Common FortiClient SSL VPN errors

I see from the stats that one of my most-visited posts is the one about the FortiClient SSL VPN error “the vpn server may be unreachable. (-5)”, so I decided to add another post describing some of the most common errors that may come up when connecting to a FortiGate with SSL VPN.

  1. Connecting process stops at 10, error “Unable to establish the VPN connection. The VPN server may be unreachable.”

     

    Screenshot: Connecting hangs at 10
    This is most commonly caused either by a firewall (on the host or on the network) blocking traffic towards the VPN server IP address or blocking the FortiClient application itself, or by routing errors towards the IP address of the VPN server.
    The problem can usually be solved by adjusting the host or network firewall rules on the client side.
    In rare cases I have found the problem to be caused by an error on the FortiGate device itself. In that case no one is able to connect to the VPN, using either SSL VPN or IPsec, while the internal networks can still reach all local networks and the external internet connection. A simple reboot of the device then solves the problem.

  3. Connecting process stops at 80, error “Unable to logon to the server. Your username or password may not be configured properly for this connection. (-12)”

     

    Screenshot: Connecting hangs at 80, wrong username or password
    As the error itself states, the most common cause is that the username or the password does not match the one configured on the device.
    Other problems might be:
    - the user is not in the correct user group that has VPN access (either the local firewall group or the LDAP server group, if you’re using one)
    - there isn’t a corresponding firewall policy rule that allows the user group access to any of the internal networks. You need a rule from the wan interface to one of the internal interfaces with action SSL-VPN, with the group of users that will have access selected; check that your user is in the correct group.
    - you might be trying to connect to the VPN from the wrong side of the interface (from one of your internal networks, or from the network of one of the sites you already have a site-to-site connection with)

  5. Connecting process stops at 40, error “Unable to establish the VPN connection. The VPN server may be unreachable -5”

    As you can see in one of my earlier posts, “the vpn server may be unreachable. (-5)”, the problem can sometimes be caused by some sort of VNC server on the machine.
    Other possible problems can be:
    - the firewall rules on the local machine or on the network gateway (I have rarely found this to be the problem with this error)
    - problems with the FortiGate device. Most of the time the device is the problem: the error goes away after a reboot of the FortiGate device but comes back after a few days. In that case the cause is usually extensive logging of traffic and events on the device, so try removing traffic logging from some of the rules or events.

    Screenshot: Don't log all of your traffic
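The network-side causes listed above (firewall, routing, wrong port) can be separated from the login-side ones by probing the server address in stages: name resolution, TCP connect, then TLS handshake. This is an added example, not part of the original post or any Fortinet tooling; the function `triage` and its stage names are made up for illustration, and the host and port are whatever you have in the FortiClient server field.

```python
import socket
import ssl


def triage(host, port, timeout=5.0):
    """Probe host:port in stages; return (stage, hint) for the first failure."""
    # Stage 1: name resolution (a literal IP address passes straight through).
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host!r}: {exc}"
    addr = infos[0][4][:2]

    # Stage 2: plain TCP connect. Client-side firewall and routing
    # problems show up here, before any VPN login is attempted.
    try:
        sock = socket.create_connection(addr, timeout=timeout)
    except socket.timeout:
        return "tcp-timeout", "no reply: traffic dropped by a firewall or misrouted"
    except ConnectionRefusedError:
        return "tcp-refused", "port actively rejected: check the port number"
    except OSError as exc:
        return "tcp-error", f"no route or network error: {exc}"

    # Stage 3: TLS handshake with normal certificate checks. No credentials
    # are sent; an untrusted certificate is reported, not ignored.
    ctx = ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"path open, negotiated {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return "tls-cert", f"server answered, certificate not trusted: {exc.verify_message}"
    except OSError as exc:  # includes ssl.SSLError and handshake timeouts
        return "tls", f"TCP works but the TLS handshake failed: {exc}"


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <server> <port>
    print(triage(sys.argv[1], int(sys.argv[2])))
```

A `tcp-*` result points at the client-side firewall or routing; `ok` or `tls-cert` means the server is reachable, so the remaining causes are on the login side (credentials, user group, firewall policy).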

Hope somebody finds this helpful
 

28 thoughts on “Common FortiClient SSL VPN errors”

  1. Pingback: FortiClient unable to connect to VPN. Possible solutions

  2. “The server you want to connect requests identification, please choose a certificate and try again. (-5)” This error for me had nothing to do with choosing a certificate. Instead, I use a SOCKS server and did not establish my SSH SOCKS connection (Internet Options, Connections, LAN settings, Proxy Server checked and Advanced has SOCKS set — I use a Cygwin SSH tunnel, which also provides the SOCKS protocol support). Once I started the SSH tunnel, this misleading error went away. This LAN setting is not supposed to be related to the FortiSSL VPN connection but it certainly does when going through the SSL handshake.

    On a related note, if you want to use SOCKS with a FortiNet VPN connection, make sure you set Internet Properties, Connections, fortissl, Settings to use a proxy server and select Advanced to configure the proxy address and port.

  3. Hi, I am not able to connect to my FortiClient VPN… the following error appears

    Unable to logon to the server. Your login credentials not be configured properly for this connection.

    • On the client side, check if you have set the correct username and password, and a correct certificate if you are using it for login (or no certificate if you’re not using it for vpn login).

      On the FortiGate side check if your user belongs to a user group that has vpn access (or if you’re using LDAP connector, that it is working properly on the device and LDAP server, check the username that it is set to use to read the LDAP). Check if for your user group exists a corresponding firewall rule that allows it to access some of the network that the FortiGate controls access to.

      • sorry I am not that technical….I just know that it was working fine till yesterday and now suddenly it is malfunctioning….can you explain it in simple terms

        Thanks

        • check the login data you were given for vpn (username, password, client certificate fields on the FortiClient SSL VPN),
          if you are sure that they are correct then the problem is probably on the device you are trying to connect to, and you will have to ask the person who is responsible for it (probably the same person that gave you the FortiClient and the username) to look for possible problems on it.

  4. If you’re sure that the username and the password are correct you have to check the device on the other side of the VPN connection with the person responsible for it. Firewall rules, groups and LDAP connections as I said in the first response

    • Well I don’t know how helpful this will be to others but this error occurs when cookies are not enabled for SSL VPN for it to function in WEB portal or for the Forticlient SSL client.

      Access to the web portal or tunnel will fail if Internet Explorer has the privacy Internet Options set to High. If set to High, Internet Explorer will:

      ~ Block cookies that do not have a compact privacy.
      ~ Block cookies that use personally identifiable information without your explicit consent.

      I enabled my cookies and it worked for me.

      Thanks anyways for your support…Hope this works for others.

      R’s
      Prashant dwivedi

    • in my experience when it stops at 98 it was always the client side error. Do you have any firewall like ZoneAlarm or Comodo on, or do you have http filtering on in your antivirus.

      Is this home network or corporate one, can you try connecting from some other computer in the same network or from the same computer in another network to see if the error is network based (like gateway firewall) or host based (antivirus, desktop fw, ..).

      You might try restarting your cable/ADSL router if this is a home network.

      You might also try connecting via browser by going to https://your_vpn_server:10443 (check in your FortiClient Server address field for the port, you might be using a different one) if this is enabled on the FortiGate. Sometimes it works that way even when it doesn’t work for the standalone VPN client.

      Also, when you try to connect, do you have only server_address or server_address:portnumber in the server field of FortiClient? Try adding the port number manually if you don’t have it.

  5. Hello, after installation of FortiClient 4.2.3.0271 on my PC with Windows 7 Professional 64-bit SP1, don’t have internet traffic.

    How to do ? I must to go in VPN with Fortinet and to go in Internet with browser.
    Thank You.
    Charly

    • Is your VPN IPsec or SSL VPN? If it is SSL VPN you can try uninstalling the full FortiClient and just installing the FortiClient SSL VPN. I’ve heard of problems with the IPsec client but I’m not sure how to fix it.

  6. Hello, I have FortiClient SSL VPN installed on my laptop (OS is Windows Vista).
    When I try to connect the connection process stops at 10 giving the same dialog box as shown in your post. However I did not quite understand the solution – what do you mean by ‘adjusting the host or firewall rules’ and how do I do this? I tried switching off Windows Firewall but that did not solve the problem. Could someone please help?

    • Adjusting host or network firewall rules means allowing the traffic from the computer with FortiClient SSL VPN to the FortiGate (VPN server) address. Do you have control over the router on your network (where your PC is)? It may be that the network firewall doesn’t allow the traffic.

      • Yes I have control over the router. I use broadband. How do I adjust these rules?

        On another note – I just realised that everything I download from the web is not installing on my laptop for reasons such as – “You must be connected to the internet to complete installation” or “Unable to download (SendRequest Error)” or “Unable to load application configuration” . I have just connected my laptop to the internet after a period of two years. What could be the reasons for these errors? They all seem to be linked. I would greatly appreciate your help. Not being able to install anything is extremely frustrating.

  8. Hello,
    I tried to connect with FortiClient SSLVPN 4.0.2267, and get the -12 message (Unable to logon to the server …) on a Windows 7 computer.
    I tried with another Windows 7 computer, with the same login / passwd / IP address/ Port Number, and it works.
    I compared every thing I could on the 2 computers, and didn’t find any difference.
    The FireWall is the same (Avast), configuration is the same for Fortinet appli
    The Internet properties are the same

    What else can it be ???
    Thank for your answer.

  9. After connecting with FortiClientSSL, my internet access does not work. If I disconnect the access back to work. Has anyone had this problem?

  10. Or…make sure Internet Explorer isn’t in offline mode. Mine _had been_ but wasn’t…I “turned it off[line] and on again” anyway and now both Fortigate and the Weather gadget work.

    Very less than obvious with a freshly installed PC and you’ve already switched to your preferred browser.

  11. My experience has shown that

    10% means:
    – No internet connection or not authenticated to the internet
    – Local firewall is blocking the VPN

    40% means:
    – No internet connection or not authenticated to the internet
    – Local firewall is blocking the VPN

    80% means:
    – User is not configured for VPN in the firewall, Active Directory group or on host computer
    – Domain Controller at host location is unavailable/offline
    – Password expired
    – Reinstall Forticlient if others are correct

    98% means:
    – User’s password is expired
    – Reinstall Forticlient if others are correct
