How to fix: FortiClient Connection Error -112

This error is from Big Sur, but a similar message appears on Windows and other MacOS versions.

Problem: Some users trying to connect to VPN using FortiClient receive the error “Connection Error!” This error appears with no apparent pattern in OS or FortiClient version.

This error on its own is not helpful. For more detail export the FortiClient logs and open fortiagent.log:

20210524 13:07:34.070 [sslvpn:INFO] unknown:0 try to get cookie for the first time
20210524 13:07:35.084 [sslvpn:EROR] unknown:0 no SVPNCOOKIE found
20210524 13:07:35.085 [sslvpn:EROR] libsslvpn:587 Failed to login to fortigate : -112
20210524 13:07:35.085 [fctgui:EROR] FCTVpnConnection:1704 -112 -
20210524 13:07:35.085 [fctgui:INFO] FCTVpnConnection:1760 failure happens so terminate this vpn connection

“Failed to login to fortigate : -112” was a consistent error on the non-working clients. I also noted codes -111 and -113 on a couple machines. Most of my research into this error indicates that it can be resolved by trying different versions of the client. Try it, it may work for you. But for me I tried several different versions with no luck. I had to keep digging.

In my case this error is caused by how we used AD to provision VPN. We use nested security groups and gave the parent group VPN access. Normally this is a good practice as it makes management easy but the FortiGate didn’t like it. The result was that some users worked just fine while others didn’t. The ones who did work were direct members of the group.

How to fix: You could change your AD group membership and add people directly, but if you have a lot of users that’s not ideal. Instead, modify the VPN User Group on the FortiGate so that the nested AD groups are specified directly in the Remote Groups section. You can specify multiple groups.

Add your nested groups directly to the Remote Groups