miguel_almeida
New Contributor

Forticlient - SSL VPN Error (-14)

Hello,

I have a corporate LAN/Wifi network and I have some users who need to connect to another site in the company via SSL VPN (I can't do direct VPN with the other site). Within my corporate network they cannot make the connection; it always gives the error: "Unable to establish VPN connection. The VPN server may be unreachable. (-14)". It stops at 80%.

Attempting to connect via an external network works without problems. Something is blocking the connection on my network but I still haven't figured it out. Any idea how I can test the various hypotheses?

Fortigate 101E:

FortiOS v6.0.6 build0272

Forticlient: 6.2.2.0877

Thank you

Toshi_Esumi
SuperUser

Explain more clearly the relation between your "corporate network" and "another site", then which side has the FG101E ("another site"? If not, how do you get to "another site" from the 101E?). And what is the auth method for SSL VPN users?

miguel_almeida

Hello Toshi,

My site has the Fortigate 101E and the other site has a Fortigate 90D (I think). I am using my corporate network to connect through forticlient. Authentication/authorization for SSL VPN (port 443) is by LDAP server.

When I connect the forticlient it asks to authorize the certificate but then gives the error at 80%. My question is, is my fortigate blocking any traffic or port? I am not using any particular block.

To have Internet in my fortigate (wan connection), I have a "home" ISP router with dynamic DNS.

Toshi_Esumi

But those SSL VPN attempts go through your 101E to get to the 90D to be terminated at. Is the LDAP server you're talking about located at the "another site"? Your local 101E can't do much to contribute to the problem because SSL VPN traffic is just outgoing TCP 443 (unless you or somebody changed it on the 90D) like any internet browsing.

The problem must be on the 90D side. First, check "config vpn ssl settings" to see if multiple profiles are configured. Then you probably need to run "diag debug app sslvpn -1" on the 90D then compare between accessing from the internet and accessing from your office.

scerazy
New Contributor III

That article is rubbish for this error

-14 means most likely that user is in a group that does not have Tunnel access configured for SSL Portal

boneyard
Valued Contributor

the article isn't that bad on itself, but the title is confusing as error -14 pops up for so many things. the one you mentioned but also several others. best would be if the developers don't add the text, but just use -14 generic error, because that is what it is.

for that article you could reach out to the documentation team and ask them to add some lines.

hisham211
New Contributor

I had the same exact issue. Internal client can connect to remote Fortigate from an un-secured WiFi but could not connect from behind my Fortigate 60F. My scenario is as follows:

my fortigate - 60F running fortiOS 6.2.3

my internal client - Windows 10 running forticlient 6.2.6.0951

end point fortigate - 300E running fortiOS 6.2.3

temporary solution was to disable SSL inspection on my end. now i'm going to work on a permanent solution with the remote network admin.
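
One way to test the hypotheses raised in this thread from a client inside the LAN, as an added example that is not part of any post: it separates "TCP 443 is unreachable" from "the TLS session is terminated by an inspecting device" by comparing the certificate seen on the path with a fingerprint recorded from an external network. The host name `vpn.example.com`, the function names and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER certificate the peer presents, without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # fingerprints are compared below instead
    ctx.verify_mode = ssl.CERT_NONE  # a re-signed cert must not abort the probe
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def diagnose(host, baseline_fp, port=443, fetch=fetch_leaf_der):
    """Classify the path to the SSL VPN gateway.

    baseline_fp is the fingerprint recorded from a network where the VPN works.
    Returns 'unreachable' (TCP failed), 'tls-failed' (handshake failed),
    'intercepted' (a different certificate is presented on this path) or
    'direct' (the gateway's own certificate is seen).
    """
    try:
        der = fetch(host, port)
    except ssl.SSLError:             # subclass of OSError, so check it first
        return "tls-failed"
    except OSError:                  # refused, timed out, no route, DNS failure
        return "unreachable"
    expected = baseline_fp.replace(":", "").lower()
    # A mismatch also occurs if the gateway's certificate was replaced since
    # the baseline was taken, so record the baseline shortly before testing.
    return "direct" if fingerprint(der) == expected else "intercepted"


if __name__ == "__main__":
    # Constructed sample bytes standing in for real certificates (offline demo).
    gateway_cert = b"constructed-gateway-certificate"
    resigned_cert = b"constructed-certificate-from-inspecting-firewall"
    baseline = fingerprint(gateway_cert)
    print(diagnose("vpn.example.com", baseline, fetch=lambda h, p: gateway_cert))
    print(diagnose("vpn.example.com", baseline, fetch=lambda h, p: resigned_cert))
```

Run `fingerprint(fetch_leaf_der(host))` once from the external network to obtain the baseline, then call `diagnose(host, baseline)` from inside the LAN.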
