This article describes how to check the TLS version offered by a client machine that is trying to connect to an SSL VPN with FortiClient.
Some FortiClient machines may show the following error when trying to connect:
The error indicates that the client and the FortiGate could not agree on a TLS version.
The SSL VPN debug on the FortiGate (diagnose debug application sslvpn -1, followed by diagnose debug enable) also reports 'unsupported protocol' for the connection the client is trying to initiate.
By default a FortiGate accepts SSL VPN connections only from clients that offer TLS 1.2 or later (ssl-min-proto-ver tls1-2 under config vpn ssl settings), so a client whose highest offered version is TLS 1.1 or lower is rejected.
Scope
FortiGate.
Solution
To check the TLS version offered by the client machine, perform a packet capture on the FortiGate interface that accepts SSL VPN connections (normally the external/WAN interface).
From GUI
Step 1: Go to Network > Packet Capture and select 'Create New'. Filter on the external interface and on the port the SSL VPN listens on (the port configured under VPN > SSL-VPN Settings).
Step 2: Run the packet capture, then initiate the connection from FortiClient.
Step 3: Stop the capture and download the .pcap file.
Step 4: Open the .pcap file in Wireshark.
Step 5: Look for the TLS Client Hello sent by the source IP of the FortiClient machine (its public IP when it connects across the Internet); it follows the TCP three-way handshake.
Step 6: Select the TLS Client Hello and expand 'Transport Layer Security', then 'Handshake Protocol: Client Hello'.
The 'Version' field inside the Client Hello is the highest version a pre-TLS 1.3 client offers. A TLS 1.3 client sets that field to TLS 1.2 (0x0303) for compatibility and lists the versions it really offers in the 'supported_versions' extension further down, so check that extension when it is present. The version at the record layer (usually TLS 1.0, 0x0301) is only a compatibility value and does not reflect what the client supports.
Only Client Hello packets can be shown in Wireshark with the display filter:
tls.handshake.type == 1
The fields tls.handshake.version and tls.handshake.extensions.supported_version can be used in the same way to filter on the offered versions.
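The same check performed by hand in Wireshark above, as an added example that is not part of the original article or of any Fortinet tool: a small Python parser that reads one TLS record carrying a Client Hello, reports the record-layer version, the handshake (legacy) version and the supported_versions extension, and compares the highest offered version with the FortiGate default minimum of TLS 1.2. The three sample Client Hello records are constructed in the script (they are not taken from a capture) to show the three cases a practitioner meets: an old client offering only TLS 1.0, a plain TLS 1.2 client, and a TLS 1.3 client whose handshake version field still reads TLS 1.2.

```python
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
HANDSHAKE = 0x16                 # TLS record content type
CLIENT_HELLO = 0x01              # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 section 4.2.1
FORTIGATE_DEFAULT_MIN = 0x0303   # ssl-min-proto-ver tls1-2


def version_name(v: int) -> str:
    return VERSION_NAMES.get(v, "0x%04x" % v)


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello and return its version fields.

    The fields returned mirror what Wireshark shows under 'Transport Layer
    Security': the record-layer version, the legacy handshake version, and the
    supported_versions extension a TLS 1.3 client uses to offer 1.3.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                   # version + random
    pos += 1 + hello[pos]                           # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                           # compression methods

    supported = []
    if pos < len(hello):                            # extensions are optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                # one length byte, then a list of 2-byte versions
                supported = [struct.unpack("!H", data[i:i + 2])[0]
                             for i in range(1, 1 + data[0], 2)]
    return {"record_version": record_version, "legacy_version": legacy_version,
            "supported_versions": supported, "cipher_suites": cipher_suites}


def highest_offered(info: dict) -> int:
    """Highest version the client offers: supported_versions wins over the legacy field."""
    return max(info["supported_versions"]) if info["supported_versions"] else info["legacy_version"]


def meets_minimum(record: bytes, minimum: int = FORTIGATE_DEFAULT_MIN) -> bool:
    """True if the client offers at least `minimum`, i.e. the FortiGate will not reject it."""
    return highest_offered(parse_client_hello(record)) >= minimum


def build_client_hello(legacy_version: int, supported_versions=None) -> bytes:
    """Construct a minimal, well-formed ClientHello record (sample data, not a capture)."""
    cipher_suites = b"\x13\x01\xc0\x2f"   # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body = struct.pack("!H", legacy_version) + bytes(range(32))   # fixed 'random' for the sample
    body += b"\x00"                                                # empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                            # null compression only
    exts = b""
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(vlist)]) + vlist
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # real clients send 0x0301 at the record layer of the first ClientHello for compatibility
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed samples: the three cases seen in practice.
SAMPLES = {
    "tls10_only_client": build_client_hello(0x0301),
    "tls12_client": build_client_hello(0x0303),
    "tls13_client": build_client_hello(0x0303, [0x0304, 0x0303]),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        info = parse_client_hello(rec)
        print(name, "record:", version_name(info["record_version"]),
              "handshake:", version_name(info["legacy_version"]),
              "supported_versions:", [version_name(v) for v in info["supported_versions"]],
              "accepted by tls1-2 minimum:", meets_minimum(rec))
```

Run it as is to see the three verdicts; to check a real capture, export the Client Hello packet bytes from Wireshark (File > Export Packet Bytes on the TLS record) and pass them to meets_minimum(). The TLS 1.3 sample is the one that trips people up: its handshake version field reads TLS 1.2, and only supported_versions shows that 1.3 is offered.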
On Windows machines, the TLS versions the system allows a client to negotiate can be checked in 'Internet Options', on the 'Advanced' tab, under the Security section (the 'Use TLS 1.0', 'Use TLS 1.1', 'Use TLS 1.2' and, where available, 'Use TLS 1.3' checkboxes). A machine with TLS 1.2 unchecked cannot offer TLS 1.2 and will be rejected by a FortiGate running with the default minimum version.