Dec 14, 2016
162157 Views

FortiGate SSLVPN – Connecting… (40) – Unable to establish the VPN connection. The VPN server may be unreachable. (-5)


Hello everyone,

recently I ran into a pretty nice error 🙂 in the FortiGate SSL VPN client. I know some of its errors, but Connecting error (40) I had not seen before.

After trying to connect, I got stuck at state „Connecting… (40)“ with the message „Unable to establish the VPN connection. The VPN server may be unreachable. (-5)“. But what actually happens there?

Google presents many blogs that offer a solution without explaining why the solution works; in that case it is a workaround, not a fix. I tried everything from changing the MTU to restarting the IPS service, but nothing helped. An MTU change sounds like a workaround for a path MTU discovery issue, and an IPS service restart would address a FortiGate overload, but none of these explains the real reason why the connection fails. Let's find out what the real problem is.

The first steps I took were:
– Check whether the SSL VPN port is open, e.g. with telnet to port 10443; the client also gets past „Connecting… (10)“ – OK
– If the port is open, the SSL VPN service is reachable, up and running, so the problem lies in what happens after the TCP connection.

What happens at state 40?
=> The SSL/TLS handshake with the firewall: protocol version, cipher suite and certificate negotiation

Which TLS settings does the Fortinet FortiGate SSL VPN client use?
=> Those of Microsoft Internet Explorer (Internet Options -> Advanced -> Security), i.e. the Windows system TLS settings

Which protocols can be enabled there on this machine?
=> TLS 1.0 at most

Which operating system is used?
=> Microsoft Windows XP

Which SSL/TLS protocols does Microsoft Windows XP support?
=> SSLv2 – insecure (disabled)
=> SSLv3 – insecure (disabled)
=> TLS 1.0 – the problem: TLS 1.0 is the newest version XP can speak, there is no TLS 1.1 or 1.2 on this OS

Which SSL/TLS protocols does the FortiGate firewall accept for the SSL VPN?

FortiGate # get vpn ssl settings | grep tls
tlsv1-0 : disable
tlsv1-1 : enable
tlsv1-2 : enable
dtls-tunnel : enable

The firewall accepts TLS 1.1 and 1.2 only, so the TLS 1.0 ClientHello of the XP client is rejected during the handshake. Enable TLS 1.0:

FortiGate # config vpn ssl settings
FortiGate (settings) # set tlsv1-0 enable
FortiGate (settings) # end
FortiGate # get vpn ssl settings | grep tls
tlsv1-0 : enable
tlsv1-1 : enable
tlsv1-2 : enable
dtls-tunnel : enable

Try to connect…

Tadaaa !!!

This looks like a real solution because the actual cause has been located. There are two options: use an operating system whose TLS stack supports TLS 1.1 and 1.2, or enable TLS 1.0 on the FortiGate firewall. It's your choice, but keep in mind that enabling TLS 1.0 lowers the protocol floor for every SSL VPN user, not only for this one client; treat it as a temporary measure until the old clients are gone.

Since FortiOS 5.4.3 the SSL VPN cipher strength (set algorithm) is changed to high automatically, which produces the same symptom on the client with a different cause. Let's debug the SSL VPN service on the firewall:

FortiGate # diagnose debug application sslvpn -1
FortiGate # diagnose debug enable

Start the SSL VPN connection from the client and watch the debug output:

[75:root:61]Destroy sconn 0x329ae300, connSize=0. (root)
[75:root:62]allocSSLConn:264 sconn 0x32914300 (0:root)
[75:root:62]SSL state:before/accept initialization (84.16.30.46)
[75:root:62]SSL state:fatal handshake failure (84.16.30.46)
[75:root:62]SSL state:error:(null)(84.16.30.46)
[75:root:62]SSL state:error:(null)(84.16.30.46)
[75:root:62]SSL_accept failed, 1:no shared cipher
[75:root:62]Destroy sconn 0x32914300, connSize=0. (root)
[75:root:63]allocSSLConn:264 sconn 0x329ca300 (0:root)
[75:root:63]SSL state:before/accept initialization (84.16.30.46)
[75:root:63]SSL_accept returned 0.

„no shared cipher“: the client offers none of the cipher suites that the firewall accepts with algorithm high. Let's change that.

FortiGate # config vpn ssl settings
FortiGate (settings) # set algorithm medium
FortiGate (settings) # end

Try again and „Tadaa“, again!!! Be aware that medium also admits weaker cipher suites for every SSL VPN user of this firewall; like enabling TLS 1.0 it is the quick fix, while updating the client's TLS stack is the clean one.
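Both failures described above (the TLS 1.0 client against a firewall with tlsv1-0 disabled, and the „no shared cipher“ case after the cipher class became high) are plain TLS negotiation failures and can be reproduced on loopback without a FortiGate. The following is an added example and not FortiOS or FortiClient code: a Python TLS server stands in for the SSL VPN listener, a Python client for the Windows TLS stack behind the client, and the server-side OpenSSL reason is what you would see in „diagnose debug application sslvpn“. It assumes the openssl CLI is installed (a throwaway self-signed certificate for localhost is generated with it) and, because modern OpenSSL refuses TLS 1.0/1.1 at its default security level, the version mismatch is shown at the TLS 1.2/1.3 boundary; the mechanism is the same as TLS 1.0 against tlsv1-0 disable.

```python
"""Reproduce the two SSL VPN handshake failures from the post on loopback.

Added example, not FortiOS or FortiClient code. A Python TLS server stands in
for the FortiGate SSL VPN listener and a Python client for the Windows TLS
stack behind the client. Assumes the openssl CLI is available for the
throwaway certificate. Modern OpenSSL refuses TLS 1.0/1.1 at its default
security level, so the version mismatch is shown at the TLS 1.2/1.3 boundary.
"""
from __future__ import annotations

import shutil
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path


def openssl_available() -> bool:
    """The throwaway certificate below is produced with the openssl CLI."""
    return shutil.which("openssl") is not None


def make_self_signed_cert(workdir: Path) -> tuple[Path, Path]:
    """Generate a one-day self-signed RSA-2048 certificate for CN=localhost."""
    cert, key = workdir / "cert.pem", workdir / "key.pem"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", str(key), "-out", str(cert)],
        check=True, capture_output=True)
    return cert, key


def server_context(cert: Path, key: Path, minimum, maximum, ciphers=None):
    """Stand-in for 'config vpn ssl settings': protocol floor/ceiling + cipher class."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.minimum_version, ctx.maximum_version = minimum, maximum
    if ciphers:
        ctx.set_ciphers(ciphers)  # TLS 1.2 cipher list, the role of 'set algorithm'
    return ctx


def client_context(maximum, ciphers=None):
    """Stand-in for the client's Internet Options: highest TLS it may offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # lab only: the certificate is self-signed
    ctx.maximum_version = maximum
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def handshake(server_ctx, client_ctx):
    """One TLS handshake over loopback.

    Returns (client_ok, server_reason): whether the client completed the
    handshake and, on failure, the OpenSSL reason the server side saw, the
    local equivalent of "SSL_accept failed, 1:no shared cipher".
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    seen = {"reason": None}

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # one byte from the client, then both sides close
        except ssl.SSLError as exc:
            seen["reason"] = exc.reason
        except OSError as exc:
            seen["reason"] = type(exc).__name__
        finally:
            listener.close()

    worker = threading.Thread(target=serve)
    worker.start()
    client_ok = False
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"x")
            client_ok = True
    except OSError:  # ssl.SSLError is an OSError; the server's alert lands here
        client_ok = False
    worker.join(5)
    return client_ok, seen["reason"]


def run_demo():
    """Version mismatch, cipher mismatch, then the server-side fix."""
    if not openssl_available():
        return None
    workdir = Path(tempfile.mkdtemp())
    cert, key = make_self_signed_cert(workdir)
    v12, v13 = ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3
    aes128, aes256 = "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"
    results = {
        # firewall floor above the client's ceiling (XP's TLS 1.0 vs tlsv1-0 disable)
        "version_mismatch": handshake(server_context(cert, key, v13, v13),
                                      client_context(v12)) if ssl.HAS_TLSv1_3 else None,
        # same protocol, disjoint cipher lists -> server reports "no shared cipher"
        "cipher_mismatch": handshake(server_context(cert, key, v12, v12, aes256),
                                     client_context(v12, aes128)),
        # fix: widen the server's cipher class to include what the client offers
        "fixed": handshake(server_context(cert, key, v12, v12, f"{aes256}:{aes128}"),
                           client_context(v12, aes128)),
    }
    shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for case, outcome in (run_demo() or {}).items():
        print(case, outcome)
```

The cipher-mismatch case ends with the server-side reason NO_SHARED_CIPHER, the same condition the FortiGate logs as „SSL_accept failed, 1:no shared cipher“, while the client only sees a handshake failure alert, which is why the client-side message is so unspecific. The fix widens the server's accepted list rather than the client's, exactly like set algorithm medium, and the trade-off is the same: every client of that listener may now negotiate the weaker suite.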

Thumbs up if this article resolved your issue, and leave a comment 😉 Thanks in advance!

Article Categories:
FortiGate · SSL/TLS · Troubleshooting

Comments on FortiGate SSLVPN – Connecting… (40) – Unable to establish the VPN connection. The VPN server may be unreachable. (-5)

  • Been trying to fix this on my Windows 7 for a week now. Your post is a lifesaver. Thanks!

    Vergel 23 February 2017 10:21
  • Worked like a charm, was breaking my head with Google for very long until I ended here….

    Imaduddin mohammed 23 March 2017 9:36
  • That is the true fix! Congrats on the real troubleshooting here.

    B. Araujo 21. April 2017 15:01
  • Worked well, thank you 🙂

    MM 23 May 2017 10:46
  • Awesome, Thanks a lot

    Rohit 3. August 2017 1:00
  • Superrrrrrr Thanks a lot.

    Srikanth 11. August 2017 13:51
  • Can you help me with the -455 error in FortiGate on Windows 10? I have tried the WAN Miniport repair and reinstall but the issue still remains the same.

    Thanks in advance

    Kashif 1 March 2018 5:26
    • Hey Kashif,
      post the exact error message! If you are fighting with the WAN Miniport, then it seems to be a challenge with an IPsec tool.

      Alexander Ries 29 May 2018 0:16
  • Lovely…Worked like a Charm!

    Feroz 29 March 2018 13:44
  • With Win 7, I fixed it by enabling TLS 1.1 and TLS 1.2 in Internet Options -> Advanced tab -> Security.

    tuan 23. April 2018 5:22
  • Very good article

    emnoc 27. April 2018 15:16
  • Hey,
    I'm getting the same message in the debug log „SSL_accept failed, 1:no shared cipher“ but I can't find the attribute for „set algorithm“ in the CLI. Please help, how do I fix that?

    ismailo 29 May 2018 12:33
    • Hey Ismailo,
      this command should still be supported in version 5.4. Let me know which version is running.

      Because I don't know how familiar you are with FortiOS, I'll start from scratch.
      1. config vdom (if you have some)
      2. edit „vdomname“
      3. config vpn ssl settings
      4. set ?

      Post the output of the CLI here, please. Or paste the output where you stuck.

      Cheers

      Alexander Ries 29 May 2018 22:36
      • Hi Isailo,

        I got the same, I do not have the option to say set algorithm medium. What would be the next step I could try? V5.6.0

        André Ammermann 10 January 2019 0:37
  • Thank you! This post was helpful. Currently there is almost similar behavior in Win10 1803, Microsoft's KB 4458166, released on Tuesday. I use FortiOS 6.02 with default tlsv1-0 disable.

    Don 8. September 2018 8:37
  • Hey,
    I'm getting the same message in the debug log “SSL_accept failed, 1:no shared cipher” but I can't find the attribute for “set algorithm” in the CLI. Please help, how do I fix that?

    I have the same issue. Can you please explain which VDOM to configure, SSL.root or the one going out to the WAN? Can somebody please explain?

    Datz 27. September 2018 8:40
  • Thank you so much you save my day ^^

    Ahmed 7 May 2019 11:25
  • I am very grateful for your efforts put on this article.

    This article is very informative, updated and translucent.
    Can I expect you may post this type of another article in the near future?

    Best regards,
    Boswell Valenzuela

    Flossie 5. November 2020 6:23
  • I cannot run the command: get vpn ssl settings | grep tls
    You can see the output in the picture

    John 22 July 2022 4:52
