Troubleshooting Tip: FortiClient free version can connect to SAML IPsec VPN, but FortiClient full client version is unable to connect to SAML IPsec VPN
| Description | This article describes how to troubleshoot a scenario whereby when using the FortiClient free version, the user can connect to SAML IPsec VPN, but when using the FortiClient full version, the user is unable to connect to SAML IPsec VPN. |
| Scope | FortiClient v7.2.4 and above. |
Solution:

IPsec VPN with SAML is supported starting from FortiClient v7.2.4; see IPsec VPN SAML-based authentication.

Test case 1: When using the FortiClient free version, the user can connect to the SAML IPsec VPN.

Test case 2: When using the FortiClient full version, the user is unable to connect to the SAML IPsec VPN.

When reproducing the issue in Test case 2, run the IKE debug on the FortiGate:

```
diagnose debug disable
diagnose debug reset
diagnose debug console timestamp en
diagnose vpn ike log filter rem-addr4 x.x.x.x    <-- Replace x.x.x.x with the endpoint public IP.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug enable
```

The below output can be seen:

```
2024-11-25 00:07:49.678804 ike 0:VPN-SAML1: connection expiring due to phase1 down    <---------
2024-11-25 00:07:49.678822 ike 0:VPN-SAML1: deleting
2024-11-25 00:07:49.678843 ike 0:VPN-SAML1: deleted
2024-11-25 00:07:53.222643 ike 0: comes 71.163.111.183:4500->173.79.222.162:4500,ifindex=7,vrf=0....
2024-11-25 00:07:53.222700 ike 0: IKEv2 exchange=AUTH id=f08b5ff17757de23/feb6fae6e6da1398:00000001 len=672
```

To disable the debugs on the FortiGate:

```
diagnose debug disable
diagnose debug reset
```

In the FortiClient logs, the below output can be seen:

```
[2024-11-25 00:47:05.6197183 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
[2024-11-25 00:52:51.9251778 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
[2024-11-25 00:59:27.0425154 UTC-04:00] [1480:7836] [FortiVPN 1874 error] fortivpn::StateMachine::HandleTunnelConnectFailed session 1's (companyA\imageadmin) vpn connection failed (reason: "Failed Unknown")
[2024-11-25 00:59:27.0434631 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
```

This can be due to EAP not being enabled in the FortiClient EMS endpoint profile. To fix this, go to FortiClient EMS -> Endpoint Profiles -> Remote Access -> (select) -> Edit -> (select the tunnel) -> Edit -> Advanced Settings -> Turn on 'Enable XAuth' -> Save the tunnel -> Save the profile.

Related article:
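The two log excerpts above are easy to misread when a support case arrives with hundreds of lines of FortiClient and FortiGate output. The following triage script is an added example (not Fortinet code and not part of the original article): it parses FortiClient VPN log lines and FortiGate `diagnose debug application ike -1` output, counts the tunnel disconnect and connect-failed events per session, and reports whether the combination matches the pattern this article describes (phase1 torn down and deleted on the gateway, a fresh IKEv2 AUTH exchange right after, and "Failed Unknown" plus repeated "disconnected unexpectedly" on the client). The sample log text embedded in the script is constructed for the example, modelled on the article's excerpts; the event names and regexes are assumptions about the log format, not a documented schema.

```python
import json
import re
from collections import Counter

# Constructed sample input for this example, modelled on the article's excerpts.
FORTICLIENT_LOG = r"""[2024-11-25 00:47:05.6197183 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
[2024-11-25 00:52:51.9251778 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
[2024-11-25 00:59:27.0425154 UTC-04:00] [1480:7836] [FortiVPN 1874 error] fortivpn::StateMachine::HandleTunnelConnectFailed session 1's (companyA\imageadmin) vpn connection failed (reason: "Failed Unknown")
[2024-11-25 00:59:27.0434631 UTC-04:00] [1480:7836] [FortiVPN 2223 error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (companyA\imageadmin) "SAML-VPN" disconnected unexpectedly!
"""

FORTIGATE_IKE_DEBUG = """2024-11-25 00:07:49.678804 ike 0:VPN-SAML1: connection expiring due to phase1 down
2024-11-25 00:07:49.678822 ike 0:VPN-SAML1: deleting
2024-11-25 00:07:49.678843 ike 0:VPN-SAML1: deleted
2024-11-25 00:07:53.222643 ike 0: comes 71.163.111.183:4500->173.79.222.162:4500,ifindex=7,vrf=0....
2024-11-25 00:07:53.222700 ike 0: IKEv2 exchange=AUTH id=f08b5ff17757de23/feb6fae6e6da1398:00000001 len=672
"""

# Assumed line layouts, derived from the excerpts above (not a documented schema).
CLIENT_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ UTC[+-]\d{2}:\d{2}\] "
    r"\[\d+:\d+\] \[FortiVPN (?P<code>\d+) (?P<level>\w+)\] (?P<msg>.*)$"
)
SESSION_RE = re.compile(r"session (?P<session>\d+)(?:'s)? \((?P<user>[^)]+)\)")
TUNNEL_RE = re.compile(r'"(?P<tunnel>[^"]+)" disconnected unexpectedly')
REASON_RE = re.compile(r'reason: "(?P<reason>[^"]*)"')
GATE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) ike \d+:"
    r"(?:(?P<name>[^\s:]+):)? ?(?P<msg>.*)$"
)


def parse_forticlient(text):
    """Turn FortiClient FortiVPN log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if "HandleTunnelDisconnected" in msg:
            kind = "disconnected"
        elif "HandleTunnelConnectFailed" in msg:
            kind = "connect_failed"
        else:
            kind = "other"
        s, t, r = SESSION_RE.search(msg), TUNNEL_RE.search(msg), REASON_RE.search(msg)
        events.append({
            "ts": m["ts"], "code": int(m["code"]), "level": m["level"], "kind": kind,
            "session": int(s["session"]) if s else None, "user": s["user"] if s else None,
            "tunnel": t["tunnel"] if t else None, "reason": r["reason"] if r else None,
        })
    return events


def parse_fortigate_ike(text):
    """Turn FortiGate IKE debug lines into event dicts; tunnel name is None for 'ike 0:' lines."""
    events = []
    for line in text.splitlines():
        m = GATE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if "phase1 down" in msg:
            kind = "phase1_down"
        elif msg == "deleted":
            kind = "deleted"
        elif "exchange=AUTH" in msg:
            kind = "auth_exchange"
        else:
            kind = "other"
        events.append({"ts": m["ts"], "name": m["name"], "msg": msg, "kind": kind})
    return events


def triage(client_events, gate_events):
    """Summarise both logs and say whether they match the article's symptom."""
    per_session, reasons, users = Counter(), Counter(), set()
    for e in client_events:
        if e["kind"] == "disconnected":
            per_session[e["session"]] += 1
        elif e["kind"] == "connect_failed":
            reasons[e["reason"]] += 1
        if e["user"]:
            users.add(e["user"])
    kinds = [e["kind"] for e in gate_events]
    # Gateway side of the pattern: phase1 goes down, the tunnel is deleted, and the
    # endpoint then starts a fresh IKEv2 AUTH exchange instead of staying connected.
    gateway_pattern = ("phase1_down" in kinds and "deleted" in kinds and "auth_exchange" in kinds
                       and kinds.index("phase1_down") < kinds.index("auth_exchange"))
    client_pattern = bool(per_session) and reasons.get("Failed Unknown", 0) > 0
    matches = gateway_pattern and client_pattern
    return {
        "disconnects_per_session": dict(per_session),
        "connect_failed_reasons": dict(reasons),
        "users": sorted(users),
        "gateway_pattern": gateway_pattern,
        "client_pattern": client_pattern,
        "matches_article_symptom": matches,
        "next_check": ("confirm 'Enable XAuth' is on under Advanced Settings of the tunnel in the "
                       "EMS Remote Access profile" if matches
                       else "symptom does not match this article; keep the IKE debug running"),
    }


def run_sample():
    """Triage the embedded sample logs (used by the usage call below)."""
    return triage(parse_forticlient(FORTICLIENT_LOG), parse_fortigate_ike(FORTIGATE_IKE_DEBUG))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Feed real logs by replacing the two sample strings with the contents of the FortiClient log export and the FortiGate debug capture; the per-session disconnect counter is the quickest way to tell one flapping SAML-VPN session (as in the article) from many unrelated users dropping at once, which would point away from a single EMS profile setting.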
