jangelis
Staff
March 18, 2026

Troubleshooting Tip: During migration from SSL VPN to IKEv2, LDAPs receive the error 'wrong credentials, eap failed'

Description

This article describes an issue observed when configuring a new dial-up IPsec IKEv2 tunnel to migrate users from SSL VPN, reusing the same LDAP authentication: the user is rejected with the error 'wrong credentials, eap failed'. Despite this, the same user can still connect to the SSL VPN server.

Scope

FortiGate.
Solution

Run the following debugs while the user is connecting.

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 x.x.x.x <----- Public IP of the endpoint.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

 

The following error appears in the debug output:

 

... EAP: EAP entering state RECEIVED
... EAP: parseEapResp: rxResp=1 respId=43 respMethod=21 respVendor=0 respVendorMethod=0
... EAP: EAP entering state INTEGRITY_CHECK
... EAP: EAP entering state METHOD_RESPONSE
... SSL: Received packet(len=13) - Flags 0x00
... SSL: Received packet: Flags 0x0 Message Length 0
... SSL: (where=0x4004 ret=0x22d)
... SSL: SSL3 alert: read (remote end reported an error):fatal:certificate expired
... SSL: (where=0x2002 ret=0xffffffff)
... SSL: SSL_accept:error in error
... OpenSSL: openssl_handshake - SSL_connect error:0A000415:SSL routines::ssl/tls alert certificate expired
... SSL: 0 bytes pending from ssl_out
... SSL: Failed - tls_out available to report error
... EAP-TTLS: PHASE1 -> FAILURE

 

In this case, confirm which certificate is being used for EAP-TLS:

 

get system global | grep wifi
wifi-ca-certificate : Fortinet_Wifi_CA
wifi-certificate    : Fortinet_Wifi

 

The issue might be that these certificates have expired:


[Image: certificate list showing the expired certificates]


These certificates are updated from FortiGuard as part of a certificate bundle, or they come from the built-in bundle included with each firmware release; newer firmware ships with a newer built-in certificate bundle.

Ensure that the latest certificate bundle is installed. The certificate bundle version installed on FortiGate can be confirmed using the following command:

 

FG201F-4 # get system auto-update versions | grep -A7 "Certificate Bundle"
Certificate Bundle
---------
Version: 1.00062
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jan 9 21:57:00 2026
Last Update Attempt: Thu Mar 19 03:52:02 2026
Result: No Updates
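The following script is an added example, not part of the original article: it scans ike/eap_proxy debug output for the TLS alert and the EAP-TTLS phase 1 result to distinguish an expired-certificate failure from a genuine credential failure, and it extracts the installed bundle version from the auto-update output. The sample inputs are constructed from the lines shown above.

```python
import re

# Constructed sample of eap_proxy/ike debug lines, modelled on the article's output (not a real capture).
SAMPLE_DEBUG = """\
... EAP: EAP entering state METHOD_RESPONSE
... SSL: SSL3 alert: read (remote end reported an error):fatal:certificate expired
... OpenSSL: openssl_handshake - SSL_connect error:0A000415:SSL routines::ssl/tls alert certificate expired
... EAP-TTLS: PHASE1 -> FAILURE
"""

# Constructed sample of 'get system auto-update versions | grep -A7 "Certificate Bundle"' output.
SAMPLE_BUNDLE = """\
Certificate Bundle
---------
Version: 1.00062
Contract Expiry Date: n/a
"""

ALERT_RE = re.compile(r"SSL3 alert: read \(remote end reported an error\):fatal:(?P<alert>[\w ]+)")
OPENSSL_RE = re.compile(r"SSL_connect error:(?P<code>[0-9A-F]{8}):")
PHASE_RE = re.compile(r"EAP-TTLS: PHASE1 -> (?P<result>\w+)")
VERSION_RE = re.compile(r"^Version:\s*(?P<ver>\S+)", re.MULTILINE)


def diagnose_eap(debug_text):
    """Summarise why the EAP-TTLS phase 1 (TLS) handshake failed, if it did."""
    result = {"phase1": None, "tls_alert": None, "openssl_code": None, "likely_cause": None}
    for line in debug_text.splitlines():
        if m := PHASE_RE.search(line):
            result["phase1"] = m.group("result")
        if m := ALERT_RE.search(line):
            # The peer's fatal alert names the reason it rejected the server certificate.
            result["tls_alert"] = m.group("alert").strip()
        if m := OPENSSL_RE.search(line):
            result["openssl_code"] = m.group("code")
    if result["phase1"] == "FAILURE" and result["tls_alert"] == "certificate expired":
        # Credentials were never checked: the TLS tunnel failed before the inner auth ran.
        result["likely_cause"] = "expired wifi-certificate / wifi-ca-certificate; update the certificate bundle"
    return result


def bundle_version(cli_text):
    """Return the installed certificate bundle version from the auto-update output."""
    m = VERSION_RE.search(cli_text)
    return m.group("ver") if m else None


if __name__ == "__main__":
    print(diagnose_eap(SAMPLE_DEBUG))
    print("bundle version:", bundle_version(SAMPLE_BUNDLE))
```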

 

For offline units that cannot connect to FortiGuard, the certificate bundle can be manually updated using TFTP. The Fortinet TAC team can provide the certificate bundle package.

To manually import a newer bundle, use the following command:
 
execute vpn certificate ca import bundle <CA bundle filename with .pkg extension> <TFTP server IP>

 


M1kemclain247
Visitor III
May 12, 2026

Good day, I am getting the same error.

Why does the local wifi certificate affect VPN IPsec?