Troubleshooting Tip: Unable to establish the dial-up VPN connection as it gets stuck at the X Auth stage
| Description | This article describes an issue where dial-up VPN users, including local users, are not authenticated on a FortiGate device. |
|---|---|
| Scope | FortiGate. |

**Solution**

The Phase 1 and Phase 2 configurations have been validated: all parameters match on both sides and the XAuth configuration is in place. The user is nevertheless unable to connect to the VPN because the XAuth request is denied. For the VPN debug commands, refer to the following article: Troubleshooting Tip: IPsec VPN tunnels.

Note: The debug output below comes from enabling the debugging described in the linked article.

```
2025-05-11 10:17:29.727061 ike V=root:0:Temp_0:6: received XAUTH_USER_NAME 'test1' length 8
```

This issue occurs because the fnbamd daemon (the process that handles authentication requests on the FortiGate) is being invoked multiple times, most likely because of resource constraints on CPU or memory. Check its resource usage with:

```
diagnose system top 2 20
fnbamd      2073      S       99.9     4.2     0   <----- Consuming high CPU.
```

Another possible cause is that the daemon is crashing. Check the crash log with:

```
diagnose debug crashlog read
```

One cause of fnbamd crashing is HTTPS administrative access enabled on the WAN interface. Invalid login attempts arriving from the internet are handed to fnbamd and can amount to a DoS against the WAN interface, causing fnbamd to crash or to consume high CPU or memory. fnbamd then becomes unavailable for new authentication requests, dial-up VPN users fail to authenticate, and their VPN connections fail.

Solution: Disable HTTPS on the WAN interface. Before disabling the HTTPS option on the WAN, ensure that access to the firewall through a LAN cable or via VPN is available, so that management access is not lost.
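As an added example that is not part of the original article, the FortiOS CLI change the solution describes, with the exposed setting shown beside the corrected one; the interface names `wan1` and `internal` are assumptions and should be replaced with the names used on the device:

```text
# Added example, not from the original article. Interface names "wan1"
# (internet-facing) and "internal" (LAN-facing) are assumptions.

# Weak setting: HTTPS administrative access is reachable from the internet,
# so every unauthenticated login attempt from outside is handed to fnbamd.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

# Corrected setting: remove https from the WAN allowaccess list, and keep
# HTTPS management on the LAN-side interface so you are not locked out
# (confirm LAN or VPN access works before applying this).
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "internal"
        set allowaccess ping https
    next
end

# Verify the change, then confirm fnbamd has settled and is no longer crashing.
show system interface wan1
diagnose system top 2 20
diagnose debug crashlog read
```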
