SSL VPN hangs at 40%

I’m hoping someone here can help. I’ve worked with Fortinet support for over a month to resolve the issue. As stated, SSL VPN hangs at 40%. I’ve done all the suggested solutions. Delete personal certs, etc. What is strange is if I browse to a server hosted behind the FortiGate, the VPN connection will complete and ask for my token. Anyone else have a similar issue with it and if so, what did you do to resolve the issue?

Make sure you don’t have a pop-up for certs behind the VPN box.

It’s annoying it doesn’t focus on the pop-up, I’ve gotten many calls on “My VPN client is stuck”.

The hidden cert acceptance striking again. On a more serious note: don’t use a VPN without a valid cert. There is a reason they warn you so many times.

Likely a certificate issue

It’s 2024. It’s been three years since Fortinet started embedding the possibility to use Let’s Encrypt certificates. Here is how: Automatically provision a certificate | FortiGate / FortiOS 7.4.3 | Fortinet Document Library “To generate a certificate using ACME and Let’s Encrypt:”

From my handy dandy VPN troubleshooting notes…

The VPN certificate setting could be wrong
Check the ‘Do Not warn invalid server certificate’ VPN setting is ticked

My recent problem at 40% was cert acceptance. I was overhauling the VPN to reduce the out of country traffic slamming the firewall.

I set up the new interface at an IP. We use a wildcard cert.

I didn’t notice the cert approval windows until 2 days later. I am not sure if they always showed in the task bar. I certainly didn’t see them at the time and shelved the project until I had better focus.

When I did see them, I put in a DNS entry and it’s working fine.

Now if I can only get the recent free VPN client to install on OSX Sonoma…

Do you usually use an MFA solution? If so, if using a test account, make sure MFA is set up.

My experience: 40% is because the user you’re using does not have explicit permissions to use that tunnel.

If you are using a user group, remove the group and specify users.

I did and the solution for us was to go back to an older client 7.0.11 I think it is

Add conditional policy

If you need a cert for your SSL VPN, use Let’s Encrypt, it’s free.

You def need a cert but also go into the config, for the specific VPN you have there is a line that says “standard user use system cert” or something like that. It needs to be set to 1. That solved our 40% problem, especially if it sometimes works and sometimes not.

Been there, could also be a problem with the TPM Module: Windows 10 TPM 2.0 Client Authentication in TLS 1.2 with RSA PSS making trouble - Microsoft Q&A

Disable IPv6 on whatever interface is using SSL VPN, had this issue a lot over the years.

Set up auto certificate renewal with Let’s Encrypt and use a hostname to connect instead of IP.

Sometimes I have to reboot the computer. Sometimes the SSL VPN window comes up at exactly 40%.

Maybe you didn’t allow the connection through your computer’s firewall. Connect it again and another tab will pop up that needs your confirmation.
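
Several replies above trace the 40% hang to a certificate prompt that shows up when the client connects by IP while the gateway presents a wildcard certificate, and recommend connecting by hostname instead. As an added example (not part of the thread and not Fortinet tooling), the Python code below applies standard TLS name-matching rules to a certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`; the certificate, hostnames and address are constructed placeholders.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names are placeholders, not values from the thread.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def _dns_match(pattern: str, host: str) -> bool:
    """Match one DNS SAN; a wildcard covers only the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject overly broad patterns such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_target(cert: dict, target: str) -> tuple[bool, str]:
    """Return (ok, reason) for connecting to `target` with this certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets match only IP Address SANs, never DNS names or wildcards.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "IP SAN matches"
        return False, "target is an IP and the certificate has no matching IP SAN"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, target):
            return True, f"DNS SAN {value} matches"
    return False, "no DNS SAN matches this hostname"


if __name__ == "__main__":
    for t in ("203.0.113.10", "vpn.example.com", "a.b.example.com"):
        print(t, check_target(WILDCARD_CERT, t))
```

A target that returns `False` here is one where the client will raise a certificate warning, which matches the fix reported above of adding a DNS entry and connecting by name.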

Here are my notes:

10% network routing issue

40% if you use MFA, the token might have delay or latency, it could also be a policy issue (check firewall logs if there’s denied traffic) or an invalid SSL certificate

48-68% the user account can be blocked on the MFA management platform.

70% error 6008 - Issue with AAD SAML - Disable “Restrict Specific OS” and “hostcheck” to connect.

98% issue with IPv6. If you’re using network sharing with 4G hotspot you might need to check APN network settings and disable IPv6.

Or check this KB:

Had the same issue, at 40% SSL VPN hangs.
In Windows 10, press the Windows button, type Internet Options, tab Advanced. Check the TLS versions being used.
Mine were on TLS 1.0 and TLS 1.1.
Changing to TLS 1.2 solved my “40%” issue.

Hope this helps.