if SSL VPN) or "ike" (if IPSec VPN).

    NothingKai

    toshiesumi wrote:

    What is the account server's log saying? Is it even receiving queries? If you don't see anything on the server side, you probably need to run:

       diag debug app fnbamd -1

    to see all interactions your FG is attempting/or not attempting with the server.

     

    For the local user this wouldn't work so you likely need to debug application either "sslvpn" (if SSL VPN) or "ike" (if IPSec VPN).

    Thanks for help,

     

    I use SSL VPN.

    I tried connecting with FortiClient 4.1.

    It's ok. No problem.


    adogra
    New Contributor

    @andrew, thanks, your fix worked for me too. Cheers, man!

    ITadm
    New Contributor II

    Sorry for digging this topic out, but I've just had the same problem with SSL VPN with just one user. I figured out that the reason was adding this specific user to firewall policy. When I added whole user group everything was working again. Idk if it's a bug or feature, but I didn't want to create a separate topic for it. Maybe this will help somebody.

    lee_chaeheon

    I think you missed the setting for 'Authentication/Portal Mapping'.

    Try mapping the user account & portal.

    Bert1

    Any update on this? I was unable to connect so I installed version 6.0 of the client and it worked fine. Then, at the end of the day, I packed up my stuff and went to my hotel (I'm on the road). When I tried to connect from the hotel, no joy. I figured that it might be an outgoing port block on the hotel's network so I just left it. When I got back to the office again this morning, I still can't connect. I get to 80% and get that (-12) error. This is infuriating :( There is no one in my office so the Fortinet firewall can't have had its configuration changed without my knowledge.
