nathan_h
Staff & Editor
February 7, 2025

Troubleshooting Tip: Unable to log in on SSL VPN (48 %) using SAML Microsoft Entra after a FortiGate upgrade to v7.4.7/v7.0.17/v7.2.11/v7.4.8 'error, could not found corresponding saml session 101'

Description

 

This article describes a workaround for when it is not possible to log in on SSL VPN with SAML Microsoft Entra ID authentication that relies on the internal browser in FortiClient v7.4.x. The issue was observed after the FortiGate was upgraded to v7.0.17, v7.2.11, v7.4.8, v7.4.7, or v7.6.2, with FortiClient v7.4.x in use. The SSL VPN debug shows 'error, could not found corresponding saml session 101', and FortiClient is stuck at 48 %.

 

Scope

 

FortiGate v7.0.17, v7.2.11, v7.4.8, v7.4.7 and v7.6.2, FortiClient v7.4.x.

 

Solution

 

Run the SSL VPN debug on FortiGate:

 

diagnose debug reset
diagnose debug disable
diagnose vpn ssl debug-filter src-addr4 <PC Public IP> <----- Change <PC Public IP> to the PC Public IP.
diagnose debug console timestamp enable
diagnose debug app sslvpn -1
Debug messages will be on for 30 minutes.

diagnose debug enable

 

Sample Debug Output:

 

[3734:root:1a8]req: /remote/info
[3734:root:1a8]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3734:root:1a8]capability flags: 0x3cdf
[3734:root:1a8]req: /remote/saml/login
[3734:root:1a8]Transfer-Encoding n/a
[3734:root:1a8]Content-Length 9453
[3734:root:1a8]readPostEnter:19 Post Data length 9453.
[3734:root:1a8]fsv_rmt_saml_login_cb:100 magic id: magic=1-f3c2fbe7dc77c783
[3734:root:1a8]fsv_rmt_saml_login_cb:127 idx 1 epoch: f3c2fbe7dc77c783
[3734:root:1a8]fsv_rmt_saml_login_cb:131 error, could not found corresponding saml session 101.
[3734:root:1a8]saml login [3734:424] SAML_ERROR: Error occurred during remote login 'could not found corresponding saml session (101)'
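
To pick this failure out of a longer capture, the following added example (not Fortinet code) groups sslvpn debug lines by their bracketed prefix and reports connections where a /remote/saml/login request ends in the session error. The function name, the record fields, the reading of the prefix as pid:vdom:connection, and the two lines tagged 1a9 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: lines tagged 1a8 and the banner are copied from the debug
# output above; the two lines tagged 1a9 are constructed (a connection with no error).
SAMPLE = """\
[3734:root:1a8]req: /remote/info
[3734:root:1a8]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3734:root:1a8]req: /remote/saml/login
[3734:root:1a8]Content-Length 9453
[3734:root:1a8]fsv_rmt_saml_login_cb:100 magic id: magic=1-f3c2fbe7dc77c783
[3734:root:1a8]fsv_rmt_saml_login_cb:131 error, could not found corresponding saml session 101.
Debug messages will be on for 30 minutes.
[3734:root:1a9]req: /remote/info
[3734:root:1a9]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
"""

# Assumption: the bracketed prefix is pid:vdom:connection and stays fixed per connection.
PREFIX = re.compile(r"^\[(\d+):([^:\]]+):([0-9a-fA-F]+)\](.*)$")
MAGIC = re.compile(r"magic id: magic=(\S+)")
ERROR = re.compile(r"error, could not found corresponding saml session (\d+)")


def find_saml_session_errors(text):
    """Return one record per connection whose /remote/saml/login hit the error."""
    conns = defaultdict(lambda: {"requests": [], "user_agent": None,
                                 "magic": None, "error_code": None})
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # banner or unrelated console output
        pid, vdom, conn, body = m.groups()
        rec = conns[(pid, vdom, conn)]
        if body.startswith("req: "):
            rec["requests"].append(body[len("req: "):].strip())
        elif body.startswith("User Agent: "):
            rec["user_agent"] = body[len("User Agent: "):].strip()
        elif (found := MAGIC.search(body)):
            rec["magic"] = found.group(1)
        elif (found := ERROR.search(body)):
            rec["error_code"] = int(found.group(1))
    return [
        {"pid": pid, "vdom": vdom, "conn": conn, **rec}
        for (pid, vdom, conn), rec in conns.items()
        if "/remote/saml/login" in rec["requests"] and rec["error_code"] is not None
    ]


if __name__ == "__main__":
    for hit in find_saml_session_errors(SAMPLE):
        print(hit)
```

Each record carries the user agent and magic id seen on the failing connection, which helps confirm that the affected clients match the scope listed above before changing the FortiClient browser setting.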

 

On the SSL VPN monitor, users appear connected in Web Mode, even though the VPN connection gets stuck at 48%. After configuring the 'Use the external browser as user-agent for SAML user authentication' option, the connection is established successfully, and the user appears connected as a Tunnel Connection.



  

Workaround:

Starting from v7.0, using an external browser in FortiClient may yield better results. Enable 'Use the external browser as user-agent for saml user authentication' on FortiClient. The recommended external browser is Edge. Set Edge as the default browser and delete the browser cache before first use. 

 


 

Another workaround is to use FortiClient v7.2.x or v7.4.3+.