tpatel
Staff
January 10, 2025

Troubleshooting Tip: Cannot log in to VPN after accepting MFA with SAML SSO on Azure Entra; debug error 'SSLVPN configuration is wrong. (-7200)'

Description

This article describes how to resolve an SSL VPN login failure where the user cannot connect after accepting the MFA prompt of SAML authentication on Azure Entra.

Scope

FortiGate.

Solution

A SAML server is configured on the FortiGate.

After accepting the MFA prompt, the user receives the error 'Credentials or SSL VPN configuration is wrong (-7200)' in FortiClient.

Run the SAML and SSL VPN debugs on the FortiGate:

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable


The SAML debug on the FortiGate shows a time-expired error:


[296:root:a881]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
[296:root:a881]fsv_rmt_saml_login_cb:105 SAML resp 10816.
[296:root:a881]fsv_rmt_saml_login_cb:116 magic id: magic=xxxxxxxxxx
[296:root:a881]fsv_rmt_saml_login_cb:143 idx 1 epoch: 2dc672c5d7e48b18
[296:root:a881]fsv_rmt_saml_login_cb:159 wrong vdom (0:0) or time expired.
[296:root:a881]saml login [296:43137] SAML_ERROR: Error occurred during remote login 'wrong vdom (0:0) or time expired'


For MFA authentication, verify the remote authentication timeout value. The default remote authentication timeout is 5 seconds, and the SAML login must complete within that window, including the user's MFA approval. Increase the timeout to 60 seconds for MFA:


config system global
    set remoteauthtimeout 60
end
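As an added example (not part of the original article), the following Python triage helper parses the samld debug lines in the format quoted above, detects the time-expired failure, reads remoteauthtimeout from a system-global excerpt, and reports whether raising it to 60 seconds is the next step. The sample debug text is the article's own output; the config excerpt is constructed, and the assumption that FortiOS omits settings left at their default is labelled in the code.

```python
import re

# FortiGate debug line shape from the article: "[pid:vdom:session]func:line message".
DEBUG_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](?:(\w+):(\d+) )?(.*)$")
# "set remoteauthtimeout <seconds>" as shown under "config system global".
TIMEOUT_RE = re.compile(r"^\s*set remoteauthtimeout (\d+)\s*$", re.MULTILINE)

TIME_EXPIRED = "wrong vdom (0:0) or time expired"
DEFAULT_TIMEOUT = 5       # FortiOS default remoteauthtimeout, per the article
RECOMMENDED_TIMEOUT = 60  # value the article recommends for MFA

# Constructed sample: the samld lines quoted in the article, plus a config excerpt
# with the default still in place (the 'show' output format is an assumption).
SAMPLE_DEBUG = """\
[296:root:a881]fsv_rmt_saml_login_cb:105 SAML resp 10816.
[296:root:a881]fsv_rmt_saml_login_cb:116 magic id: magic=xxxxxxxxxx
[296:root:a881]fsv_rmt_saml_login_cb:159 wrong vdom (0:0) or time expired.
[296:root:a881]saml login [296:43137] SAML_ERROR: Error occurred during remote login 'wrong vdom (0:0) or time expired'
"""
SAMPLE_CONFIG = "config system global\n    set remoteauthtimeout 5\nend\n"

def parse_debug(text):
    """Split debug output into (pid, vdom, session, func, line, msg) records."""
    records = []
    for raw in text.splitlines():
        m = DEBUG_RE.match(raw.strip())
        if m:
            pid, vdom, sess, func, line, msg = m.groups()
            records.append((int(pid), vdom, sess, func, int(line) if line else None, msg))
    return records

def saml_time_expired(records):
    """True if the samld login callback reported the time-expired failure."""
    return any(TIME_EXPIRED in r[5] for r in records)

def remoteauthtimeout(config_text):
    """Read remoteauthtimeout from a system-global excerpt; assumption: FortiOS
    omits settings left at their default, so a missing line means 5 seconds."""
    m = TIMEOUT_RE.search(config_text)
    return int(m.group(1)) if m else DEFAULT_TIMEOUT

def triage(debug_text, config_text):
    """Turn the debug output and the configured timeout into the next step."""
    if not saml_time_expired(parse_debug(debug_text)):
        return "no SAML time-expired error in debug output"
    t = remoteauthtimeout(config_text)
    if t < RECOMMENDED_TIMEOUT:
        return f"SAML login expired with remoteauthtimeout={t}s; set it to {RECOMMENDED_TIMEOUT}s"
    return f"SAML login expired although remoteauthtimeout={t}s; the timeout is not the cause"

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG, SAMPLE_CONFIG))
```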


Related article:

Technical Tip: SSL VPN error 'wrong vdom (0:0) or time expired.'