Skip to main content
ssanga
Staff & Editor
ssanga
Staff & Editor
January 9, 2026

Technical Tip: Dial-up IPsec VPN fails to connect for users with large group names or many groups

  • January 9, 2026
  • 0 replies
  • 1113 views
Description

This article describes an issue where dial-up IPsec VPN users may fail to connect if the authentication server returns large group names or many groups.
Scope

FortiGate IKEv2.

FortiOS v7.4.9 and earlier, v7.6.4 and earlier.
Solution

VPN users may fail to connect to a dial-up IPsec VPN when the user belongs to multiple groups.
On affected firmware versions, the maximum RADIUS packet size that the EAP proxy can successfully receive internally from the fnbamd daemon is 8192 bytes. Messages larger than the maximum are discarded, and the fnbamd daemon shows a RADIUS connection timeout.

During the issue, the following logs may be seen in fnbamd and eap_proxy debugs.

 

diagnose debug application fnbamd -1

diagnose debug application eap_proxy -1

diagnose debug enable

.

.

[1175] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 127.0.0.1:1812, source address is null, protocol number is 17, oif id is 0
[354] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
RADIUS SRV: Received 8192 bytes from 127.0.0.1:2002
[871] __rad_rxtx-Sent radius req to server 'EAP_PROXY': fd=11, IP=127.0.0.1(127.0.0.1:1812) code=1 id=3 len=9709 <<<<<<<
[880] __rad_rxtx-Start rad conn timer.
RADIUS SRV: Received data - hexdump(len=8192):
01 03 25 ed 82 c4 79 cf 99 b4 eb 72 3b ae c3 89 e7 3a 23 ad 4f 27 02 4b 00 25 01 34 39 32 36 45
.
.
RADIUS: Invalid message length
RADIUS SRV: Parsing incoming RADIUS frame failed
[731] __rad_conn_timeout-Connction with EAP_PROXY:127.0.0.1 timed out.


In the following firmware versions, the maximum EAP message size has been increased, which increases the maximum number of groups that can be successfully received:

 

 

These timelines for firmware release are estimated and may be subject to change.
General debug information required by FortiGate TAC for investigation:

  • Debugs:

 

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug application samld -1
diagnose debug enable

 

Reproduce the issue. Disable the debug with:


diagnose debug reset

diagnose debug disable

 

  • TAC Report:

execute tac report

 

Or:

 

diagnose debug report

 

The following article also shows steps to collect the debug logs & TAC report: Technical Tip: Download Debug Logs and 'execute tac report'.

 

  • Configuration file of the FortiGate.
    Terms & ConditionsAccessibility statement