Error connecting to SSL VPN with Forticlient

Author: Fnilsen
2020/06/30 10:36:58


Sorry if this has been posted before, but I haven't found any solution in any existing posts.
 
I have just set up SSL-VPN on my FG100D with FortiOS 6.2.3 build 1066, but am having some issues when connecting with FortiClient 6.4.0.1464.
 
When getting to 80% it says: "unable to establish the vpn connection. the vpn server may be unreachable. (-14)"
 
I can log in to the web portal page with the same user/pass, so that should be OK. I have also tested with another user.
Users are created locally on the FW and added to a group "VPN_Local_Users".
 
Have also tested from multiple computers.
 
Any ideas?
 
See attached log file for more details: sslvpn-log.txt
 
#1
Yogesh
2020/06/30 21:50:25
Hi,
 
Is this issue on Windows OS? If so, did you check if TLS is enabled under Internet Options > Advanced Settings? 
 
Regards,
Yogesh
#2
Fnilsen
2020/07/01 00:19:34
Stupid error....
But if it helps someone else:
I forgot to enable Tunnel Mode...
 
SSL-VPN Portals - edit portal
-Disable Split Tunneling
-Enable Tunnel Mode
Source IP Pools: SSLVPN_TUNNEL-ADDR1
 
Now it works with my local test user.
 
Still getting exactly the same error when trying an LDAP user (have added the LDAP user group to the policy and mapped it to the portal etc.). Will start investigating. Tips are appreciated :)
#3
Fnilsen
2020/07/01 06:29:16
Update:
Not being able to log in with an AD user seems to be something with the username/CNI context.
 
My test AD user:
Firstname: Test
Lastname: Testing
username: Testuser
In OU: Testusers
 
Scenario 1:
FG LDAP config:
Common Name Identifier: cn
Distinguished Name: OU=Testusers,DC=test,DC=local
 
Try to login to Forticlient / Webportal
User: Test Testing  --  Login OK!
User: Testuser  --  Not OK (server unreachable (-14) blabla) or "access denied"
 
Scenario 2:
FG LDAP config:
Common Name Identifier: sAMAccountName
Distinguished Name: OU=Testusers,DC=test,DC=local
 
Try to login to Forticlient / Webportal
User: Test Testing  --  Not OK (server unreachable (-14) blabla) or "access denied"
User: Testuser  --  Not OK (server unreachable (-14) blabla) or "access denied"
 
Any ideas???
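To make the two scenarios above concrete, here is an added Python example (not code from the thread or from Fortinet) that simulates how a gateway-side LDAP user lookup resolves the typed login name: it builds the equality filter (<Common Name Identifier>=<username>) and searches a constructed, in-memory copy of the test AD user under the configured Distinguished Name. Everything in it (the directory entries, the helper names) is an assumption for illustration. By attribute matching alone, cn=Test Testing and sAMAccountName=Testuser are the only combinations that resolve; the failure reported for Testuser in Scenario 2 is therefore not explained by the name lookup itself, and the thread does not say what caused it.

```python
# Added example: simulate a gateway's LDAP user lookup against a constructed
# directory. Not the FortiGate implementation; the entries and helper names
# below are assumptions that mirror the test user described in the post.

# Constructed directory: one AD-style user in OU=Testusers under DC=test,DC=local.
# In AD the RDN/cn of a user object is normally the display name, while the
# logon name lives in sAMAccountName; that is why "Test Testing" and "Testuser"
# behave differently depending on the Common Name Identifier.
DIRECTORY = [
    {
        "dn": "CN=Test Testing,OU=Testusers,DC=test,DC=local",
        "cn": "Test Testing",
        "givenName": "Test",
        "sn": "Testing",
        "sAMAccountName": "Testuser",
    },
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a user-supplied value placed inside a search
    filter, so characters like '*' or ')' cannot change the filter's meaning.
    The backslash must be replaced first."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(raw, esc)
    return value


def ldap_filter(cnid: str, username: str) -> str:
    """Build the equality filter the gateway sends: (<cnid>=<username>)."""
    return f"({cnid}={escape_filter_value(username)})"


def lookup_user_dn(directory, base_dn: str, cnid: str, username: str):
    """Return the DN of the single entry below base_dn whose <cnid> attribute
    equals the typed username, or None. AD attribute matching is
    case-insensitive, so values are compared case-folded."""
    suffix = "," + base_dn.lower()
    matches = [
        entry["dn"]
        for entry in directory
        if entry["dn"].lower().endswith(suffix)
        and entry.get(cnid, "").lower() == username.lower()
    ]
    # Exactly one hit is required; zero or several means the login cannot be resolved.
    return matches[0] if len(matches) == 1 else None


def run_scenarios():
    """Replay Scenario 1 (cn) and Scenario 2 (sAMAccountName) for both login
    names and return {(cnid, username): resolved?}."""
    base = "OU=Testusers,DC=test,DC=local"
    results = {}
    for cnid in ("cn", "sAMAccountName"):
        for user in ("Test Testing", "Testuser"):
            results[(cnid, user)] = lookup_user_dn(DIRECTORY, base, cnid, user) is not None
    return results


if __name__ == "__main__":
    for (cnid, user), ok in run_scenarios().items():
        print(f"CNI={cnid:15} user={user!r:16} filter={ldap_filter(cnid, user):32} -> {'OK' if ok else 'no match'}")
```

The useful check when debugging this kind of mismatch is to run the same filter with an LDAP browser against the real directory: if the filter returns zero entries, the login name is being matched against the wrong attribute, not rejected by the password.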
#4
shehab
2020/07/13 13:04:35
Hello Friend,

If you are still having this issue, I have some hints for you; otherwise please share the solution if it was already resolved.
 
From the attached log, I can see you are using Forticlient on Windows machine.
 
Just check from your Firewall the ssl-min and max allowed protocols by using the following commands:
 
config firewall ssl-server
show full-configuration | grep ssl-min-version
show full-configuration | grep ssl-max-version
 
Then, according to the output, modify the registry of the PC by going to the following path:
 
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
 
Make sure you have the key of the protocol you have found from the first step, ( at least one match ).
 
If not, the client and the fortigate do not have a common protocol to handshake with.
 
Also, if you want to add a new ssl protocol (avoiding weak ones) you can create a key and define a DWORD Value named Enabled with a value of 1, then restart the pc and try the vpn.
 
I hope this will help you.
 
Regards,
Shehab
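As an added example of the check described in this reply (not code from the thread or from Fortinet), the Python below compares the version range a gateway accepts (its ssl-min-version / ssl-max-version values) with the protocols a Windows client has explicitly enabled under the SCHANNEL\Protocols key, and reports the overlap. On Windows it reads the live registry with winreg; elsewhere it falls back to a constructed snapshot so it runs offline. The version names follow the FortiOS style (tls-1.0, tls-1.2, ...); the snapshot contents and the helper names are assumptions.

```python
# Added example: find the SSL/TLS versions a gateway and a Windows client have
# in common. Not the gateway's or Windows' own code; the constructed snapshot
# and the function names are assumptions for illustration.
import sys

# Versions in protocol order. ssl-3.0 is listed only so a legacy-only setting is visible.
VERSIONS = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]

# Name of the SCHANNEL\Protocols subkey that controls each version.
SCHANNEL_KEYS = {
    "ssl-3.0": "SSL 3.0",
    "tls-1.0": "TLS 1.0",
    "tls-1.1": "TLS 1.1",
    "tls-1.2": "TLS 1.2",
    "tls-1.3": "TLS 1.3",
}
SCHANNEL_BASE = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Constructed client snapshot (assumption): only TLS 1.0 explicitly enabled,
# TLS 1.2 explicitly disabled, everything else absent (OS default applies).
CONSTRUCTED_CLIENT = {"tls-1.0": True, "tls-1.2": False}


def gateway_range(ssl_min: str, ssl_max: str):
    """Versions the gateway will negotiate, inclusive of both bounds."""
    lo, hi = VERSIONS.index(ssl_min), VERSIONS.index(ssl_max)
    if lo > hi:
        raise ValueError("ssl-min-version is above ssl-max-version")
    return VERSIONS[lo:hi + 1]


def read_schannel_client():
    """Windows only: return {version: enabled} for every Protocols\\<name>\\Client
    key that carries an Enabled value. A version with no key or no Enabled
    value is left out, meaning the operating-system default applies."""
    import winreg  # only importable on Windows

    out = {}
    for version, name in SCHANNEL_KEYS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"{SCHANNEL_BASE}\{name}\Client") as key:
                value, _ = winreg.QueryValueEx(key, "Enabled")
                out[version] = value != 0
        except OSError:
            continue
    return out


def common_versions(ssl_min: str, ssl_max: str, client: dict, absent_is_enabled: bool = False):
    """Versions inside the gateway range that the client can use. By default only
    an explicit Enabled=1 counts; pass absent_is_enabled=True to also count
    versions with no registry key, i.e. to trust the OS default."""
    chosen = []
    for version in gateway_range(ssl_min, ssl_max):
        state = client.get(version)
        if state is True or (state is None and absent_is_enabled):
            chosen.append(version)
    return chosen


def report(ssl_min: str, ssl_max: str, client: dict) -> str:
    """Human-readable summary: one line per version in the gateway range."""
    lines = [f"gateway accepts: {' '.join(gateway_range(ssl_min, ssl_max))}"]
    for version in gateway_range(ssl_min, ssl_max):
        state = client.get(version)
        label = "enabled" if state is True else "disabled" if state is False else "no key (OS default)"
        lines.append(f"  {version}: client {label}")
    overlap = common_versions(ssl_min, ssl_max, client)
    lines.append("common (explicitly enabled): " + (" ".join(overlap) if overlap else "NONE"))
    return "\n".join(lines)


if __name__ == "__main__":
    client = read_schannel_client() if sys.platform == "win32" else CONSTRUCTED_CLIENT
    # Gateway bounds as placeholders; substitute the values printed by the
    # show full-configuration commands from the reply above.
    print(report("tls-1.1", "tls-1.3", client))
```

When the overlap line reads NONE and the versions in range show "no key", the OS default decides whether the handshake succeeds; only explicit Enabled=0 entries (or a DisabledByDefault=1 value, which SCHANNEL also honours) are a definite mismatch.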