When Authentication KeepAlive is enabled, an IPsec VPN that uses SAML authentication does not connect. After the end user enters the Single Sign-On (SAML) credentials, FortiClient reports 'IPSec Connection is down' or returns directly to the 'Connect' page. The debug output collected as described in Technical Tip: Troubleshoot IPsec SAML Dial UP tunnel shows that traffic stops after FortiGate sends the Authentication Keepalive portal redirect; no IKE negotiation is initiated between FortiGate and the end user.

Sample Log:

FortiClient initiated SAML authentication:
[authd_local_saml_auth:5778]: SAML login with UID '2D56XXXXXXXXXXX30A4D3DA0E'.
[authd_http_prepare_javascript_redir:3942]: https://54.252.41.X:9443/saml?070c028b958de7bd
The end user provided the SSO/SAML credentials, and FortiGate received the SAML attributes (username and group):
samld_send_common_reply [95]: Attr: 10, 43, 'username' 'adimailig@fortinet-us.com'
samld_send_common_reply [95]: Attr: 10, 51, 'group' '014XXXXX-XXXX-XXXX-XXXX-XXXXX9a'
[authd_http_on_saml_msg:4612]: user 'adimailig@fortinet-us.com'.
[authd_http_on_saml_msg:4604]: group '014XXXXX-XXXX-XXXX-XXXX-XXXXX9a'.

FortiGate then redirects FortiClient to the KeepAlive portal and the connection stops. An auth cache entry is still created for the SAML user, but no IKE negotiation is initiated:
[authd_http_prepare_javascript_redir:3942]: https://54.252.41.X:9443/keepalive?07060802060e090d
[132] __saml_auth_cache_push-Auth cache created, user='2D56XXXXXXXXXXX30A4D3DA0E', SAML_server='IPSEC_SAML', vfid=0
[139] __saml_auth_cache_push-Hash bucket 198
[186] __saml_auth_cache_push-New auth cache entry is created, user='2D56XXXXXXXXXXX30A4D3DA0E', saml_user='adimailig@fortinet-us.com', expires=1746003434, SAML_server='IPSEC_SAML', vfid=0

The signature of this issue in the debug output is therefore a '/saml' redirect followed by a '/keepalive' redirect with no IKE exchange afterwards. This issue is resolved in FortiOS 7.6.4.
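The following script is an added example, not part of the original article or of any Fortinet tool. It runs the triage described above over the authd/samld debug lines quoted in the article: it extracts the SAML user and group FortiGate accepted, the ordered list of portal redirects it pushed to FortiClient, and the auth cache entry (with the 'expires' epoch converted to UTC), and flags the case where a '/keepalive' redirect follows the '/saml' redirect. The sample input is the article's own log; the regular expressions and the field names in the result dictionary are this example's own assumptions about the line format, not a documented FortiOS schema.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Debug lines quoted in the article above (authd/samld output, trimmed).
# Nothing here was captured for this example; it is the article's sample.
ARTICLE_DEBUG = """\
[authd_local_saml_auth:5778]: SAML login with UID '2D56XXXXXXXXXXX30A4D3DA0E'.
[authd_http_prepare_javascript_redir:3942]: https://54.252.41.X:9443/saml?070c028b958de7bd
samld_send_common_reply [95]: Attr: 10, 43, 'username' 'adimailig@fortinet-us.com'
samld_send_common_reply [95]: Attr: 10, 51, 'group' '014XXXXX-XXXX-XXXX-XXXX-XXXXX9a'
[authd_http_on_saml_msg:4612]: user 'adimailig@fortinet-us.com'.
[authd_http_on_saml_msg:4604]: group '014XXXXX-XXXX-XXXX-XXXX-XXXXX9a'.
[authd_http_prepare_javascript_redir:3942]: https://54.252.41.X:9443/keepalive?07060802060e090d
[132] __saml_auth_cache_push-Auth cache created, user='2D56XXXXXXXXXXX30A4D3DA0E', SAML_server='IPSEC_SAML', vfid=0
[139] __saml_auth_cache_push-Hash bucket 198
[186] __saml_auth_cache_push-New auth cache entry is created, user='2D56XXXXXXXXXXX30A4D3DA0E', saml_user='adimailig@fortinet-us.com', expires=1746003434, SAML_server='IPSEC_SAML', vfid=0
"""

# Patterns assumed from the line shapes shown in the article (not an official schema).
REDIR_RE = re.compile(r"authd_http_prepare_javascript_redir:\d+\]: (\S+)")
SAML_USER_RE = re.compile(r"authd_http_on_saml_msg:\d+\]: user '([^']+)'")
SAML_GROUP_RE = re.compile(r"authd_http_on_saml_msg:\d+\]: group '([^']+)'")
CACHE_RE = re.compile(
    r"New auth cache entry is created, .*?saml_user='([^']+)', expires=(\d+), SAML_server='([^']+)'"
)


def triage(debug_text):
    """Summarise an authd/samld debug capture for the IPsec SAML dial-up case.

    Returns the SAML user/group FortiGate accepted, the ordered portal
    redirect paths sent to FortiClient, whether a /keepalive redirect was
    issued after the /saml redirect, and the auth cache entry if one was made.
    """
    result = {
        "saml_user": None,
        "saml_group": None,
        "redirects": [],
        "keepalive_after_saml": False,
        "cache_entry": None,
    }
    saw_saml_redirect = False
    for line in debug_text.splitlines():
        m = REDIR_RE.search(line)
        if m:
            path = urlparse(m.group(1)).path  # '/saml' or '/keepalive'
            result["redirects"].append(path)
            if path == "/saml":
                saw_saml_redirect = True
            elif path == "/keepalive" and saw_saml_redirect:
                result["keepalive_after_saml"] = True
            continue
        m = SAML_USER_RE.search(line)
        if m:
            result["saml_user"] = m.group(1)
            continue
        m = SAML_GROUP_RE.search(line)
        if m:
            result["saml_group"] = m.group(1)
            continue
        m = CACHE_RE.search(line)
        if m:
            result["cache_entry"] = {
                "saml_user": m.group(1),
                # 'expires' is a Unix epoch; convert so the cache lifetime is readable.
                "expires": datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc),
                "saml_server": m.group(3),
            }
    return result


def verdict(summary):
    """Map the summary to the finding in the article."""
    if summary["saml_user"] is None:
        return "no SAML user received by FortiGate; the failure is before the keepalive step"
    if summary["keepalive_after_saml"]:
        return ("auth-keepalive portal sent after SAML auth, IKE will not start: "
                "set 'auth-keepalive disable' under 'config system global' or upgrade to 7.6.4")
    return "no keepalive redirect after SAML auth; continue with IKE debug"


if __name__ == "__main__":
    summary = triage(ARTICLE_DEBUG)
    print("SAML user:", summary["saml_user"], "group:", summary["saml_group"])
    print("Redirects:", summary["redirects"])
    print("Cache expires:", summary["cache_entry"]["expires"].isoformat())
    print("Verdict:", verdict(summary))
```

Paste the output of the debug commands from the referenced troubleshooting article into ARTICLE_DEBUG (or read it from a file) to apply the same check to a live capture; only the redirect order matters for the verdict, so extra IKE or samld lines in a real capture do not disturb it.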
Workaround: Disable Authentication KeepAlive so that the IPsec VPN with SAML can connect:

config system global
    set auth-keepalive disable
end

Note that auth-keepalive is a global setting: disabling it also removes the keepalive page for users authenticated through firewall policies (see Technical Tip: Authentication keepalive page).

Related articles:
Technical Tip: Troubleshoot IPsec SAML Dial UP tunnel
Technical Tip: Authentication keepalive page
Technical Tip: How to read SAML Debug output