Forticlient – The server you want to connect requests identification, please choose a certificate and try again. (-5)


Last week, I was confronted with a strange problem at a customer that uses FortiClient from Fortinet to establish SSL VPN access from outside to its office. Each time the collaborator tried to establish the connection with the VPN gateway (a FortiGate 100D running FortiOS 5.6.3), the following error appeared once the connection process reached 40%:

This behaviour appeared just after upgrading the firewall from 5.4.4 to 5.6.3, so the first thing I thought was that the FortiClient version was too old, but even after upgrading FortiClient to the latest available version the problem remained. My second test was to try to establish the connection from another computer with the same account and credentials. I was very surprised to see that the connection was successful! Note that I used exactly the same FortiClient version.

After this observation, I concluded that the problem was on the client computer. However, I was not able to understand what caused this difference between my computer and the collaborator's computer; both were running the same Windows version. Forced to admit that I could not find the problem on the computer, I decided to analyze the connection attempt directly on the FortiGate.

To analyze SSL VPN traffic on the FortiGate, open an SSH connection to it and run the following commands:

diagnose debug application sslvpn -1
diagnose debug enable

Then try to establish a connection from the computer that causes the problem. In my case, I saw the following:

[204:root:96]allocSSLConn:280 sconn 0x7ffda0976400 (0:root)
[204:root:96]SSL state:before SSL initialization (
[204:root:96]SSL state:before SSL initialization:DH lib(
[204:root:96]SSL_accept failed, 5:(null)
[204:root:96]Destroy sconn 0x7ffda0976400, connSize=2. (root)
[212:root:99]allocSSLConn:280 sconn 0x7ffda096f800 (0:root)
[212:root:99]SSL state:before SSL initialization (
[212:root:99]SSL state:before SSL initialization (
[212:root:99]SSL state:SSLv3/TLS read client hello (
[212:root:99]SSL state:SSLv3/TLS write server hello (
[212:root:99]SSL state:SSLv3/TLS write certificate (
[212:root:99]SSL state:SSLv3/TLS write key exchange (
[212:root:99]SSL state:SSLv3/TLS write server done (
[212:root:99]SSL state:SSLv3/TLS write server done:system lib(
[212:root:99]SSL state:SSLv3/TLS write server done (
[212:root:99]SSL state:SSLv3/TLS read client key exchange (
[212:root:99]SSL state:fatal bad record mac (

As you can see, SSL_accept fails, which means that no suitable cipher suite was agreed between the client and the server. The only solution I found so far is to configure the FortiGate so that it allows these weaker cryptographic suites. To do this, change the “algorithm” parameter in the SSL VPN settings from the FortiGate CLI with the following commands:

config vpn ssl settings
set algorithm medium
end

By default the parameter is set to “high”. Try going down to “medium” and, if it still does not work, to “low” to confirm that the problem comes from there. Keep in mind that this setting applies to every SSL VPN session on the FortiGate, not only to the problematic client, so I advise trying to solve the problem on the client’s workstation, because this change is only a workaround.
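To make the debug output above easier to read on a busy gateway, here is an added Python example (not code from the original post or from Fortinet) that parses the `diagnose debug application sslvpn -1` lines, groups them by the `[pid:vdom:connid]` prefix, and reports how far each handshake got before it failed. The sample input reuses the two failed handshakes quoted above and adds a third, constructed successful handshake (connection id 101, using the standard OpenSSL state strings) for contrast; the regular expressions and the `Handshake` class are assumptions of this example, not part of FortiOS.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two failed handshakes quoted in the post,
# plus a third, successful handshake (constructed, conn id 101) for contrast.
SAMPLE_LOG = """\
[204:root:96]allocSSLConn:280 sconn 0x7ffda0976400 (0:root)
[204:root:96]SSL state:before SSL initialization (
[204:root:96]SSL state:before SSL initialization:DH lib(
[204:root:96]SSL_accept failed, 5:(null)
[204:root:96]Destroy sconn 0x7ffda0976400, connSize=2. (root)
[212:root:99]allocSSLConn:280 sconn 0x7ffda096f800 (0:root)
[212:root:99]SSL state:before SSL initialization (
[212:root:99]SSL state:before SSL initialization (
[212:root:99]SSL state:SSLv3/TLS read client hello (
[212:root:99]SSL state:SSLv3/TLS write server hello (
[212:root:99]SSL state:SSLv3/TLS write certificate (
[212:root:99]SSL state:SSLv3/TLS write key exchange (
[212:root:99]SSL state:SSLv3/TLS write server done (
[212:root:99]SSL state:SSLv3/TLS write server done:system lib(
[212:root:99]SSL state:SSLv3/TLS write server done (
[212:root:99]SSL state:SSLv3/TLS read client key exchange (
[212:root:99]SSL state:fatal bad record mac (
[220:root:101]allocSSLConn:280 sconn 0x7ffda0961000 (0:root)
[220:root:101]SSL state:before SSL initialization (
[220:root:101]SSL state:SSLv3/TLS read client hello (
[220:root:101]SSL state:SSLv3/TLS write server hello (
[220:root:101]SSL state:SSLv3/TLS write certificate (
[220:root:101]SSL state:SSLv3/TLS write key exchange (
[220:root:101]SSL state:SSLv3/TLS write server done (
[220:root:101]SSL state:SSLv3/TLS read client key exchange (
[220:root:101]SSL state:SSLv3/TLS read change cipher spec (
[220:root:101]SSL state:SSLv3/TLS read finished (
[220:root:101]SSL state:SSLv3/TLS write change cipher spec (
[220:root:101]SSL state:SSLv3/TLS write finished (
[220:root:101]SSL state:SSL negotiation finished successfully (
"""

# "[pid:vdom:connid]message" prefix used by the sslvpn debug output.
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>\d+)\](?P<msg>.*)$")
# "SSL state:<OpenSSL state string> (" -- the state text ends before the "(".
STATE_RE = re.compile(r"SSL state:(?P<state>.*?)\s*\(\s*$")


@dataclass
class Handshake:
    key: str                         # "pid:vdom:conn", one TLS connection
    states: List[str] = field(default_factory=list)
    error: Optional[str] = None      # first failure message seen, if any

    @property
    def last_good_state(self) -> Optional[str]:
        # The last non-fatal state reached, i.e. where the handshake broke.
        for state in reversed(self.states):
            if not state.startswith("fatal"):
                return state
        return None

    @property
    def completed(self) -> bool:
        return self.error is None and any(
            "finished successfully" in s for s in self.states)


def parse_sslvpn_debug(text: str) -> Dict[str, Handshake]:
    """Group debug lines per connection and record states and failures."""
    conns: Dict[str, Handshake] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a "[pid:vdom:conn]" line
        key = f"{m['pid']}:{m['vdom']}:{m['conn']}"
        hs = conns.setdefault(key, Handshake(key))
        msg = m["msg"]
        sm = STATE_RE.search(msg)
        if sm:
            state = sm["state"].strip()
            hs.states.append(state)
            if state.startswith("fatal") and hs.error is None:
                hs.error = state          # e.g. "fatal bad record mac"
        elif "SSL_accept failed" in msg and hs.error is None:
            hs.error = msg.strip()        # e.g. "SSL_accept failed, 5:(null)"
    return conns


def diagnose(hs: Handshake) -> str:
    """One-line verdict: where in the handshake did this connection stop?"""
    if hs.completed:
        return "handshake completed"
    if hs.error is None:
        return "incomplete (no failure logged)"
    reached_hello = any("read client hello" in s for s in hs.states)
    if not reached_hello:
        # Dropped before the ClientHello was processed: no version or
        # cipher suite agreement was ever reached with this peer.
        return f"failed before ClientHello was processed: {hs.error}"
    return f"failed at '{hs.last_good_state}': {hs.error}"


def summarize(text: str) -> Dict[str, str]:
    return {key: diagnose(hs) for key, hs in parse_sslvpn_debug(text).items()}


if __name__ == "__main__":
    for key, verdict in summarize(SAMPLE_LOG).items():
        print(f"{key:14} {verdict}")
```

Feed it the captured debug output (for example, saved from the SSH session) instead of `SAMPLE_LOG` to see at a glance whether a client never gets past its ClientHello or breaks later, after the key exchange, which is the difference between the two failed connections quoted above. When you are done capturing, turn the debug output off again on the FortiGate with `diagnose debug disable` followed by `diagnose debug reset`.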



  1. Hi Cyrill,
    many thanks for this workaround, I was facing this issue for a long time.


  2. Hi Cyrill,
    I found a solution on the client side:

    On the Client in IE / Options / Advanced
    Turn on TLS 1.2 and TLS 1.3


  3. bodairullahkhan

    thanks I also faced same issue and resolved this.

  4. Thanks for your help, it works for me.

    • Cyrill Gremaud

      Happy to help you. Please if you like my blog, subscribe to receive an e-mail when I post a new article 🙂

  5. Thank you, shivaaz…

  6. Thank you Cyrill! It worked for me. I was going crazy trying to find a solution for the longest time.

  7. I tried your method but it did not work.

    However, I managed to get my issue fixed after running IISCrypto and disabling SSL 3.0.

    I hope this helps those who encounter the same issue as I did.

  8. Vishal P Bulbule

    Dear Shivaj,

    Thank you very much. After disabling SSL 3.0 in IE, the issue has been resolved.

  9. Well done.. Thanks shivaaz, it worked.

  10. Thanks all.

    After disabling SSL 3.0 in IE, enabling SSL 2.0 and ticking Use TLS 1.1, the issue has been resolved.

  11. Thanks to all. The changes below resolved the issue on my system.

    On the Client in IE / Options / Advanced
    Turn on TLS 1.2 and TLS 1.3

  12. FYI this could also be the DH Parameters in config system global. I had to set this down to 2048 bit modulus to get older FortiClient versions to connect.

  13. Thanks to all for your hints, which helped me to narrow down the error.

    In my case, I got exactly the same error messages, but the problem had nothing to do with cipher suite settings on the Win 10 client PC. The user of the FortiClient wasn’t an administrator and, because of this, read access to the private key of the certificate being used was missing. I granted read access for “Domain Users” on the key and then it worked.
    So the FortiGate error messages guided me in quite the wrong direction.

  14. Hello,

    If I set the parameter to Medium or Low, will it affect other operations?

  15. I have been confronted with the same issue for a long time, but it still persists even if the TLS setting is set to 1.1, 1.2 and 1.3 and SSL 3.0 is disabled.
    I am crazy !!!

  16. Kanagaraj Periapandi

    Thank you so much.

    Really, it’s good stuff. All the best.

  17. The server you want to connect to requests identification, please choose a certificate and try again(-14)

  18. Please help me.

  19. Fernando Garcia

    Ticking TLS 1.0 through 1.2 and unticking TLS 3.0 worked great. Many thanks.

  20. That's an awesome workaround.
