Fortigate SSL VPN issues – Forticlient
Posted by on January 25, 2018
Recently I had an issue with a SSL VPN user who could not connect to the Fortigate. This problem started after upgrading the Fortigate from a very old 5.2.3 to the latest 5.4 firmware – 5.4.7.
Everything went great with the upgrade,but the client would bomb out at 40 percent with “VPN server maybe unreachable” when attempting to connect. After some diagnostics on the firewall I found the user could authenticate, and reach the FW. I then debugged the SSL VPN application and found that the following logs appeared. Note – I changed the IP from the real to 1.1.1.1
[16143:root:2e2e] SSL state:before/accept initialization (1.1.1.1)
[16143:root:2e2e] SSL state:SSLv2/v3 read client hello A:(null) (1.1.1.1)
[16143:root:2e2e] SSL_accept failed, 1:unknown protocol
Unknown protocol .. hmmm. After some digging I found that before the upgrade the following protocols were allowed in the SSL-VPN settings in CLI.
Fortigate $ get vpn ssl settings
reqclientcert : disable
sslv2 : disable
sslv3 : disable
tlsv1-0 : enable
tlsv1-1 : enable
tlsv1-2 : enable
ssl-big-buffer : disable
ssl-insert-empty-fragment: enable
After the upgrade here are the settings
Fortigate $ get vpn ssl settings
reqclientcert : disable
sslv3 : disable
tlsv1-0 : disable
tlsv1-1 : enable
tlsv1-2 : enable
ssl-big-buffer : disable
ssl-insert-empty-fragment: enable
Notice that TSLV1-0 is disabled – this great for security as TLS 1 and 2 are much more secure than 0, but in this case the client was not trying to use 1-2 but only 0.
RESOLUTION
So the Forticlient is using the security settings within Internet Explorer. The fix was to make sure that IE supported the necessary protocols. On the client that was not working I opened up IE – went to settings, then to advanced. Check the settings out –
I enabled TLS 1.2 (you could also do 1.1) and and tried to reconnect – all worked great. Check out the debug after enabling:
[16143:root:2e39]SSL state:SSLv3 read client hello A (1.1.1.1)
[16143:root:2e39]SSL state:SSLv3 write server hello A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 write certificate A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 write key exchange A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 write server done A (1.1.1.1))
[16143:root:2e39]SSL state:SSLv3 flush data (1.1.1.1))
[16143:root:2e39]SSL state:SSL negotiation finished successfully (1.1.1.1)
[16143:root:2e39]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
thank you this is really works
This indeed solved my 5.2.9 to 5.4.3 issue. Also enabling TLS1.0 in the Fortigate does the trick too, but of course it would kind of defeat the purpose of a security based upgrade. Still if the majority of the hundreds of SSL VPN users are running old/ancient desktops that are incapable or running anything but TLS1.0, this would be the best approach.