Forticlient – The server you want to connect requests identification, please choose a certificate and try again. (-5)

Hello,

Last week, I ran into a strange problem at a customer that uses Forticlient from Fortinet to establish SSL VPN access from outside to its office. Each time the collaborator tried to establish the connection with the VPN gateway (a Fortigate 100D running FortiOS 5.6.3), the following error appeared once the connection process reached 40%:

This behaviour appeared right after upgrading the firewall from 5.4.4 to 5.6.3, so my first thought was that the Forticlient version was too old. Even after upgrading Forticlient to the latest available version, however, the problem was the same. My second test was to try to establish the connection from another computer with the same account and credentials. I was very surprised to see that the connection was successful! Note that I used exactly the same Forticlient version.

From this observation, I concluded that the problem was on the client computer. Still, I was not able to work out what caused the difference between my computer and the collaborator's computer, as both were running the same Windows version. Having to admit that I could not find the problem on the computer, I decided to analyze the connection attempt directly on the Fortigate.

To analyze SSL VPN traffic on the Fortigate, open an SSH connection to it and run the following commands:

Then try to establish a connection from the computer that causes the problem. In my case, I saw the following:

As you can see, the SSL_accept state is failed, which means that no cipher suite acceptable to both the client and the server was found during the TLS handshake. The only solution I have found so far is to configure the Fortigate so that it accepts these weaker cryptographic suites. To do so, change the “algorithm” parameter in the SSL VPN configuration on the Fortigate CLI with the following commands:

By default the parameter is set to “high”. Try going down to “medium” and, if it still does not work, set it to “low” to confirm that the problem comes from there. I advise, however, trying to solve the problem on the client's workstation, because this solution is only a workaround that lowers the security of the gateway for every client.


17 Comments

  1. Hi Cyrill,
    many thanks for this workaround, I was facing this issue for a long time.

    S.

  2. Hi Cyrill,
    I found a solution on the client side:

    On the Client in IE / Options / Advanced
    Turn on TLS 1.2 and TLS 1.3

    S.

  3. bodairullahkhan

    Thanks, I also faced the same issue and resolved it this way.

  4. Thanks for your help, it works for me.

    • Cyrill Gremaud

      Happy to help you. Please if you like my blog, subscribe to receive an e-mail when I post a new article 🙂

  5. Thank you, shivaaz…

  6. Thank you Cyrill! It worked for me. I was going crazy trying to find a solution for the longest time.

  7. I tried your method but it did not work.

    However, I managed to get my issue fixed after running IISCrypto and disabling SSL 3.0.

    I hope this helps those who encounter the same issue as I did.
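Comments 2 and 7 both point at the client's own TLS protocol settings (the IE "Advanced" checkboxes and the Schannel policy that IISCrypto edits). The script below is an added example, not part of the post or the comments, that reads both locations on the Windows client so the enabled protocols can be compared with what the gateway accepts before touching the Fortigate's "algorithm" setting. It assumes the documented Schannel registry layout and SecureProtocols bitmask values; run it in an elevated PowerShell session on the affected workstation.

```powershell
# Client-side TLS audit for the Forticlient handshake failure (constructed example).
# SecureProtocols bit values documented for the IE/WinINet "Use TLS x.y" checkboxes.
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000
}

function Get-IeSecureProtocols {
    # The checkboxes under Internet Options > Advanced write this bitmask (comment 2).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $mask = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    foreach ($name in $protocolBits.Keys) {
        [pscustomobject]@{
            Protocol = $name
            Source   = 'IE SecureProtocols'
            # Absent value: the OS default applies and nothing can be read here.
            State    = if ($null -eq $mask) { 'Not set (OS default)' }
                       elseif (($mask -band $protocolBits[$name]) -ne 0) { 'Enabled' }
                       else { 'Disabled' }
        }
    }
}

function Get-SchannelClientProtocols {
    # Schannel policy keys; tools such as IISCrypto write these (comment 7).
    # An absent key means the OS default for that protocol is in effect.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($name in $protocolBits.Keys) {
        $p = Get-ItemProperty -Path "$base\$name\Client" -ErrorAction SilentlyContinue
        $state = if ($null -eq $p)                     { 'Not set (OS default)' }
                 elseif ($p.Enabled -eq 0)             { 'Disabled (Enabled=0)' }
                 elseif ($p.DisabledByDefault -eq 1)   { 'Disabled by default' }
                 else                                  { 'Enabled' }
        [pscustomobject]@{ Protocol = $name; Source = 'Schannel Client'; State = $state }
    }
}

# A client that shows TLS 1.2 disabled in either table cannot negotiate a "high"
# cipher suite with a FortiOS 5.6 gateway, which matches the SSL_accept failure.
Get-IeSecureProtocols        | Format-Table -AutoSize
Get-SchannelClientProtocols  | Format-Table -AutoSize
```

Fix the client (enable TLS 1.2, disable SSL 3.0) when the audit shows a mismatch; lowering the gateway's "algorithm" setting should stay the last resort the author describes.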
