RobBlenk
Staff
Article Id 280823
Description

This article describes what could be the cause if the FortiClient VPN fails to connect at 40% with PKI certificate authentication.

Scope

FortiClient SSL VPN with PKI certificate authentication.
Solution

The logs will show the Action as 'ssl-exit-error' and the Reason as 'DH lib'.

The SSL-VPN application real-time debug will show the following:

client cert requirement: yes
SSL state:SSLv3/TLS read client hello (x.x.x.x)
SSL state:SSLv3/TLS write server hello (x.x.x.x)
SSL state:SSLv3/TLS write certificate (x.x.x.x)
SSL state:SSLv3/TLS write key exchange (x.x.x.x)
SSL state:SSLv3/TLS write certificate request (x.x.x.x)
SSL state:SSLv3/TLS write server done (x.x.x.x)
SSL state:SSLv3/TLS write server done:system lib(x.x.x.x)
SSL state:SSLv3/TLS write server done:DH lib(x.x.x.x)      <-- After the DH line, the connection fails.
SSL_accept failed, 5:(null)
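As an added example that is not part of the Fortinet article, the following Python parser walks the debug output above, records where the TLS handshake stopped, and flags the "certificate request, then 'DH lib', then SSL_accept failed" signature the article associates with a client certificate that needs reinstalling. The sample lines and the 10.0.0.5 address are constructed stand-ins for real output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of 'diagnose debug application sslvpn -1' output, modelled
# on the lines quoted in this article (10.0.0.5 stands in for the client address).
SAMPLE_DEBUG = """\
client cert requirement: yes
SSL state:SSLv3/TLS read client hello (10.0.0.5)
SSL state:SSLv3/TLS write server hello (10.0.0.5)
SSL state:SSLv3/TLS write certificate (10.0.0.5)
SSL state:SSLv3/TLS write key exchange (10.0.0.5)
SSL state:SSLv3/TLS write certificate request (10.0.0.5)
SSL state:SSLv3/TLS write server done (10.0.0.5)
SSL state:SSLv3/TLS write server done:system lib(10.0.0.5)
SSL state:SSLv3/TLS write server done:DH lib(10.0.0.5)
SSL_accept failed, 5:(null)
"""

# 'SSL state:<state>[:<lib>](<ip>)' -- the lib part only appears on the last lines
STATE_RE = re.compile(r"^SSL state:(?P<state>[^:(]+?)(?::(?P<lib>[^(]+?))?\s*\((?P<ip>[^)]+)\)")
FAIL_RE = re.compile(r"^SSL_accept failed, (?P<code>\d+)")

@dataclass
class HandshakeTrace:
    ip: str = ""
    states: List[str] = field(default_factory=list)  # handshake states in order seen
    last_lib: str = ""                               # library named on the final state line
    fail_code: Optional[int] = None                  # code from 'SSL_accept failed, N'
    client_cert_required: bool = False

def parse_sslvpn_debug(text: str) -> HandshakeTrace:
    """Walk the debug lines and record how far the TLS handshake got."""
    trace = HandshakeTrace()
    for line in text.splitlines():
        if line.startswith("client cert requirement: yes"):
            trace.client_cert_required = True
        elif m := STATE_RE.match(line):
            trace.ip = m["ip"]
            trace.states.append(m["state"].strip())
            if m["lib"]:
                trace.last_lib = m["lib"].strip()
        elif m := FAIL_RE.match(line):
            trace.fail_code = int(m["code"])
    return trace

def matches_dh_lib_cert_failure(trace: HandshakeTrace) -> bool:
    """True when a cert-authenticated handshake died after the certificate request
    with 'DH lib', the signature this article ties to reinstalling the client cert."""
    return (trace.client_cert_required and trace.fail_code is not None
            and trace.last_lib == "DH lib"
            and "SSLv3/TLS write certificate request" in trace.states)
```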

Uninstall and reinstall the client certificate.

Note: In this instance the client certificate is not expired. It just needs to be reinstalled.

Troubleshooting:

diagnose debug reset

diagnose vpn ssl
diagnose debug application sslvpn -1
diagnose debug enable

Related article:
Technical Tip: PKI user with two factor authentication for SSL VPN.
