Pauline got the following error at 40%:

http://srvfail.com/common-forticlient-ssl-vpn-errors/

Common FortiClient SSL VPN errors

This is a repost of a post from an old blog, made on July 13, 2012, that used to be on:

http://wp.me/p25nt4-71

http://adminramble.com/common-forticlient-ssl-vpn-errors/

Original post:
I see from the stats that one of the posts with the most visits is the one about the
FortiClient SSL VPN error “the vpn server may be unreachable. (-5)” so i decided to
add another post describing some of the most common errors that may come up
when connecting to FortiGate with SSL VPN.

1. Connecting process stops at 10, error “Unable to establish the

VPN connection. The VPN server may be unreachable.”
 This is most commonly caused by, either the firewall blocking any kind of traffic
towards the VPN server IP address or the FortiClient application itself by the firewall
on the host or on the network, or either by routing errors towards the IP address of
the VPN server.

The problem can usually be solved by adjusting the host or network firewall rules on
the client side.

Sometimes in rare cases I have found the problem is caused by error on the FortiGate
device, in this case no one is able to connect to the VPN neither using SSL VPN or
IPsec but the internal networks can go to all local networks and the external internet
connection. In that case a simple reboot of the device solves the problem.

2. Connecting process stops at 80, error “Unable to logon to the

server. Your username or password may not be configured
properly for this connection. (-12)”

As the error states itself the most common problem is that either the username or the
password isn’t matching the one of the device.

Other problems might be:

– the user is not in the correct user group that has VPN access (either the local
firewall group or the LDAP server group if you’re using one)

– there isn’t a corresponding firewall policy rule that allows access for the user group
to any of the internal networks. You need to have the rule from the wan interface to
one of the internal interfaces with action SSL-VPN and select the group of users
which will have access, check if your user is in correct group.

– you might be trying to connect to VPN from the wrong side of the interface (from
one of your internal networks or from the network of one of the sites you already
have a site to site connection.
– UPDATE: Special characters are being used in the password. (See this serverfault
thread)

3. Connecting process stops at 40, error “Unable to establish the

VPN connection. The VPN server may be unreachable -5”

As you can see in one of my earlier posts “the vpn server may be unreachable. (-5)”,
the problem can sometimes be caused by some sort of VNC server on the machine.

Other possible problems can be:

– the firewall rules on local machine, or on the network gateway ( I have rarely found
this to be the problem with this error)

– problems with the FortiGate device, in most of the time the device would be the
problem and the problem would go away after the reboot of the FortiGate device, but
would come again after the few days. In this case the problem would most of the time
be with the extensive logging of the traffic and the events on the device. So try to
remove traffic logging on some of the rules or events.

http://tipsnetworking.blogspot.co.za/2015/05/forticlient-vpn-ssl-stops-at-40_27.html

Forticlient VPN SSL Stops at 40%

It is very strange your computer can not manage login to VPN via forticlient. you try connect
to VPN SSL Fortigate and stop at 40% , and come out message error "Unable to establish the
VPN connection. The VPN server may be unreachable (-5)".

There is two ways fix this problem.

Change your MTU interface computer via command

prompt
o Click the "Windows Button" on the task bar.
o Click "All Programs".
o Click "Accessories".
o Right Click on "Command Prompt" then click "Run as adminstrator".
o Then type "netsh interface ipv4 show subinterface".
o Press Enter
you will see a list of network interface

Note :
 If your connection using wireless then change MTU on "Wirelless Network Connection"
 If you connection using cable then change MTU on "Local Area Network"

o Type "netsh interface ip4 set subinterface wireless network connection

mtu=1300 store=persistent"
o Press Enter and restart your computer

Change your interface MTU computer using Register

Editor
o Open regedit as an administrator account
o Navigate to HKLM\System\CurrentControlSet\Services\tcpip\parameters\
interface\[Choose the interface in the question] (Do this by checking the correct IP address is
in the setting under this key for the adapter you are configuring)
o Once your are in the correct key for your interface, right-click and select new DWORD
value (32bit)
o Call it MTU
o Change the Hexadecimal value equal to the setting 514

o Close the Register Editor window and restart your computer

Now you able to login VPN SSL Fortigate without any problem

39 comments:
1.

Bradley WhiteAugust 23, 2015 at 7:48 PM

Thank you for advice and VPN client.

Visit this site.
top10-bestvpn.com
Reply

2.

Richard B. McCallSeptember 17, 2015 at 5:28 PM

This comment has been removed by the author.

Reply

3.

Richard B. McCallSeptember 23, 2015 at 12:04 AM

Thank you.Cool advice for VPN client.Nice manual and configuration for it.
http://10webhostingservice.com/
Reply

4.
 Luke de WetSeptember 29, 2015 at 9:31 PM

Unfortunately did not resolve my problem. Still get 40, server not found error
Reply

5.

Misono DwiyogaSeptember 30, 2015 at 11:21 AM

Hi Luke,
did you already change MTU for the correct interface? please try do ping [ip address of your VPN SSL] -
l 1400 -f, if you get result "Packet needs to be fragmented but DF set."
and please try change the MTU with 1400 not 1300
Reply

6.

Waleed CordyDecember 17, 2015 at 7:17 PM

That was very helpful , working now.. :)

Reply

7.

MuthuJanuary 7, 2016 at 5:52 AM

Not working for me :(

Reply

8.

JACFebruary 6, 2016 at 5:04 AM

I have the same problem but your sugestion didn't solve my problem :(
Reply

9.

Brett DarlingFebruary 29, 2016 at 9:53 AM

The fix for me was:

Control Panel > Internet Options > Advanced > Security ensure TLS 1.1 and TLS 1.2 are enabled.
Reply

Replies

1.

YasinApril 22, 2016 at 8:29 PM

Thanks Brett it worked for me god bless you

2.

Ibrahim AmbusaidiJune 21, 2016 at 2:03 PM

Thanks Brett it worked for me.

3.

Shiva KumarJuly 6, 2016 at 7:20 PM

Thanks Brett...your are a master.

4.

Guillermo AlayzaAugust 25, 2016 at 8:46 PM

This solution worked for me. After trying a bunch stuff.

Thanks!!!

5.

buce triasSeptember 9, 2016 at 9:59 AM

Alhamdulillah.. thanks brother

6.

manISeptember 26, 2016 at 1:20 PM

FInally this solved my problem on a very monday morning, Thank you.

7.

UnknownOctober 5, 2016 at 8:56 PM

THANK YOU SO MUCH... I've googled everything there is and this is solution of this problem.
You are the best!!!

8.

Danny MeyerDecember 2, 2016 at 8:08 PM

this solution worked for me! I haven't even attempted Misono's solution.
Thanks Brett!

9.

Andre TiburcioDecember 31, 2016 at 5:35 AM

That was the solution, after 3 hours and a terrible Fortinet Debug Log file!!!
10.

5000April 3, 2017 at 7:40 PM

Brett you are the man

11.

UnknownApril 5, 2017 at 5:35 PM

Hi We tryed this option , it work on one machine , and other mchine its greyed ticked ,still not
working.

Please help.

12.

Victor ReyesApril 18, 2017 at 6:28 AM

This comment has been removed by the author.

Reply

10.

Diego PardoMarch 2, 2016 at 8:49 PM

Thanks Brett Darling !! Excellent

Reply

11.

UnknownMarch 4, 2016 at 6:15 PM

Thank you Brett _ VPN started working with your suggestion.

Reply

12.

Misono DwiyogaMarch 5, 2016 at 7:22 AM

Thanks brett for your share....
Reply

13.

ChrisMarch 23, 2016 at 1:23 AM

Thank you, Brett Darling!

"Control Panel > Internet Options > Advanced" and there a reset of all settings did it for me! :-)
Reply
14.

VijayMarch 27, 2016 at 2:48 PM

In have changed the mtu of my wireless connection interface to 1300/.Still no luck,I am facing the same
issue.

(Canopy 64bit) C:\WINDOWS\system32>netsh interface ipv4 show subinterface

MTU MediaSenseState Bytes In Bytes Out Interface

------ --------------- --------- --------- -------------
1300 1 17372466 1266982 Wireless Network Connection
1500 5 0 0 Local Area Connection* 2
4294967295 1 0 22442 Loopback Pseudo-Interface 1
1500 5 0 0 Bluetooth Network Connection
1500 5 0 0 Local Area Connection* 3
1500 5 0 0 Ethernet
1500 5 0 0 Local Area Connection
Reply

15.

UnknownMarch 30, 2016 at 1:50 PM

Brett Darling: Thanks!!! Its works!

Reply

16.

danny55July 13, 2016 at 4:00 AM

Thanks
Reply

17.

Matthias TanJuly 27, 2016 at 11:17 AM

Brett Darling: It's working!!!!

Reply

18.

Chris SzellAugust 3, 2016 at 7:56 PM

We faced a similar issue, however our fix was to enable the TLS 1.1. and 1.2 in the advanced options of
Internet Explorer. Once we did that, users with Windows 7 could connect to Forticlient 5.4.1 or below.
Reply

19.

Chris SzellAugust 3, 2016 at 7:56 PM

 We faced a similar issue, however our fix was to enable the TLS 1.1. and 1.2 in the advanced options of
Internet Explorer. Once we did that, users with Windows 7 could connect to Forticlient 5.4.1 or below.
Reply

20.

Rafiq AhmedSeptember 19, 2016 at 4:39 PM

yes finally it worked for me. after enabling the TLS 1.1 and 1.2
Reply

21.

UnknownDecember 6, 2016 at 5:53 PM

My IE work offline make problem.

Reply

22.

Alexander RiesDecember 15, 2016 at 3:42 AM

Thanks, great article and it is really helpful! I found the endsolution

http://www.layer8.one/fortigate-sslvpn-connecting-40-unable-to-establish-the-vpn-connection-the-vpn-
server-may-be-unreachable-5/
Reply

23.

Swapnil PatilFebruary 13, 2017 at 12:18 PM

i tried TLS 1.1. and 1.2 in and its worked

thanks for sharing

Reply

24.

Andile QwabeApril 5, 2017 at 6:33 PM

the TLS 1.1 and 1.2 are greyed out please help.
Reply

Replies

1.

Andile QwabeApril 5, 2017 at 6:36 PM

TLS Settings are ticked but grayed out , and still can connect. Please help.
2.

shindehrushiApril 11, 2017 at 3:43 PM

try creating New USer profile for your windows login with Administrator rights and Done !!
it worked for me
Reply

25.

shindehrushiApril 11, 2017 at 3:42 PM

Hello,
If nothing goes well, simply create New USer profile for your windows login with Administrator and Done
!!
Use VPN in new profile

Thanks
Reply