Recently I had an issue with a SSL VPN user who could not connect to the Fortigate. This problem started after upgrading the Fortigate from a very old 5.2.3 to the latest 5.4 firmware – 5.4.7.
Everything went great with the upgrade,but the client would bomb out at 40 percent with “VPN server maybe unreachable” when attempting to connect. After some diagnostics on the firewall I found the user could authenticate, and reach the FW. I then debugged the SSL VPN application and found that the following logs appeared. Note – I changed the IP from the real to 1.1.1.1
Notice that TSLV1-0 is disabled – this great for security as TLS 1 and 2 are much more secure than 0, but in this case the client was not trying to use 1-2 but only 0.
RESOLUTION
So the Forticlient is using the security settings within Internet Explorer. The fix was to make sure that IE supported the necessary protocols. On the client that was not working I opened up IE – went to settings, then to advanced. Check the settings out –
I enabled TLS 1.2 (you could also do 1.1) and and tried to reconnect – all worked great. Check out the debug after enabling:
[16143:root:2e39]SSL state:SSLv3 read client hello A (1.1.1.1)
[16143:root:2e39]SSL state:SSLv3 write server hello A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 write certificate A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 write key exchange A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 write server done A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 flush data (1.1.1.1)) [16143:root:2e39]SSL state:SSL negotiation finished successfully (1.1.1.1) [16143:root:2e39]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Recent Comments