FortiClient SSL VPN Error

VPN Error KB ID 0001795

Problem

I have a FortiGate/FortiClient test bench setup for testing, and its to been used for a while. When I attempted to use it this happened;

FortClient password may not be configured -12 Error

Unable to logon to the server. Your username or password may not be configured properly for this connection. (-12)

While messing around trying to fix it I also got this error;

ortClient VPN Server May be Unreachable -14 Error

Unable to establish the VPN connection. The VPN server may be unreachable. (-14)

Disclaimer: That second error can also be caused if the FortiClient is unlicensed (which you can clearly see, it is.) So this might be a red herring.

VPN Error: Solution

This took ages for me to fix. The common consensus is this is usually caused by a setting in the machines internet properties. Open an administrative command windows and run itnetcpl.cpl The firs this I was asked to do was  > Advanced  >  Reset > Tick Delete Personal Settings > Reset.

FortClient VPN Error

Security > Trusted Sites (set slider to Medium) > Sites > Add in the URL my FortiClient was trying to reach, (yours will be a public IP or DNS name)  > Close.

FortClient VPN Error inetcpl

Advanced Tab > Security > Tick Use SSL 3.0  > Apply > OK.

FortClient Test LDAP

In my case all of these DID NOT solve my problem, I’ve seen strange errors with LDAP username and passwords, so I made sure the firewall could ping the FQDN of the LDAP server, and it successfully authenticated me (I’ve seen the GUI auth test work, and the command line one fail in the past).

FortClient Test LDAP

Then I debugged the SSL VPN and got the following error;

FortClient Debug SSL VPN

Removed for tunnel connection setup timeout.

In the end I changed TWO things and it started to work. Firstly I uninstalled the FortiClient, and installed the latest version.

FortiClient VPN Only

Secondly I looked at my SSL VPN Settings and noticed the group was set to a firewall group and NOT my LDAP (Active Directory) group. which I changed.

FortiNet AD user group

Other possible fixes I found on my trawl – that were not applicable to me;

  • Active Directory User Account (Account or Password Expired)
  • Theres no firewall policy for the SSL VPN Traffic (See this article).
  • Your AD password is using some ‘Odd Characters“, (test with an alphameric password).
  • Your AD user has “user must change the password on next login” enabled.
  • You’re trying to cone too eh SSL VPN fro BEHIND the FortiGate (not outside).

So this seems like a very generic error. If you come up with a different fix, or one that didn’t work for me, but worked for you. Please take the time to post below to help the next technical traveller.

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published.