apFortinet
Staff
June 8, 2025

Troubleshooting Tip: IKEv2: unexpected payload type 41

Description

This article describes how to resolve the 'IKEv2: unexpected payload type 41' error seen in IKE debugs while troubleshooting a dial-up IPsec VPN with IKEv2.

Scope

FortiGate, FortiClient 7.4.4+.

Solution

When troubleshooting a dial-up IPsec VPN with IKEv2, the following error is seen in the IKE debugs:

 

ike V=root:0:IPsec-Home-W:17: responder received EAP msg
ike V=root:0:IPsec-Home-W:17: unexpected payload type 41
ike V=root:0:IPsec-Home-W:17: schedule delete of IKE SA de9a206cc7d94ad0/957aa4c9698f726b
ike V=root:0:IPsec-Home-W:17: scheduled delete of IKE SA de9a206cc7d94ad0/957aa4c9698f726b
ike V=root:0:IPsec-Home-W: connection expiring due to phase1 down

 

The following IKE debugs can be run to troubleshoot dial-up IPsec VPN issues:

 

diagnose vpn ike log-filter clear
diagnose vpn ike log-filter src-addr4 x.x.x.x <----- Replace x.x.x.x with the address used to connect the IPsec VPN (e.g., a loopback, secondary or specific IP used for IPsec VPN).
diagnose vpn ike log-filter dst-addr4 x.x.x.x <----- Replace x.x.x.x with the Public IP of the Test user PC.
diagnose debug application ike -1

diagnose debug application fnbamd -1  <----- Enable this to see any authentication issues.
diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debugs:

 

diagnose debug disable

diagnose debug reset 

 

Note:
Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4', and the 'diagnose vpn ike log-filter src-addr4' command to 'diagnose vpn ike log filter loc-addr4'.

 

This issue was reported with FortiClient on both macOS 14 and 15 and on Windows 11. To resolve it, check the pre-shared key on both sides (FortiGate and FortiClient) and make sure that they are the same.

 

ISAKMP payload 41 is 'Notify'. This payload has different sub-types. When the pre-shared key does not match, FortiClient will send a 'Notify type 24 (AUTHENTICATION_FAILED)'.
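To make the Notify sub-type concrete, the following added example (not part of the original article and not Fortinet code) walks a chain of IKEv2 payloads and decodes any Notify payload, using the generic payload header and Notify layout from RFC 7296. The function names and the sample bytes are constructed for illustration; in an IKE_AUTH exchange these payloads sit inside the encrypted payload, so the input is assumed to be already-decrypted payload bytes.

```python
import struct

# Payload number 41 (Notify) and a few Notify error types from RFC 7296.
NOTIFY = 41
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN",
                24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE"}

def walk_payloads(first_type, data):
    """Yield (payload_type, body) for a chain of decrypted IKEv2 payloads."""
    ptype, off = first_type, 0
    while ptype != 0:  # next payload 0 means "no more payloads"
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d" % length)
        yield ptype, data[off + 4:off + length]
        ptype, off = next_type, off + length

def parse_notify(body):
    """Decode a Notify body: protocol ID, SPI size, message type, SPI, data."""
    if len(body) < 4:
        raise ValueError("Notify body shorter than 4 bytes")
    proto, spi_size, msg_type = struct.unpack_from("!BBH", body)
    if 4 + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    return {
        "protocol_id": proto,
        "spi": body[4:4 + spi_size],
        "type": msg_type,
        "name": NOTIFY_TYPES.get(msg_type, "UNKNOWN"),
        "is_error": msg_type < 16384,  # 0-16383 are error types
        "data": body[4 + spi_size:],
    }

def notifies(first_type, data):
    """Return every decoded Notify payload found in the chain."""
    return [parse_notify(b) for t, b in walk_payloads(first_type, data) if t == NOTIFY]

# Constructed sample: one Notify payload (next payload 0, length 8,
# protocol ID 0, SPI size 0, message type 24).
SAMPLE = bytes.fromhex("00000008" "00000018")

if __name__ == "__main__":
    for n in notifies(NOTIFY, SAMPLE):
        print(n["type"], n["name"], "error" if n["is_error"] else "status")
```
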

 
