Forticlient – The server you want to connect requests identification, please choose a certificate and try again. (-5)

Hello,

Last week, I ran into a strange problem at a customer that uses FortiClient from Fortinet to establish SSL VPN access from outside to its office. Each time a collaborator tries to establish the connection with the VPN gateway (a FortiGate 100D running FortiOS 5.6.3), the following error appears once the connection process reaches 40%:

This behaviour appeared just after upgrading the firewall from 5.4.4 to 5.6.3, so my first thought was that the FortiClient version was too old, but even after upgrading FortiClient to the latest available version the problem remained. My second test was to try to establish the connection from another computer with the same account and credentials. I was very surprised to see that the connection succeeded! Note that I used exactly the same FortiClient version.

After this observation, I concluded that the problem was on the client computer. However, I could not work out what caused the difference between my computer and the collaborator's computer: both run the same Windows version. Unable to find the problem on the computer, I decided to analyze the connection attempt directly on the FortiGate.

To analyze SSL VPN traffic on the FortiGate, open an SSH session to it and run the following commands:

Then try to establish a connection from the computer that has the problem. In my case, I saw the following:

As you can see, SSL_accept fails, which means that no cipher suite common to the client and the server could be found. The only solution I have found so far is to configure the FortiGate to allow weaker cipher suites. To do this, change the “algorithm” parameter in the SSL VPN configuration from the FortiGate CLI with the following commands:

By default the parameter is set to “high”. Try lowering it to “medium” and, if that still does not work, to “low” to confirm that the cipher suite mismatch is the cause. Lowering it weakens the TLS protection for every SSL VPN user, not just the affected one, so I nevertheless advise fixing the problem on the client machine and setting the parameter back to “high”: this change is only a workaround.
