Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiClient 7.4.0 Administration Guide
    7.4.0
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0

    Wrong certificate selected

    Wrong certificate selected

    Similar to the error in No connection, the connection progress stops at 48% and Credential or SSLVPN configuration is wrong (-7200) displays.

    To troubleshoot authentication errors, enable fnbamd debugs on the FortiGate:

    diagnose debug enable

    diagnose debug application fnbamd -1

    Reconnect to the VPN and observe the debugs. If a wrong certificate is selected, the following places may indicate as such:

    [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)

    [352] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)

    When verifying the certificate, there is no certificate chain back to the certificate authority (CA). This indicates one of the following:

    • CA certificate was not installed on the FortiGate.
    • Wrong client certificate is being used to connect.

    This output indicates that the certificate subject field identifies a user called Tom Smith. This indicates that a user certificate is likely being used rather than a machine certificate:

    [366] peer_subject_cn_check-Cert subject 'DC = info, DC = fortiad, OU = Sales, CN = Tom Smith, emailAddress = tsmith@ztnademo.com'

    Previous
    Next

    Wrong certificate selected

    Wrong certificate selected

    Similar to the error in No connection, the connection progress stops at 48% and Credential or SSLVPN configuration is wrong (-7200) displays.

    To troubleshoot authentication errors, enable fnbamd debugs on the FortiGate:

    diagnose debug enable

    diagnose debug application fnbamd -1

    Reconnect to the VPN and observe the debugs. If a wrong certificate is selected, the following places may indicate as such:

    [320] fnbamd_chain_build-Extend chain by system trust store. (no luck)

    [352] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)

    When verifying the certificate, there is no certificate chain back to the certificate authority (CA). This indicates one of the following:

    • CA certificate was not installed on the FortiGate.
    • Wrong client certificate is being used to connect.

    This output indicates that the certificate subject field identifies a user called Tom Smith. This indicates that a user certificate is likely being used rather than a machine certificate:

    [366] peer_subject_cn_check-Cert subject 'DC = info, DC = fortiad, OU = Sales, CN = Tom Smith, emailAddress = tsmith@ztnademo.com'

    Previous
    Next