Monday, June 13, 2022

FortiClient - RSA New Pin Is Wrong (-7201) error

This message is somewhat misleading.

One of our users was attempting to log in to the VPN and their Active Directory password had expired.
When they tried to follow the prompts to enter a new password, they received the above error message.

The root cause was that the new password they were trying to use did not meet the Active Directory password complexity requirements.

So while the error message itself is pretty generic, it appears to be simply what the back-end RADIUS server returned when the new password was rejected. The FortiGate relays that reject as-is; there is not much it can do to further interpret the error.
It would be up to the RADIUS vendor to send a more descriptive error message.

Wednesday, March 23, 2022

Problems with FortiClient 7.0.2 and Firefox

We noticed during recent testing that FortiClient 7.0.2 has an issue with Firefox, specifically with Google services such as Google Search and Gmail.

With web filtering enabled on the client, the initial connection to Google would work in Firefox, but after a minute or so nothing would happen when refreshing the browser session.

The root cause appears to be related to TLS 1.3 0-RTT (Zero Round Trip Time) early data and only affects Firefox, not other browsers. Fortinet has tracked this as bug ID 766869.

The issue is resolved in FortiClient 7.0.3. As a workaround, disable 0-RTT in Firefox with the following procedure:

In the Firefox browser window:

  • Open about:config
  • Search for security.tls.enable_0rtt_data
  • Set the value to false
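The same pref can be set without touching about:config by hand, which matters if the workaround has to be pushed to many machines while waiting for the 7.0.3 upgrade. The script below is an added example, not code from the original post, from Fortinet or from Mozilla: it writes a user_pref() line for security.tls.enable_0rtt_data into a profile's user.js, which Firefox reads at startup and applies over prefs.js. It assumes Firefox is closed while the file is edited and that profiles live under the usual Linux path (the macOS and Windows paths in the comment are the standard ones); the function and variable names are my own.

```shell
#!/bin/sh
# Added example: apply the Firefox 0-RTT workaround via user.js instead of
# about:config. user_pref() lines in <profile>/user.js are re-applied on every
# Firefox start, so the setting survives prefs.js rewrites.
# Assumptions: Firefox is not running while the file is edited; profile
# directories are passed in or discovered under the usual Linux root.

PREF_NAME="security.tls.enable_0rtt_data"
PREF_LINE="user_pref(\"${PREF_NAME}\", false);"

# Write or update the pref in <profile_dir>/user.js. Idempotent: any existing
# line for this pref (true or false) is dropped and a single "false" line is
# appended; every other line in user.js is left untouched.
set_firefox_0rtt_off() {
    profile_dir="$1"
    [ -d "$profile_dir" ] || return 1
    user_js="$profile_dir/user.js"
    tmp="$user_js.tmp"
    if [ -f "$user_js" ]; then
        # grep -v exits 1 when nothing survives the filter; that is not an error here.
        grep -v "\"${PREF_NAME}\"" "$user_js" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s\n' "$PREF_LINE" >> "$tmp"
    mv "$tmp" "$user_js"
}

# Report what user.js currently says for the pref: "false", "true" or "unset".
# Useful as a before/after check when rolling the change out.
get_firefox_0rtt_pref() {
    user_js="$1/user.js"
    [ -f "$user_js" ] || { echo unset; return 0; }
    line=$(grep "\"${PREF_NAME}\"" "$user_js" | tail -n 1)
    case "$line" in
        *false*) echo false ;;
        *true*)  echo true ;;
        *)       echo unset ;;
    esac
}

# Apply to every profile under a profiles root. Default is the Linux location;
# macOS uses ~/Library/Application Support/Firefox/Profiles and Windows
# %APPDATA%\Mozilla\Firefox\Profiles. Only directories holding a prefs.js are
# treated as real profiles. Not invoked automatically; call it yourself.
apply_to_all_profiles() {
    root="${1:-$HOME/.mozilla/firefox}"
    for d in "$root"/*/; do
        [ -f "$d/prefs.js" ] || continue
        set_firefox_0rtt_off "$d" && echo "updated $d"
    done
}
```

Run `apply_to_all_profiles` with Firefox closed, then confirm with `get_firefox_0rtt_pref <profile_dir>`; once FortiClient 7.0.3 is deployed, remove the line again so Firefox can resume using 0-RTT.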

Wednesday, September 2, 2020

FortiClient EMS Cloud Login Problem - Solved

I noticed today that when you log out from your cloud-based FortiClient EMS instance and then try to log in again, you receive the following error message in Firefox:

{"result": {"retval": 0, "message": "Local signin is not available in EMS Cloud"}} 

It appears to be a cookie-related issue in Firefox. When I delete any cookies in the browser referencing "forticlient", I am able to log in normally.
Also, this appears to be limited to Firefox, as Chrome works fine even without touching the cookies.

Thursday, August 23, 2018

Beware - Upgrade to FortiOS 5.6.3+ with IPSec VPNs

If you are upgrading from FortiOS 5.4.5, 5.4.6, or 5.4.7 to 5.6.3, the IPsec phase1 psksecret (pre-shared key) setting might be lost. To avoid this, upgrade to FortiOS 5.6.2 first and then to 5.6.3. If the psksecret setting is lost, you will need to reconfigure it after upgrading.

Even if you have saved configs, you will still need to re-enter the pre-shared keys, since FortiOS 5.6.3 will not accept the encrypted psksecret values pasted from a 5.4.x configuration.
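A way to confirm which tunnels need their key re-entered, as an added example and not Fortinet tooling: the script below parses a FortiOS configuration backup, walks the config vpn ipsec phase1-interface (or phase1) block and reports per tunnel whether a set psksecret line is present, then compares a backup taken before the upgrade with one taken after it. The two sample backups are constructed for the example, tunnel names are assumed not to contain spaces, and the function names are mine.

```shell
#!/bin/sh
# Added example: detect IPsec phase1 entries whose psksecret disappeared across
# a FortiOS upgrade by comparing two configuration backups (plain text, as
# downloaded from the GUI or "show full-configuration"). Not Fortinet code.

# Print "<tunnel-name> present|missing" for every edit entry inside the
# "config vpn ipsec phase1-interface" / "config vpn ipsec phase1" blocks.
# Assumes tunnel names have no spaces; tolerates CRLF line endings.
list_phase1_psk_status() {
    awk '
        /^config vpn ipsec phase1(-interface)?[ \t\r]*$/ { inblk = 1; next }
        inblk && /^[ \t]*edit / {
            n = $0
            sub(/^[ \t]*edit[ \t]+/, "", n)   # strip the keyword
            gsub(/"/, "", n)                  # strip the quotes around the name
            sub(/[ \t\r]*$/, "", n)
            name = n; has = "missing"
        }
        inblk && /^[ \t]*set psksecret / { has = "present" }
        inblk && /^[ \t]*next[ \t\r]*$/  { print name, has }
        inblk && /^end[ \t\r]*$/         { inblk = 0 }
    ' "$1"
}

# Print the names of tunnels that had a psksecret in the pre-upgrade backup
# but have none in the post-upgrade backup. Tunnels that were added, removed,
# or never had a key are not reported.
psk_lost_after_upgrade() {
    {
        list_phase1_psk_status "$1" | sed 's/^/pre /'
        list_phase1_psk_status "$2" | sed 's/^/post /'
    } | awk '
        $1 == "pre"  && $3 == "present" { pre[$2] = 1 }
        $1 == "post" && $3 == "missing" { post[$2] = 1 }
        END { for (n in pre) if (n in post) print n }
    ' | sort
}

# Constructed sample backups (not real customer configs). The post-upgrade
# copy models the bug described above: "to-hq" lost its psksecret, "to-dr" kept it.
write_sample_pre_config() {
cat > "$1" <<'EOF'
config system global
    set hostname "FGT-branch"
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set psksecret ENC AbCdEf0123456789
    next
    edit "to-dr"
        set interface "wan1"
        set proposal aes256-sha256
        set psksecret ENC ZyXwVu9876543210
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
    next
end
EOF
}

write_sample_post_config() {
cat > "$1" <<'EOF'
config system global
    set hostname "FGT-branch"
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
    next
    edit "to-dr"
        set interface "wan1"
        set proposal aes256-sha256
        set psksecret ENC ZyXwVu9876543210
    next
end
EOF
}
```

Usage against real backups: `psk_lost_after_upgrade before.conf after.conf`; each name printed is a tunnel whose key must be typed in again on the 5.6.3 box, because pasting the ENC value from the 5.4.x file will be rejected.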

Ironically, Fortinet's support site states that the "recommended" upgrade path is from 5.4.5 directly to 5.6.3 - see screenshot below.