Fortigate SSL VPN issues – Forticlient

Recently I had an issue with a SSL VPN user who could not connect to the Fortigate. This problem started after upgrading the Fortigate from a very old 5.2.3 to the latest 5.4 firmware – 5.4.7.

Everything went great with the upgrade,but the client would bomb out at 40 percent with “VPN server maybe unreachable” when attempting to connect. After some diagnostics on the firewall I found the user could authenticate, and reach the FW. I then debugged the SSL VPN application and found that the following logs appeared. Note – I changed the IP from the real to

[16143:root:2e2e] SSL state:before/accept initialization (
[16143:root:2e2e] SSL state:SSLv2/v3 read client hello A:(null) (
[16143:root:2e2e] SSL_accept failed, 1:unknown protocol

Unknown protocol .. hmmm. After some digging I found that before the upgrade the following protocols were allowed in the SSL-VPN settings in CLI.

Fortigate $ get vpn ssl settings
reqclientcert : disable
sslv2 : disable
sslv3 : disable
tlsv1-0 : enable
tlsv1-1 : enable
tlsv1-2 : enable
ssl-big-buffer : disable
ssl-insert-empty-fragment: enable

After the upgrade here are the settings

Fortigate $ get vpn ssl settings
reqclientcert : disable
sslv3 : disable
tlsv1-0 : disable
tlsv1-1 : enable
tlsv1-2 : enable
ssl-big-buffer : disable
ssl-insert-empty-fragment: enable

Notice that TSLV1-0 is disabled – this great for security as TLS 1 and 2 are much more secure than 0, but in this case the client was not trying to use 1-2 but only 0.


So the Forticlient is using the security settings within Internet Explorer. The fix was to make sure that IE supported the necessary protocols. On the client that was not working I opened up IE – went to settings, then to advanced. Check the settings out –


I enabled TLS 1.2 (you could also do 1.1) and and tried to reconnect – all worked great. Check out the debug after enabling:


[16143:root:2e39]SSL state:SSLv3 read client hello A (
[16143:root:2e39]SSL state:SSLv3 write server hello A (
[16143:root:2e39]SSL state:SSLv3 write certificate A (
[16143:root:2e39]SSL state:SSLv3 write key exchange A (
[16143:root:2e39]SSL state:SSLv3 write server done A (
[16143:root:2e39]SSL state:SSLv3 flush data (
[16143:root:2e39]SSL state:SSL negotiation finished successfully (
[16143:root:2e39]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

2 responses to “Fortigate SSL VPN issues – Forticlient

  1. gr February 21, 2019 at 9:55 am

    thank you this is really works

  2. Andrew February 29, 2020 at 6:58 pm

    This indeed solved my 5.2.9 to 5.4.3 issue. Also enabling TLS1.0 in the Fortigate does the trick too, but of course it would kind of defeat the purpose of a security based upgrade. Still if the majority of the hundreds of SSL VPN users are running old/ancient desktops that are incapable or running anything but TLS1.0, this would be the best approach.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: