Skip to main content
Kush_Patel
Staff
Kush_Patel
Staff
August 20, 2025

Troubleshooting Tip: How to resolve the error ‘Not enough buffer for EAP message’ when connecting to a dial-up IKEv2 tunnel VPN with a local user

  • August 20, 2025
  • 0 replies
  • 1634 views
Description

This article describes a scenario that occurs when trying to connect to the dial-up IKEv2 tunnel with a local user without MFA (Multi-Factor Authentication), where the debug output provides the error 'Not enough buffer for EAP message'.
Scope FortiGate 7.4 and above.
Solution

Run the following CLI commands to troubleshoot the issue with the dial-up IKEv2 tunnel:

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

 

The following error can be seen in the output:


2025-08-07 13:03:34 [1503] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Messa
ge_Authenticator_Attr: 0, State_Len: 0
2025-08-07 13:03:34 [2804] fnbamd_rad_result-Error (10) for req 13499276255236
2025-08-07 13:03:34 [133] fnbamd_comm_send_result-Not enough buffer for EAP message
2025-08-07 13:03:34 [239] fnbamd_comm_send_result-Sending result 10 (nid 0) for req 13499276255236, len=6688
2025-08-07 13:03:34.339776 ike V=root:0:ike2-fct:11 EAP 13499276255236 result FNBAM_TIMEOUT
2025-08-07 13:03:34.345554 ike V=root:0:ike2-fct: EAP failed for user "user"
2025-08-07 13:03:34.353568 ike V=root:0:ike2-fct: EAP response is empty
2025-08-07 13:03:34 2025-08-07 13:03:34.358568 ike V=root:0:ike2-fct: connection expiring due to EAP failure
2025-08-07 13:03:34.368264 ike V=root:0:ike2-fct: going to be deleted

 

To resolve this issue, try making sure a certificate exists in 'system.global.wifi-certificate':


config system global

(global) # get | grep wifi
wifi-ca-certificate : 
wifi-certificate : 


If there is any certificate assigned, make sure that the same certificate is in 'vpn.certificate' using the following commands:

 

config vpn certificate local

(local) # get | grep 'certificate_name'

 

If no certificate is assigned, assign a certificate as shown below:

 

config system global

(global) # set wifi-certificate Fortinet_Factory

(global) # set wifi-ca-certificate Fortinet_CA

(global) # end


After that, the local user will be able to connect to the VPN tunnel successfully. IKEv2 makes use of the same EAP proxy that was originally implemented for Wi-Fi, which is why the 'wifi-certificate' is required.
    Terms & ConditionsAccessibility statement