recently I found a pretty nice error 🙂 at the FortiGate SSLVPN Client. I know some of the errors, Connecting Error (40) I didn’t see before.
After I tried to connect, I received at state „Connecting… (40)“ – „Unable to establish the VPN connection. The VPN server may be unreachable. (-5)“ But what happens?
Google presents many of Blog which presents a solution without the understanding behind them why the solution is working ? in this case, it’s a workaround. I tried from MTU change to IPS Service reboot everything but nothing helps. An MTU change sounds to be a workaround of an MTU Path Discovery Issue. The IPS Service could be a FortiGate overload issue, but all of the points don’t describe the real reason, why it’s not functioning. Let’s try to find out, what’s the real problem is.
The first steps i do were :
– Check if the SSLVPN Port is open via telnet 10443 „Connecting… (10)“ – OK
– When the Port is open, the SSLVPN service is reachable, up and running.
What happens at state 40 ?
=> SSL/TLS Certificate Check
Which settings use Fortinet FortiGate SSLVPN Client ?
=> Microsoft Internet Explorer
Which settings should be set at Microsoft Internet Explorer ?
=> TLS 1.0
Which Operating System is used ?
=> Microsoft Windows XP
Which SSL/TLS Protocol does Microsoft Windows XP support ?
=> SSLv2 – unsecure (disabled)
=> SSLv3 – unsecure (disabled)
=> TLS1.0 – Problem because maximal TLS 1.0
Which SSL/TLS Protocols does FortiGate Firewall support ?
FortiGate # get vpn ssl settings | grep tls tlsv1-0 : disable tlsv1-1 : enable tlsv1-2 : enable dtls-tunnel : enable
FortiGate # config vpn ssl settings FortiGate (settings) # set tlsv1-0 enable FortiGate (settings) # end
FortiGate # get vpn ssl settings | grep tls tlsv1-0 : enable tlsv1-1 : enable tlsv1-2 : enable dtls-tunnel : enable
Try to connect…
It looks like to be a real solution because the real issue is located. In this case, it is possible to use an Operating System which supports TLS 1.1 and 1.2 or to activate TLS 1.0 at the FortiGate Firewall. It’s your choice.
Version 5.4.3 change the ciphers automaticly to high !
Lets debug the SSL VPN service.
FortiGate # diagnose debug application sslvpn -1 FortiGate # diagnose debug enable
Start SSL-VPN Connection
[75:root:61]Destroy sconn 0x329ae300, connSize=0. (root) [75:root:62]allocSSLConn:264 sconn 0x32914300 (0:root) [75:root:62]SSL state:before/accept initialization (220.127.116.11) [75:root:62]SSL state:fatal handshake failure (18.104.22.168) [75:root:62]SSL state:error:(null)(22.214.171.124) [75:root:62]SSL state:error:(null)(126.96.36.199) [75:root:62]SSL_accept failed, 1:no shared cipher [75:root:62]Destroy sconn 0x32914300, connSize=0. (root) [75:root:63]allocSSLConn:264 sconn 0x329ca300 (0:root) [75:root:63]SSL state:before/accept initialization (188.8.131.52) [75:root:63]SSL_accept returned 0.
„no shared chipher“, let’s go to change that.
FortiGate # config vpn ssl settings FortiGate (settings) # set algorithm medium FortiGate (settings) # end
Try again and „Tadaa“, again !!!
Thumbs up, if you could resolve your issue by this article and write something into the commentary 😉 Thanks in advance!